RE: [ActiveDir] Uninstallation

2004-06-15 Thread mathif
You should also remove that from the METABASE using NTDSUTIL / ADSIEDIT.
FORCEREMOVAL will not replicate the changes and your PC is not in the LAN
too, so it's as good as format.
Most important! You should remove that from the Active Directory Metabase. It's explained
in KS KB articles. Try Googling!

Regards, Mohammed Athif Khaleel
Asst. Network Engineer, AlFaisaliah Group Information Technology
Tel.: +966-1-461-0077 x.209
Mobile: +966-509774015
Email: [EMAIL PROTECTED]
"Save Internet, Keep all the systems patched"
Web: http://alfaisaliah.com
Local Time: GMT+3

  
  -Original Message-
  From: Daniel Gilbert [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, 15 June 2004 5:11 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Uninstallation
  
  Try dcpromo /forceremoval. This will remove AD from the server and turn it back into
  a standalone.
  
  Dan
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Malachi Burke
  Sent: Monday, June 14, 2004 5:17 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Uninstallation
  
  Our new PDC from Dell turns out to be physically damaged inside, so we're sending it
  back. I want to remove AD from the system (for security reasons) but DCPROMO isn't
  working because this DC is now off the LAN. It's off the LAN because I successfully
  cloned (via NTbackup) its behavior to the replacement PDC which now has its same name
  and IP address. Is there a quick and easy way to wipe out AD without actually
  reformatting the system?
  Thanks!

  Mal

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom/which they are addressed. If you have received this email in error please notify the system manager at the following email address: [EMAIL PROTECTED]. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Al Faisaliah Group. Internet communications cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, arrive late or contain viruses. The sender therefore does not accept liability for any errors or omissions in the context of this message, which arise as a result of Internet transmission. Finally, the recipient should check this email and any attachments for the presence of viruses. Al Faisaliah Group accepts no liability for any damage caused by any virus transmitted by this email.


RE: [ActiveDir] User timeouts

2004-06-15 Thread simon.geary
This setting specifies the length of time before a computer will suspend an idle SMB 
session; it won't log your users off. For a less than glamorous, but effective, 
solution, check out Microsoft's winexit.scr screensaver.
-Original Message- 
From: [EMAIL PROTECTED] on behalf of Malachi Burke 
Sent: Tue 15/06/2004 02:55 
To: [EMAIL PROTECTED] 
Cc: 
Subject: [ActiveDir] User timeouts


I'm trying to get users to automatically log out after a certain timeout 
setting. I've read all over that setting the timeout under 
 
Computer Configuration/Windows Settings/Security Settings/Local 
Policies/Security Options:
Amount of idle time required before suspending session
 
is the way to go. I set it to 15 minutes, but alas it appears to make no 
difference. Any suggestions?

RE: [ActiveDir] SID question

2004-06-15 Thread cflesher
That's what I suggested. We are doing a campus-wide AD project that is being 
run by Unix guys. They don't understand the technology. Plus, they don't trust 
Microsoft. They believe the account that is pushed from external LDAP is 
safer... but they don't want to make it difficult/impossible for users to use 
their legacy groups and resources... thus the life of Microsoft Admins on 
campus.

Thanks for the heads up. 

Quoting Grillenmeier, Guido [EMAIL PROTECTED]:

 how about first _MOVING_ the accounts from the child domain to the root
 domain (can be done via ADMT or the movetree command) - then update
 these from your LDAP source afterwards.
  
 => user will keep GUID and UG/DLG memberships and will be dropped from GGs
 => user will keep same PW and other attributes (does not require PES)
 => user will get a new SID and the old SID will be added to the SIDhistory of the user
 => local user profiles on Win2k/XP clients usually continue to work for the users
 (via GUID referrals), but not for NT4 (which only relies on SID to resolve profile path)
 
 /Guido
 
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Chris Flesher
 Sent: Montag, 14. Juni 2004 22:02
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] SID question
 
 
 Can a SID be copied from one account to another between domains in the
 same forest? The scenario is this: account is migrated using ADMT from
 NT4 domain into child domain in 2003 forest. An account with the same
 username is going to be copied into the root from an external LDAP
 source. One of the higher ups here wants to have the account in the root
 domain be what the user uses. So, he wants to know if the SID can be
 copied from the account in the child OU, and then have the child OU
 account deleted. I'm thinking no, but I wanted to make sure before
 telling him that.
  
  
 Thanks in advance.
  
 Chris Flesher
 The University of Chicago
 NSIT/DCS
 1-773-834-8477
  
 


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] SID question

2004-06-15 Thread Eric Fleischman
But if all else fails, you could programmatically populate sIDHistory
after the migration on your own. So long as the population takes place
under the context of a domain admin you could do this later.
MSDN documents an API DsAddSidHistory which can do this for you.

You didn't note the tool you are using, but if you are using ADMT, I'd
be sure to check out the help file on intraforest migration and the
closed set vs. open set considerations. There are things the tool will
do for you depending upon domain functional level of source and target,
etc. Prepping your environment for an ADMT intraforest migration will
help you have a smoother migration from end to end. And of course, a
little lab testing also helps.

But I'm totally with Guido... a little process will go a long way here.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, June 15, 2004 5:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] SID question

That's what I suggested. We are doing a campus-wide AD project that is
being run by Unix guys. They don't understand the technology. Plus, they don't
trust Microsoft. They believe the account that is pushed from external LDAP is
safer... but they don't want to make it difficult/impossible for users
to use their legacy groups and resources... thus the life of Microsoft Admins
on campus.

Thanks for the heads up. 

Quoting Grillenmeier, Guido [EMAIL PROTECTED]:

 how about first _MOVING_ the accounts from the child domain to the root
 domain (can be done via ADMT or the movetree command) - then update
 these from your LDAP source afterwards.
  
 => user will keep GUID and UG/DLG memberships and will be dropped from GGs
 => user will keep same PW and other attributes (does not require PES)
 => user will get a new SID and the old SID will be added to the SIDhistory of the user
 => local user profiles on Win2k/XP clients usually continue to work for the users
 (via GUID referrals), but not for NT4 (which only relies on SID to resolve profile path)
 
 /Guido
 
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Chris Flesher
 Sent: Montag, 14. Juni 2004 22:02
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] SID question
 
 
 Can a SID be copied from one account to another between domains in the
 same forest? The scenario is this: account is migrated using ADMT from
 NT4 domain into child domain in 2003 forest. An account with the same
 username is going to be copied into the root from an external LDAP
 source. One of the higher ups here wants to have the account in the root
 domain be what the user uses. So, he wants to know if the SID can be
 copied from the account in the child OU, and then have the child OU
 account deleted. I'm thinking no, but I wanted to make sure before
 telling him that.
  
  
 Thanks in advance.
  
 Chris Flesher
 The University of Chicago
 NSIT/DCS
 1-773-834-8477
  
 


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Uninstallation

2004-06-15 Thread Charlie Kaiser
If you really want to keep the info on your HDs, remove the HDs from the
system before you send it back. Otherwise, why not reformat/fdisk/clear
array configs? If they're going to ship you another server, you're going to
have hardware/registry inconsistencies like MAC address. Personally, I
wouldn't take that chance on a DC. 
YMMV


**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

 -Original Message-
 From: Malachi Burke [mailto:[EMAIL PROTECTED] 
 Sent: Monday, June 14, 2004 5:17 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Uninstallation
 
 Our new PDC from Dell turns out to be physically damaged 
 inside, so we're sending it back.  I want to remove AD from 
 the system (for security reasons) but DCPROMO isn't working 
 because this DC is now off the LAN.  It's off the LAN because 
 I successfully cloned (via NTbackup) its behavior to the 
 replacement PDC which now has its same name and IP address.  
 Is there a quick and easy way to wipe out AD without actually 
 reformatting the system?  Thanks!
  
 Mal
  
  
 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] Eventlog management(OT)

2004-06-15 Thread Kern, Tom
I have a linux syslog server set up to centralize logging of all event viewer messages 
on my (30) Win2k servers via the Eventlog to Syslog utility.
My question to the group now is, how do you guys typically deal with all that info?
Do you parse it with a perl script for errors and ignore the rest, or have an email 
generated when a critical error occurs, or just (god forbid) go through them all each 
morning?
I'm the only admin here and dealing with 30 servers' logs can really eat a huge chunk 
of my day. Is there a better cheap (free) way to optimize this?

thanks.
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Export Permissions List

2004-06-15 Thread Passo, Larry
Or, DumpSec

http://www.somarsoft.com/

From: Deji Akomolafe [mailto:[EMAIL PROTECTED]
Sent: Monday, June 14, 2004 10:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Export Permissions List

http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/xcacls-o.asp

what, you are scared of crowbars? ;)

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Noah Eiger
Sent: Mon 6/14/2004 9:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Export Permissions List

Thanks. This does not seem to be in the Windows Server 2003 RK. Know where I can get it? Or is there something else (that does not require a crowbar) to do the job?

From: Deji Akomolafe [mailto:[EMAIL PROTECTED]
Sent: Monday, June 14, 2004 8:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Export Permissions List

xcacls C:\*.* /C > c:\Perm_Reports.log will create such a huge report file. Depending on how many objects you have in the folder, the report may be so large you'd need a crowbar to open it.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
http://www.readymaids.com/ - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Noah Eiger
Sent: Mon 6/14/2004 5:50 PM
To: Active Directory List
Subject: [ActiveDir] Export Permissions List

Hi-

I think I saw this flash by on the list recently. I am looking for a tool to create a report of the NTFS security permissions on folders on a drive. I have seen a reference to this command: CALCS C:\* /T /C > C:\C Permissions.txt but that does not seem to work. Is that a Unix command?

Any help appreciated.

nme

--
Noah M. Eiger
EIS Consulting for
PRBO Conservation Science
510-717-5742
[EMAIL PROTECTED]

[ActiveDir] DNS Server Architecture Recommendations

2004-06-15 Thread Les B. Minaker

We are about to deploy a Win2K3 infrastructure parallel to an existing Windows NT environment. Initially, the environments will exist separately, so I have a degree of leeway with respect to playing with settings.

Network Configuration:

We have 22 branch sites on-network and I want each local site to resolve DNS queries themselves. In order to do this, I will be deploying DCs that also are DNS servers to each branch. As I said above, the Win2K3 environment exists on a different plane of reality and really does not affect the existing NT users.

My question revolves around DNS configuration issues. Should I make each server a primary DNS server that is AD integrated, or should I go with a single "master" DNS server (located in a secure Data Centre) and make every other DC a secondary zone? And, what are the reasons why one option is "better" than the other?

Les Minaker
[EMAIL PROTECTED]

This e-mail (including any attachments) is for the sole use of the intended recipient and may contain confidential information which may be protected by legal privilege. If you are not the intended recipient, please immediately notify me by reply e-mail, delete this e-mail and destroy any copies. Thank you.


RE: [ActiveDir] Eventlog management(OT)

2004-06-15 Thread Ken Cornetet
I typically don't look at the non-security event logs unless there is a
problem. I do periodically scan the security event logs to check for
problems there.

I used to try and proactively monitor the event logs, but, as you've
found, trying to separate the wheat from the chaff is an impossible task
anymore. I think it was Mark Twain who said that law was like sausage -
you should never watch either being made. I think AD and Exchange is
kind of like that...



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, June 15, 2004 9:22 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Eventlog management(OT)


I have a linux syslog server set up to centralize logging of all event
viewer messages on my (30) Win2k servers via the Eventlog to Syslog
utility. My question to the group now is, how do you guys typically deal
with all that info? do you parse it with a perl script for errors and
ignore the rest or have an email generated when a critical error occurs
or just(god forbid) go thru them all each morning. I'm the only admin
here and dealing with 30 server's logs can really eat a huge chunk of my
day. is ther a better cheap(free) way to optimize this?

thanks.
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] DNS Server Architecture Recommendations

2004-06-15 Thread Deji Akomolafe

There are many reasons why you'd want to make them all AD-integrated. One is the fact that you have 22 branch offices. Remember that in the Primary/Secondary configuration, changes are made ONLY on the Primary server. Since you are allowed only one primary, think about what will be happening at the other 21 sites when records need to be registered. With AD-intg, changes/additions can be done at ANY server, so records can be registered locally.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Les B. Minaker
Sent: Tue 6/15/2004 8:04 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS Server Architecture Recommendations

We are about to deploy a Win2K3 infrastructure parallel to an existing Windows NT environment. Initially, the environments will exist separately, so I have a degree of leeway with respect to playing with settings.

Network Configuration:

We have 22 branch sites on-network and I want each local site to resolve DNS queries themselves. In order to do this, I will be deploying DCs that also are DNS servers to each branch. As I said above, the Win2K3 environment exists on a different plane of reality and really does not affect the existing NT users.

My question revolves around DNS configuration issues. Should I make each server a primary DNS server that is AD integrated, or should I go with a single "master" DNS server (located in a secure Data Centre) and make every other DC a secondary zone? And, what are the reasons why one option is "better" than the other?

Les Minaker
[EMAIL PROTECTED]

This e-mail (including any attachments) is for the sole use of the intended recipient and may contain confidential information which may be protected by legal privilege. If you are not the intended recipient, please immediately notify me by reply e-mail, delete this e-mail and destroy any copies. Thank you.


RE: [ActiveDir] DNS Server Architecture Recommendations

2004-06-15 Thread Centenni, Jason

Yes, if you have DNS on a DC it should point to itself. There is often confusion about islanding but this is not the case with this scenario. Here is part of a thread I was working with MS when contemplating the same thing.

http://support.microsoft.com/default.aspx?scid=kb;en-us;275278

This page also has some good DNS information:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/bpaddsgn.mspx#XSLTsection129121120120

The advantages:

1. If the DNS Server Service does not respond (service is stopped, etc.), the DC will fail over to the DNS server specified as alternate.
2. The Netlogon service will register SRV records on both himself and the server specified as alternate; this mitigates the island problem discussed in 275278.
3. Windows Server 2003 has code built in to automatically register the cname record to an alternate DC (even though it is only pointing to itself) in an attempt to mitigate this problem. Windows 2000 DNS server does not do this.

Also, a couple other points we should be aware of when discussing DNS behavior:

1. If a DC is pointing to itself for DNS and another DC for alternate, when it attempts to resolve a name and it looks to itself and does not get the answer back (because the record is not there), then that's it; it will not go to the alternate. If the DC is authoritative for the zone in which the query was made, the DC won't check the alternate.
2. If a client is pointing to a DC for DNS, it makes no difference what DNS servers are specified on the DC's TCP/IP settings. The same rules apply to the client as outlined in #1. If the client's primary does not respond, it will move to the alternate, but it won't move to the alternate if it can't find the record in the zone for which the DC is authoritative.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Les B. Minaker
Sent: Tuesday, June 15, 2004 10:04 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS Server Architecture Recommendations

We are about to deploy a Win2K3 infrastructure parallel to an existing Windows NT environment. Initially, the environments will exist separately, so I have a degree of leeway with respect to playing with settings.

Network Configuration:

We have 22 branch sites on-network and I want each local site to resolve DNS queries themselves. In order to do this, I will be deploying DCs that also are DNS servers to each branch. As I said above, the Win2K3 environment exists on a different plane of reality and really does not affect the existing NT users.

My question revolves around DNS configuration issues. Should I make each server a primary DNS server that is AD integrated, or should I go with a single master DNS server (located in a secure Data Centre) and make every other DC a secondary zone? And, what are the reasons why one option is better than the other?

Les Minaker
[EMAIL PROTECTED]

This e-mail (including any attachments) is for the sole use of the intended recipient and may contain confidential information which may be protected by legal privilege. If you are not the intended recipient, please immediately notify me by reply e-mail, delete this e-mail and destroy any copies. Thank you.
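The two resolver rules Jason lists (a primary that does not respond is skipped in favour of the alternate; an authoritative "no such record" is final and the alternate is never asked) are easy to get wrong when reasoning about the island problem, so here is a small simulation of them. This is an added example, not code from the thread or from Microsoft; the zone corp.example, the hosts dc1/dc2 and the addresses are constructed, and a server that is not authoritative for the queried zone is simply skipped, a simplification of real recursion/forwarding.

```python
"""Model the resolver rules in the thread: a dead DNS server fails over to the
alternate, but an authoritative 'name not found' is final and is never retried."""
from dataclasses import dataclass, field

# Zone and host names below are constructed placeholders, not the poster's environment.
ZONE = "corp.example"


@dataclass
class DnsServer:
    name: str
    zones: dict = field(default_factory=dict)   # zone name -> {fqdn: address}
    responding: bool = True

    def authoritative_zone(self, fqdn):
        """Longest zone suffix this server hosts, or None if not authoritative."""
        best = None
        for zone in self.zones:
            if fqdn == zone or fqdn.endswith("." + zone):
                if best is None or len(zone) > len(best):
                    best = zone
        return best

    def query(self, fqdn):
        if not self.responding:
            return "TIMEOUT", None
        zone = self.authoritative_zone(fqdn)
        if zone is None:
            return "NOT_AUTH", None   # would recurse/forward in reality; simplified here
        addr = self.zones[zone].get(fqdn)
        return ("NOERROR", addr) if addr else ("NXDOMAIN", None)


def resolve(fqdn, server_list):
    """Walk the client's server list the way the thread describes.

    Returns (rcode, address, attempts); attempts records which servers were
    actually consulted, so the caller can see whether fail-over happened.
    """
    attempts = []
    for srv in server_list:
        rcode, addr = srv.query(fqdn)
        attempts.append((srv.name, rcode))
        if rcode in ("TIMEOUT", "NOT_AUTH"):
            continue                  # primary unreachable: move to the alternate
        return rcode, addr, attempts  # any authoritative answer, NXDOMAIN included, is final
    return "SERVFAIL", None, attempts


def island_scenario():
    """DC1 points to itself first; its own zone copy lacks DC2's record (replication lag)."""
    dc1 = DnsServer("dc1", {ZONE: {f"dc1.{ZONE}": "10.0.0.1"}})
    dc2 = DnsServer("dc2", {ZONE: {f"dc1.{ZONE}": "10.0.0.1", f"dc2.{ZONE}": "10.0.0.2"}})
    resolver = [dc1, dc2]             # primary = itself, alternate = the other DC
    return dc1, dc2, resolver


def missing_record_is_final():
    """Rule 1: record absent on an authoritative primary -> NXDOMAIN, alternate never asked."""
    _, _, resolver = island_scenario()
    return resolve(f"dc2.{ZONE}", resolver)


def dead_primary_fails_over():
    """Rule 1, other half: primary not responding -> the alternate is consulted."""
    dc1, _, resolver = island_scenario()
    dc1.responding = False
    return resolve(f"dc2.{ZONE}", resolver)


if __name__ == "__main__":
    print("record missing on primary:", missing_record_is_final())
    print("primary service stopped:  ", dead_primary_fails_over())
```

The first call shows why "just add an alternate" does not rescue a DC whose own zone copy is stale: the alternate holds the answer but is never consulted. The second shows the only case in which the alternate helps, which is exactly what Jason's list says.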












[ActiveDir] Replication problem related to large groups.

2004-06-15 Thread jonathan . r . meyer

Right now in our Active Directory environment we have 2 groups with 80,000 people or so. I know that this is bad and we are working to fix it. Replication was working before we tried to promote three DCs to W2K3. Now after the promotion, we are getting errors with the Event ID: 623. I think the replication of the large groups is the long-running transaction. Would it help if the version store max size was larger, and if so how do I increase it? Below is the Event Log entry I get.

NTDS (576) NTDSA: The version store for this instance (0) has reached its maximum size of 104Mb. It is likely that a long-running transaction is preventing cleanup of the version store and causing it to build up in size. Updates will be rejected until the long-running transaction has been completely committed or rolled back.
Possible long-running transaction:
SessionId: 0x00B705A0
Session-context: 0x
Session-context ThreadId: 0x0A78
Cleanup: 1

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.


[ActiveDir] Roaming GPO

2004-06-15 Thread Michael Wassell

Concern: One of the senior managers bought a laptop for herself to use as a home PC, as well as bring into the office regularly to use for convenience purposes.

Problem: The problem was, aside from the obvious security issues involved with doing that, domain-level GPOs which restrict users from access to command prompt, opening certain applications from within the Help application, as well as quite a few other Windows utilities that could potentially be harmful have been blocked and enforced. The problem was particularly relating to the restrictive GPO applying to the user account when logging into the desktop, as opposed to logging into the laptop. Instead of having 2 separate user profiles and confusing the user as to which user profile should be used and where, I did this:

Solution:

1. Created a domain-wide GPO that applied to a specific security group in AD to reverse certain restrictions if certain conditions are met
2. Assign the computer and user permissions to the group (to be sure that the GPO is controlled and only applies for a specific user on a specific computer)
3. Write a simple WMI filter to only apply to computers with a PCMCIA controller (to prevent the policy from applying on the desktop).

And of course I "bulletproofed" the laptop as best I could to make sure that it's not going to become a mobile virus hive... However, I do not expect that the user will become infected as the only email she receives is from Verizon and from the company network, and she is not prone to visiting obscure websites or opening any suspicious attachments.

Reason for doing this was mainly because the same solution can be used for more than a single user with minimal configuration on the same laptop or on separate laptops without any issues and minimal security concerns.

I am wondering if there may be a better way of doing this?

Thanks in advance!




RE: [ActiveDir] Replication problem related to large groups.

2004-06-15 Thread Grillenmeier, Guido

not bad, especially since AD prior to 2003 (at 2003 forest functional level, which activates LVR - link value replication) only supports roughly 5.000 members to a group, due to these version store limitations... I doubt you can increase the storage for the version store, but an interim solution would be to split your users into multiple groups and nest them - then, after you've increased the FFL to 2003, re-add all of them to the original group but don't add more than 5.000 at a time. LVR no longer has a group-size limitation, but still has the version store limitation for the changes.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Dienstag, 15. Juni 2004 19:37
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Replication problem related to large groups.

Right now in our Active Directory environment we have 2 groups with 80,000 people or so. I know that this is bad and we are working to fix it. Replication was working before we tried to promote three DCs to W2K3. Now after the promotion, we are getting errors with the Event ID: 623. I think the replication of the large groups is the long-running transaction. Would it help if the version store max size was larger, and if so how do I increase it? Below is the Event Log entry I get.

NTDS (576) NTDSA: The version store for this instance (0) has reached its maximum size of 104Mb. It is likely that a long-running transaction is preventing cleanup of the version store and causing it to build up in size. Updates will be rejected until the long-running transaction has been completely committed or rolled back.
Possible long-running transaction:
SessionId: 0x00B705A0
Session-context: 0x
Session-context ThreadId: 0x0A78
Cleanup: 1

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.


RE: [ActiveDir] Replication problem related to large groups.

2004-06-15 Thread David Adner
Problems deploying new DC's is one of the issues with having such large
groups.  I'm unaware of a fix beyond getting the groups smaller. 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: Tuesday, June 15, 2004 12:37
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Replication problem related to large groups.
 
   
 Right now in our Active Directory environment we have 2 
 groups with 80,000 people or so.  I know that this is bad and 
 we are working to fix it.  Replication was working before we 
 tried to promote three DCs to W2K3.  Now after the promotion, 
 we are getting errors with the Event ID: 623.  I think the 
 replication of the large groups is the long-running 
 transaction.  Would it help if the version store max size was 
 larger, and if so how do I increase it?  Below is the Event 
 Log entry I get.
  
 NTDS (576) NTDSA: The version store for this instance (0) has 
 reached its maximum size of 104Mb. It is likely that a 
 long-running transaction is preventing cleanup of the version 
 store and causing it to build up in size. Updates will be 
 rejected until the long-running transaction has been 
 completely committed or rolled back. 
 
 Possible long-running transaction: 
 
 SessionId: 0x00B705A0 
 
 Session-context: 0x 
 
 Session-context ThreadId: 0x0A78 
 
 Cleanup: 1
 
 This message is for the designated recipient only and may 
 contain privileged, proprietary, or otherwise private 
 information. If you have received it in error, please notify 
 the sender immediately and delete the original. Any other use 
 of the email by you is prohibited.
 

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] Eventlog management(OT)

2004-06-15 Thread Sean Johnson
On Tue, 2004-06-15 at 10:22, Kern, Tom wrote:
 I have a linux syslog server set up to centralize logging of all event viewer 
 messages on my (30) Win2k servers via the Eventlog to Syslog utility.
 My question to the group now is, how do you guys typically deal with all that info?
 Do you parse it with a perl script for errors and ignore the rest, or have an email 
 generated when a critical error occurs, or just (god forbid) go through them all each 
 morning?
 I'm the only admin here and dealing with 30 servers' logs can really eat a huge 
 chunk of my day. Is there a better cheap (free) way to optimize this?

I have the windows servers logging to a linux box running syslog-ng, which
allows for some very nice filtering at the syslog level. So right off the 
bat each server has its own log file. Then I'm writing a perl script that walks
through each server's logfile and parses it for different level issues, ERROR, 
WARNING, and INFO. These then form the basis of reports that are emailed
out periodically.





Re: [ActiveDir] NTDS Replication Problems

2004-06-15 Thread Steve Patrick



Do you have the full text for the 12294 error? The error data may be of interest here.

  - Original Message -
  From: [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Tuesday, June 15, 2004 8:57 AM
  Subject: [ActiveDir] NTDS Replication Problems

  Here is something interesting, if anyone has any insight it would be greatly appreciated:

  1) Yesterday we began receiving the following in our System Event Logs on our DCs:
  Source: SAM
  EventID: 12294
  User: INT\Administrator
  Computer: MIADINT01 - this is one of our DC's
  The SAM database was unable to lockout the account of  due to a resource error, such as a hard disk write failure (the specific error code is in the error data). Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.

  2) Within the same timeframe I started seeing these errors within the Directory Service Event Log:
  Source: NTDS Replication
  EventID: 1083
  User: Everyone
  Computer: MIADINT01
  Replication warning: The directory is busy. It couldn't update object CN=Administrator,CN=Users,DC=int,DC=dci,DC=discovery,DC=com with changes made by directory 06d69760-9822-4b9b-a48b-c194eb5c1477._msdcs.dci.discovery.com. Will try again later.

  Around the same time, the domain admin for the INT domain reported that all of his user accounts were being locked out. Also, there are serious replication issues between the site where the server MIADINT01 resides and the rest of the domain. During troubleshooting, I turned off Anonymous Access to SAM Accts and Shares on the domain level policy and kicked off manual replication.

  This leads me to believe one of the following:
  1) A hack attempt was being generated against the SAM database from an outside source. Interestingly enough there is a group of computers that reside in the site where the DC's reside, and these systems cannot be patched and have AV installed. Once anonymous access was stopped the SAM/12294 errors subsided.
  or
  2) NTDS replication was in bad enough shape that accounts were being locked out (seems unlikely). Within our Miami site, we deleted NTDS replication objects that pointed to sites that Miami had trouble replicating to.

  So, if anyone has any advice and/or just wants to comment on these, I would be interested in hearing from you.

  Thanks,
  Justin L.