I wanted to document some stuff I learned this week. We finally have a K3 load with all of the stuff the company wants in it and tested, etc., so we started deploying some K3 domain controllers.
I tested this all out in our Exchange lab of course and it all worked well; in fact, K3 DCs running in Virtual Server partitions were responding to queries faster than 2K DCs running on physical hardware. It was nice. Note that I asked PSS first for a list of issues that could be encountered with K3 domain controllers with E2K. Still haven't gotten a response, but on my own found that you can't increase your functionality mode as LVR will break the RUS and the ADC. The ADC won't be an issue shortly but the RUS obviously will be. The RUS has to be put on an E2K3 machine. There are KB articles for that.
So anyway, my promotion of the DCs into production goes very well with very quick promotions. My DIT files shrank up nicely as predicted. I started one of the DCs on the road to becoming a full-fledged GC and it got through all partitions but my European partition; it stopped dead there and started exclaiming SCHEMA MISMATCH!!! I, being who I am, thought several choice cuss words at first and then thought, could it be? No. But could it? No. Well... No. Decided I should contact MS but thought, well, I better PROVE there isn't a schema mismatch first before I tell them there isn't, or else they are just going to ask me to prove it or go off and try to do it themselves.
So I dump the schemas from the source and destination and do a windiff... Wham. Mismatches all over. Oh... Objects in different orders, attributes in different orders, whenChanged different, etc... OK, so I write a Perl script to parse the schema text file dumps and then normalize the info so I can do a windiff. All done, beauty, schemas are identical. I will post that script or a link to it on the joeware site within the next few days or so as I figure others may find it useful as well. I will clean it up and I also want to make it handle doing easy compares between forests.
Also checked the operations done for the forest/domain to make sure everything is correct. Had 53 ops done on some domains, 50 done on others. Kind of scary. To cut to the chase on that one, it seems that depending on the hotfixes on your machine, you can have different ops done to correct things. This isn't documented in KB309628. Also, when I moved the PDC an additional GUID popped up in the domain ops that the article says should be in the forest ops. I will put everything together and send one note to MS on those doc issues.
So I gather all of the data, send it off to MS. We work through it turning up diagnostics, etc., and in the end the issue becomes some bad data on a multivalued attribute of a printer object that was preventing the replication from occurring. Somehow some bad binary garbage data got into the Unicode string attribute and AD was flagging it as a Schema Mismatch error... The object was being flagged in the event log with a message of unable to replicate due to schema mismatch. Now this isn't a happy making thing from several standpoints.
1. Horrible error message.
2. If rules are going to be enforced that could prevent AD from replicating because of one bad field, we should have a tool available that can read through a partition and verify every attribute and object for correctness so if we run into an issue, we can verify the state of the directory.
Actually this second one I think needs to be done for Exchange too. You can run it against a forest, a domain, or a user to verify that the data is valid for Exchange. We have had several issues where bad data made it into an Exchange attribute and it caused Exchange to have a heart attack. For instance, we once had X400:X400:<x400 address> in our proxy address attributes due to a bug in an MCS script and how the ADC moved things around. No one knew it for quite a while and people were looking at the attributes of the user objects regularly. Being able to verify the data would have helped. MS indicated there are some (or a) fix in SP1 that will help a little with this one.
Oh, my production DIT files for GCs shrank from just under 8GB to about 4.5GB. Anyway, hopefully this is helpful to others out there in case they run into similar things.
-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
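
The normalize-then-compare step described in the message (objects in different orders, attributes in different orders, whenChanged different), as an added example that is not the poster's Perl script. It assumes the schema dumps are LDIF text and that whenChanged, uSNChanged and uSNCreated are the per-DC attributes to ignore; the function names and the sample entries are constructed for illustration.

```python
import re
# Assumption: per-DC bookkeeping attributes that legitimately differ between replicas.
VOLATILE = frozenset({"whenchanged", "usnchanged", "usncreated"})

def parse_ldif(text, ignore=VOLATILE):
    """Parse an LDIF dump into {dn: {attribute: set(values)}}, independent of order."""
    text = re.sub(r"\r?\n ", "", text)  # unfold wrapped (continuation) lines
    entries = {}
    for block in re.split(r"(?:\r?\n){2,}", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value.lower()  # DNs compare case-insensitively
            elif name not in ignore:
                attrs.setdefault(name, set()).add(value)
        if dn:
            entries[dn] = attrs
    return entries

def diff_schemas(first, second, ignore=VOLATILE):
    """Return (dn, attribute, differing values) tuples; an empty list means identical."""
    a, b = parse_ldif(first, ignore), parse_ldif(second, ignore)
    report = []
    for dn in sorted(a.keys() | b.keys()):
        if dn not in a or dn not in b:
            report.append((dn, "<object>", ["only in " + ("second" if dn not in a else "first")]))
            continue
        for attr in sorted(a[dn].keys() | b[dn].keys()):
            delta = a[dn].get(attr, set()) ^ b[dn].get(attr, set())
            if delta:
                report.append((dn, attr, sorted(delta)))
    return report

# Constructed sample dumps: same content, different object/attribute order and timestamps.
BASE = "CN=Schema,CN=Configuration,DC=example,DC=com"
DC1 = (f"dn: CN=Sample-Attr,{BASE}\nobjectClass: top\nobjectClass: attributeSchema\n"
       "isSingleValued: TRUE\nwhenChanged: 20040101000000.0Z\n\n"
       f"dn: CN=Sample-Class,{BASE}\nmayContain: cn\nmayContain: sampleAttr\nuSNChanged: 1001\n")
DC2 = (f"dn: CN=Sample-Class,{BASE}\nuSNChanged: 7312\nmayContain: sampleAttr\nmayContain: cn\n\n"
       f"dn: CN=Sample-Attr,{BASE}\nwhenChanged: 20040309101500.0Z\nisSingleValued: TRUE\n"
       "objectClass: attributeSchema\nobjectClass: top\n")
DC3 = DC2.replace("isSingleValued: TRUE", "isSingleValued: FALSE")  # one real mismatch

if __name__ == "__main__":
    print(diff_schemas(DC1, DC2), diff_schemas(DC1, DC3), sep="\n")
```

An empty report for two dumps that a raw text diff flags everywhere is the evidence that the replicas agree on schema content; pass a different `ignore` set if other attributes vary per DC in your environment.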
