Interesting... I have "Audit: Shutdown system immediately if unable to log security audits" set to disabled and security log size configured to 128Mb (DCs GPO)
We are keeping 3 months back of security logs, hence the GPO is configured not to override the security logs. DCs have a scheduled task that pops up once a day and archives/clears the security logs - not the state of the art solution, but does the work without purchasing any additional software. I would love to give MOM a try, but we already have OpenView in place, so I'll be checking with OvO people if the security logs can be handled by OvO. So in this configuration, if booted with full security logs, I experience the same behavior as CrashOnAuditFail set to 2 (box in crashed mode) - verified that by adding peer DC to builtin Administrators group and the replication resumed. Am I missing something or this is not the desired behavior when the DC is configured not to crash on audit ? Thanks, Guy On Mon, 2004-08-23 at 16:10, Mulnick, Al wrote: > I suppose in theory, setting it to crash on full is also a security risk > since it could be used to cause a denial of service. > > I'd guess that if you have something that siphons off the logs on submit > event, then it could be a workable solution. I'd have to say I'm not > impressed with a lot of the tools currently out there that do this due to > the overhead they place on the machine, but it could be done. MOM Server is > a good way to get this done IIRC. > > I'm guessing that's what you had in mind, Rick? Something that clears it as > it is written, vs a timed deal? > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick > Sent: Monday, August 23, 2004 9:02 AM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] By design or configurable ? > > I have had the same problem, but setting the logs to overwrite is bad system > administration. IF a person attempt to break passwords, thy can just flood > the server with requests and eventually the log will clear. > The best solution is to have the logs cleared by a script or third party > utility to clear and archive the logs every night. > > > > Rick Gasper > Manager, Network Services > King's College > 133 N. River St > Wilkes-Barre PA 18711 > PH: 570-208-5845 > Fax: 570-208-6072 > Cell: 570-760-0335 > [EMAIL PROTECTED] > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M. > Sent: Monday, August 23, 2004 6:48 AM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] By design or configurable ? > > Guy, > > One way to avoid the problems of a full security log is to set the logs to > overwrite as needed. You can set this via group policy. > > I don't know if the kerberos ticket is cached or not. (I suspect not.) When > a machine reconnects to the network and you attempt to access a network > resource, the resource will ask for you ticket. If you don't have one, or > if it is out of date, the client will request a new kerberos ticket and then > be authenticated to the resource. > > Denny > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Guy > > Teverovsky > > Sent: Friday, August 20, 2004 8:48 PM > > To: [EMAIL PROTECTED] > > Subject: [ActiveDir] By design or configurable ? > > > > > > In my environment, when W2K3 DC boots with security logs full, the > > replication from that DC stops till the security log is cleared and > > the box is rebooted. > > The interesting thing is that after the security logs become full > > (while the box is online) the replication continues to work till the > > box is rebooted with full log. > > > > So the question is whether this can be prevented (we do have a routine > > which takes care of security logs archiving, but it failed on one of > > the DCs and I would like to prevent the replication from breaking > > again). > > > > And another OT question: > > When logging on to XP with cached credentials, is the Kerberos ticket > > cached too ? And if yes, what happens when the ticket expires and the > > box is reconnected to the network: will it seamlessly try to renew the > > ticked ? > > > > Thanks, > > Guy > > > > -- > > Smith & Wesson - the original point and click interface > > > > List info : http://www.activedir.org/mail_list.htm > > List FAQ : http://www.activedir.org/list_faq.htm > > List archive: > > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ -- Smith & Wesson - the original point and click interface List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
