joe (dog),

Please send me a >complete< list of MS docs that are ... "confusing",
"wrong" and "dangerous".  OK ... forget the confusing,  just the "wrong" and
"dangerous."

"YMYMYM"

Rocky

_______________________________________




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of joe
Sent: Friday, July 01, 2005 3:01 PM
To: [email protected]
Subject: RE: [ActiveDir] Corrupted NTDS.dit


Now this is a fun note chain. ;o)

To further clarify what Dean has so eloquently said. MS sometimes makes
mistakes in documentation. As a general rule I look at MS documentation more
as propaganda until otherwise proven correct, it tends to be safer that way.
Most of it is great, a lot of it is confusing, some of it is wrong, some of
it is outright dangerous. This is why there are many folks who submit
changes to MS to get implemented into the documentation. I myself probably
submit 5-10 KB changes a month, probably double that to MSDN per month.

The comment "You do not want the DC's that exist to use the old cname
record." is incorrect. The existence of it in DNS will not force the DC to
use it. However, cleaning up after a demotion, failed or otherwise, is
generally a good idea to do. I was simply trying to illustrate, as Dean
indicated, that it won't actually cause a failure.

I also want to point out the part Dean indicated about the value of this
list. This is an incredible list, there can be a lot of side chatter but you
can learn things here that you won't find anywhere else. We have a ton of
well known authors, Microsoft employees from
PSS(ROSS/CPR/Other)/MCS/Dev(AD/JET)/Enterprise Computing, some of the top
consultants in the industry, programmers, admins (from the smallest to the
largest deployments), and we even have Rick Kingslan and sometimes let him
post. The list isn't really just about posting a KB and sending someone on
their way, you will often get a lot of opinion on the KB and/or the poster
as well substantial background information on how things work and how they
REALLY work.

No one should really take anything personally or as an attack, it is just a
bunch of geeks trying to help each other out with varying levels of social
and writing skills. As I once told a Microsoft Manager, I don't care if your
consultant kicks me every day when he sees me, as long as he knows what he
is talking about I want him around. Oh there is one time there is personal
attacks, it is every time Guido tries to confront me on Domain Local Groups
versus Universal groups. That is entirely personal. He even brought it up in
a DEC Conference to really dig me. Of course it doesn't bother too badly
because I know I'm right. ;o)

Ok, now where is my g/f. She snuck out to get her hair done when we were
supposed to be getting ready to go up north for the weekend and I have been
waiting for 3 hours for her to get back!

Reh!





-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, July 01, 2005 2:27 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Corrupted NTDS.dit

Hehehe ... I'm feeling neither confused nor misled, though your last
comment did evoke one response; mild annoyance, but it was fleeting ;o)

I've no doubt that the article's instructions will work as (like many KB
articles) they serve as an all encompassing solution.  Referencing the KB
article's URL is also likely to be of use to Kevin who originally asked the
question but this (and many other technical forums like it) offer a great
deal of additional value since much of the commentary falls outside the
scope of the vendor's technical database (and often goes against the grain of
related KBs).  I responded to the part of your post from which I'd
understood you were indicating that just such an aspect of Joe's post was
inaccurate, which IMO, it isn't.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tetrault, Mike
(OFT)
Sent: Friday, July 01, 2005 1:55 PM
To: [email protected]
Subject: RE: [ActiveDir] Corrupted NTDS.dit

http://support.microsoft.com/?kbid=216498

Maybe now you won't feel so confused or misled.


Mike Tetrault
OFT
40 North Pearl St. Albany, NY
(518) 402-9300

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, July 01, 2005 1:09 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Corrupted NTDS.dit

When you say 'from Microsoft', may I ask where?

IMHO, much of the statement is inaccurate at worst and misleading or
confusing at best.

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tetrault, Mike
(OFT)
Sent: Friday, July 01, 2005 1:00 PM
To: [email protected]
Subject: RE: [ActiveDir] Corrupted NTDS.dit

This is from Microsoft:


Remove the cname record in the _msdcs.root domain of forest zone in DNS.
Assuming that DC is going to be reinstalled and re-promoted, a new NTDS
Settings object is created with a new GUID and a matching cname record in
DNS. You do not want the DC's that exist to use the old cname record.


This is what I was trying to convey to you. Sorry if there was any
confusion.

Mike-

Mike Tetrault
OFT
40 North Pearl St. Albany, NY
(518) 402-9300

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, July 01, 2005 11:41 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Corrupted NTDS.dit

I don't follow you, ALL remaining DCs will still have the retired DC's
metadata until such time as it is 'cleaned up'.  Joe is not suggesting
anything to the contrary, he is stating that since the DC GUID will be
reseeded during the promotion that CNAME resolution alone will not cause
replication to fail.  The replication relationship between two DCs is
expressed by a connection object, the connection object's fromServer
property refers to the DN of a DC's NTDS Settings object (its metadata), the
objectGUID property of the DC's NTDS Settings object is used to seed each
DC's DC GUID which is, in turn, registered in DNS by each DC's respective
NETLOGON service (along with a number of SRV records and A records).

Joe's point is simply this; once the source DC used during the promotion of
the newly reborn DC has pushed the new metadata out, a replication topology
will be built by the existing DCs inclusive of the new DC.
Connection objects will then be created pointing to the new DC's NTDS
Settings object which will in turn provide the existing DCs with a means of
resolving it (replication latency and/or DNS cache TTLs excepted).

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tetrault, Mike
(OFT)
Sent: Friday, July 01, 2005 11:11 AM
To: [email protected]
Subject: RE: [ActiveDir] Corrupted NTDS.dit

That is correct for a new Domain Controller. However, if a Domain Controller
is re-promoted before the old CNAME records are cleaned up, there may be
other Domain Controllers in the Domain that still have the OLD CNAME record
with the old GUID and if there are different GUIDs for the same host name,
replication problems can happen.

This is why they recommend running a metadata cleanup and removing any old
records before promoting the DC again. It is also recommended that you
remove the old FRS entries using ADSI Edit.


Mike Tetrault
OFT
40 North Pearl St. Albany, NY
(518) 402-9300

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, July 01, 2005 10:16 AM
To: [email protected]
Subject: RE: [ActiveDir] Corrupted NTDS.dit

That really still shouldn't be an issue unless I am missing something here.
Please bear with me.

The mapping in DNS isn't hostname to GUID, it is GUID to hostname. When a DC
wants to replicate with this new DC, it will use the new GUID and that
shouldn't exist in DNS until the repromoted DC registers it.

Prior to registration the GUID would be unresolvable and no replication
would be allowed[1]. I used to use that for stopping DCs from pulling
replication from a specific DC - usually when the troublesome DC was on the
end of a misbehaving WAN connection and I was experiencing rough RPC and
excessive timeouts.

Once registered, the GUID would be found and translated to a hostname which
can in turn be resolved to an IP. This would in turn allow for the
replication to work again.

   joe




[1] At least pre-K3 SP1, I haven't checked it since but I know there are
supposed to be changes.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tetrault, Mike
(OFT)
Sent: Friday, July 01, 2005 9:58 AM
To: [email protected]
Subject: RE: [ActiveDir] Corrupted NTDS.dit

It will be a problem if the other Domain Controllers have different CNAME
records in root/_msdcs for the new Domain Controller.


Mike Tetrault
OFT
40 North Pearl St. Albany, NY
(518) 402-9300

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, July 01, 2005 9:44 AM
To: [email protected]
Subject: RE: [ActiveDir] Corrupted NTDS.dit

> If the server is promoted again the GUID will be different and will
> cause File Replication problems among other things.

It really shouldn't be an issue.


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tetrault, Mike
(OFT)
Sent: Friday, July 01, 2005 9:02 AM
To: [email protected]
Subject: RE: [ActiveDir] Corrupted NTDS.dit

As long as you still have a Domain Controller with a "good" copy of the
Active Directory Database, I would just demote it and then run dcpromo to
promote it again. Make sure you check that the CNAME and SRV records in DNS
are removed after the demotion. If the server is promoted again the GUID
will be different and will cause File Replication problems among other
things. I would also recommend running ntdsutil to perform a MetaData
cleanup of the server object you are demoting before you promote it again.
Microsoft has a procedure for doing this on the website if you are not
familiar with it.




Mike Tetrault
OFT
40 North Pearl St. Albany, NY
(518) 402-9300


--------------------------------------------------------
This e-mail, including any attachments, may be confidential, privileged or
otherwise legally protected. It is intended only for the addressee.
If you received this e-mail in error or from someone who was not authorized
to send it to you, do not disseminate, copy or otherwise use this e-mail or
its attachments.  Please notify the sender immediately by reply e-mail and
delete the e-mail from your system.


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, June 30, 2005 12:17 PM
To: [email protected]
Subject: [ActiveDir] Corrupted NTDS.dit

Hi,
        I have a corrupt NTDS.dit file with no backup, although the Windows
2003 DC starts up fine and partially replicates to my other 4 DCs.  Can
someone tell me the best steps to restore this file.  This particular DC is
also the FSMO holder.  I was considering transferring the role temporarily,
demoting and then promoting this DC and having DCPROMO rewrite the NTDS.dit.
Is this suicide?  Thanks in advance

Kevin Atnip
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/