Nice boss my boss always wants to know if something has gone wrong --- Who does he fire ;)
C -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: 04 July 2005 10:08 PM To: [email protected] Subject: RE: [ActiveDir] Corrupted NTDS.dit If we aren't having fun, we are doing the wrong thing. This stuff isn't worth it if it isn't fun. My boss always tells me, have fun. If I am not having fun, he wants to know so we can work on correcting it. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Saturday, July 02, 2005 1:26 PM To: [email protected] Subject: RE: [ActiveDir] Corrupted NTDS.dit Steve, I'm glad that you do find the humor here. It does exist - and many times, it's just more obvious than others. Heck, if there wasn't the gigging each other and the occasional off color comments, this would be just like work! Rick -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield Sent: Friday, July 01, 2005 11:35 PM To: [email protected] Subject: Re: [ActiveDir] Corrupted NTDS.dit I don't post real often but besides slashdot postings being a bit humorous. This list ranks right up there in making me laugh. Some of these posts are even funnier when I've had a few beers..Don't figure. Happy 4th weekend... Steve ----- Original Message ----- From: "Rocky Habeeb" <[EMAIL PROTECTED]> To: <[email protected]> Sent: Friday, July 01, 2005 4:00 PM Subject: RE: [ActiveDir] Corrupted NTDS.dit > joe (dog), > > Please send me a >complete< list of MS docs that are ... "confusing", > "wrong" and "dangerous". OK ... forget the confusing, just the "wrong" > and > "dangerous." > > "YMYMYM" > > Rocky > > _______________________________________ > > > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of joe > Sent: Friday, July 01, 2005 3:01 PM > To: [email protected] > Subject: RE: [ActiveDir] Corrupted NTDS.dit > > > Now this is a fun note chain. ;o) > > To further clarify what Dean has so eloquently said. MS sometimes makes > mistakes in documentation. As a general rule I look at MS documentation > more > as propoganda until otherwise proven correct, it tends to be safer that > way. > Most of it is great, a lot of it is confusing, some of it is wrong, some > of > it is outright dangerous. This is why there are many folks who submit > changes to MS to get implemented into the documentation. I myself probably > submit 5-10 KB changes a month, probably double that to MSDN per month. > > The comment "You do not want the DC's that exist to use the old cname > record." is incorrect. The existence of it in DNS will not force the DC to > use it. However, cleaning up after a demotion, failed or otherwise, is > generally a good idea to do. I was simply trying to illustrate, as Dean > indicated, that it won't actually cause a failure. > > I also want to point out the part Dean indicated about the value of this > list. This is an incredible list, there can be a lot of side chatter but > you > can learn things here that you won't find anywhere else. We have a ton of > well known authors, Microsoft employees from > PSS(ROSS/CPR/Other)/MCS/Dev(AD/JET)/Enterprise Computing, some of the top > consultants in the industry, programmers, admins (from the smallest to the > largest deployments), and we even have Rick Kingslan and sometimes let him > post. The list isn't really just about posting a KB and sending someone on > their way, you will often get a lot of opinion on the KB and/or the poster > as well substantial background information on how things work and how they > REALLY work. > > No one should really take anything personally or as an attack, it is just > a > bunch of geeks trying to help each other out with varying levels of social > and writing skills. As I once told a Microsoft Manager, I don't care if > your > consultant kicks me every day when he sees me, as long as he knows what he > is talking about I want him around. Oh there is one time there is personal > attacks, it is every time Guido tries to confront me on Domain Local > Groups > versus Universal groups. That is entirely personal. He even brought it up > in > a DEC Conference to really dig me. Of course it doesn't bother too badly > because I know I'm right. ;o) > > Ok, now where is my g/f. She snuck out to get her hair done when we were > supposed to be getting ready to go up north for the weekend and I have > been > waiting for 3 hours for her to get back! > > Reh! > > > > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells > Sent: Friday, July 01, 2005 2:27 PM > To: Send - AD mailing list > Subject: RE: [ActiveDir] Corrupted NTDS.dit > > Hehehe ... I'm feeling neither confused nor mislead, though your last > comment did evoke one response; mild annoyance, but it was fleeting ;o) > > I've no doubt that the article's instructions will work as (like many KB > articles) they serve as an all encompassing solution. Referencing the KB > article's URL is also likely to be of use to Kevin who originally asked > the > question but this (and many other technical forums like it) offer a great > deal of additional value since much of the commentary falls outside the > scope of the vendors technical database (and often goes against the grain > of > related KBs). I responded to the part of your post from which I'd > understood you were indicating that just such an aspect of Joe's post was > inaccurate, which IMO, it isn't. > > -- > Dean Wells > MSEtechnology > * Email: [EMAIL PROTECTED] > http://msetechnology.com > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Tetrault, Mike > (OFT) > Sent: Friday, July 01, 2005 1:55 PM > To: [email protected] > Subject: RE: [ActiveDir] Corrupted NTDS.dit > > http://support.microsoft.com/?kbid=216498 > > Maybe now you won't feel so confused or mislead. > > > Mike Tetrault > OFT > 40 North Pearl St. Albany, NY > (518) 402-9300 > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells > Sent: Friday, July 01, 2005 1:09 PM > To: Send - AD mailing list > Subject: RE: [ActiveDir] Corrupted NTDS.dit > > When you say 'from Microsoft', may I ask where? > > IMHO, much of the statement is inaccurate at worst and misleading or > confusing at best. > > -- > > Dean Wells > MSEtechnology > * Email: [EMAIL PROTECTED] > http://msetechnology.com > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Tetrault, Mike > (OFT) > Sent: Friday, July 01, 2005 1:00 PM > To: [email protected] > Subject: RE: [ActiveDir] Corrupted NTDS.dit > > This is from Microsoft: > > > Remove the cname record in the _msdcs.root domain of forest zone in DNS. > Assuming that DC is going to be reinstalled and re-promoted, a new NTDS > Settings object is created with a new GUID and a matching cname record in > DNS. You do not want the DC's that exist to use the old cname record. > > > This is what I was trying to convey to you. Sorry if there was any > confusion. > > Mike- > > Mike Tetrault > OFT > 40 North Pearl St. Albany, NY > (518) 402-9300 > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells > Sent: Friday, July 01, 2005 11:41 AM > To: Send - AD mailing list > Subject: RE: [ActiveDir] Corrupted NTDS.dit > > I don't follow you, ALL remaining DCs will still have the retired DC's > metadata until such time as it is 'cleaned up'. Joe is not suggesting > anything to the contrary, he is stating that the since the DC GUID will be > reseeded during the promotion that CNAME resolution alone will not cause > replication to fail. The replication relationship between two DCs is > expressed by a connection object, the connection object's fromServer > property refers to the DN of a DC's NTDS Settings object (its metadata), > the > objectGUID property of the DC's NTDS Settings object is used to seed each > DC's DC GUID which is, in turn, registered in DNS by each DC's respective > NETLOGON service (along with a number of SRV records and A records). > > Joe's point is simply this; once the source DC used during the promotion > of > the newly reborn DC has pushed the new metadata out, a replication > topology > will be built by the existing DCs inclusive of the new DC. > Connection objects will then be created pointing to the new DCs NTDS > Settings object which will in turn provide the existing DCs with a means > of > resolving it (replication latency and/or DNS cache TTLs accepted). > > -- > > Dean Wells > MSEtechnology > * Email: [EMAIL PROTECTED] > http://msetechnology.com > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Tetrault, Mike > (OFT) > Sent: Friday, July 01, 2005 11:11 AM > To: [email protected] > Subject: RE: [ActiveDir] Corrupted NTDS.dit > > That is correct for a new Domain Controller. However, if a Domain > Controller > is re-promoted before the old CNAME records are cleaned up, there may be > other Domain Controllers in the Domain that still have the OLD CNAME > record > with the old GUID and if there are different GUIDs for the same host name, > replication problems can happen. > > This is why they recommend running a metadata cleanup and removing any old > records before promoting the DC again. It is also recommended that you > remove the old FRS entries using ADSI Edit. > > > Mike Tetrault > OFT > 40 North Pearl St. Albany, NY > (518) 402-9300 > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of joe > Sent: Friday, July 01, 2005 10:16 AM > To: [email protected] > Subject: RE: [ActiveDir] Corrupted NTDS.dit > > That really still shouldn't be an issue unless I am missing something > here. > Please bear with me. > > The mapping in DNS isn't hostname to GUID, it is GUID to hostname. When a > DC > wants to replicate with this new DC, it will use the new GUID and that > shouldn't exist in DNS until the repromoed DC registers it. > > Prior to registration the GUID would be unresolvable and no replication > would be allowed[1]. I used to use that for stopping DC's from pulling > replication from a specific DC - usually when the troublesome DC was on > the > end of a misbehaving WAN connection and I was experiencing rough RPC and > excessive timeouts. > > Once registered, the GUID would be found and translated to a hostname > which > can in turn be resolved to an IP. This would in turn allow for the > replication to work again. > > joe > > > > > [1] At least pre-K3 SP1, I haven't checked it since but I know there are > supposed to be changes. > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Tetrault, Mike > (OFT) > Sent: Friday, July 01, 2005 9:58 AM > To: [email protected] > Subject: RE: [ActiveDir] Corrupted NTDS.dit > > It will be a problem if the other Domain Controllers have different CNAME > records in root/_msdcs for the new Domain Controller. > > > Mike Tetrault > OFT > 40 North Pearl St. Albany, NY > (518) 402-9300 > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of joe > Sent: Friday, July 01, 2005 9:44 AM > To: [email protected] > Subject: RE: [ActiveDir] Corrupted NTDS.dit > >> If the server is promoted again the GUID will be different and will >> cause File Replication problems among other things. > > It really shouldn't be an issue. > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Tetrault, Mike > (OFT) > Sent: Friday, July 01, 2005 9:02 AM > To: [email protected] > Subject: RE: [ActiveDir] Corrupted NTDS.dit > > As long as you still have a Domain Controller with a "good" copy of the > Active Directory Database, I would just demote it and then run dcpromo to > promote it again. Make sure you check that the CNAME and SRV records in > DNS > are removed after the demotion. If the server is promoted again the GUID > will be different and will cause File Replication problems among other > things. I would also recommend running ntdsutil to perform a MetaData > cleanup of the server object you are demoting before you promote it again. > Microsoft has a procedure for doing this on the website if you are not > familiar with it. > > > > > Mike Tetrault > OFT > 40 North Pearl St. Albany, NY > (518) 402-9300 > > > -------------------------------------------------------- > This e-mail, including any attachments, may be confidential, privileged or > otherwise legally protected. It is intended only for the addressee. > If you received this e-mail in error or from someone who was not > authorized > to send it to you, do not disseminate, copy or otherwise use this e-mail > or > its attachments. Please notify the sender immediately by reply e-mail and > delete the e-mail from your system. > > > -----Original Message----- > > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > [EMAIL PROTECTED] > Sent: Thursday, June 30, 2005 12:17 PM > To: [email protected] > Subject: [ActiveDir] Corrupted NTDS.dit > > Hi, > I have a corrupt NTDS.dit file with no backup, although the windows > 2003 DC starts up fine and partially replicates to my other 4 DC's. Can > someone tell me the best steps to restore this file. This particular DC > is > also the FSMO holder. I was considering transferring the role > temporarily, > demoting and then promoting this DC and having DCPROMO rewrite the > NTDS.dit. > Is this suicide? Thanks in advance > > Kevin Atnip > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
