You need to determine what your replication latency is. If the group membership is set on an authenticating DC, you will get it in your token unless there are other issues like having way too many group memberships or something else that causes a Kerberos issue. So again, look at how long your latency is for making a change and seeing it on all DCs.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: Wednesday, July 13, 2005 10:18 AM
To: [email protected]
Subject: RE: [ActiveDir] Latency in Group membership
Hi
There are no apps running on the DCs. The event logs are clean, but there is the occasional directory replication problem (every few days), a single object with "directory busy, will try again later", which will then succeed on the next replication. But they pass all the DCDiag tests.
Cheers
Danny
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 13 July 2005 13:18
To: [email protected]
Subject: RE: [ActiveDir] Latency in Group membership
What apps are running on the DCs? Have you checked to be sure that replication is functioning correctly? Event logs clean?
Al
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: Wednesday, July 13, 2005 4:33 AM
To: [email protected]
Subject: [ActiveDir] Latency in Group membership
Hi
Recently our domain has begun to show some latency in resolving group membership.
I.e., when someone is newly added to a group for access to a particular resource it's now taking much longer than was the norm to resolve that security. It's taking anything from 30 mins to the next day to resolve itself. Logging off and back on again to clear the Kerberos ticket doesn't (usually) solve the problem.
I've tested AD and monitored some NTDS performance counters and everything appears to be fine.
Network performance is good and there's no great loading on any of the DCs.
I'd be grateful if anyone could help me out with some guidance on where to look next.
Thanks
Danny
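
Added example, not part of the original thread: one way to measure the latency discussed above is to add a test user to a group and then poll every DC until the new member is visible on each one. It assumes the ActiveDirectory PowerShell module is available; the group name, user name, timeout and poll interval are hypothetical placeholders.

```powershell
# Added example: run immediately after adding $UserName to $GroupName.
# Assumes the ActiveDirectory module; all names below are placeholders.
Import-Module ActiveDirectory

$GroupName      = 'ExampleResourceGroup'   # hypothetical group
$UserName       = 'example.user'           # hypothetical user
$TimeoutMinutes = 60
$PollSeconds    = 30

$userDn    = (Get-ADUser -Identity $UserName).DistinguishedName
$dcs       = @(Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
$start     = Get-Date
$firstSeen = @{}   # DC host name -> time the membership was first visible there

while ($firstSeen.Count -lt $dcs.Count -and
       ((Get-Date) - $start).TotalMinutes -lt $TimeoutMinutes) {
    foreach ($dc in $dcs) {
        if ($firstSeen.ContainsKey($dc)) { continue }
        try {
            # Read the group from this specific DC, not whichever DC the
            # client happens to locate. Assumes the group is small enough
            # for its member attribute to come back in a single read.
            $group = Get-ADGroup -Identity $GroupName -Server $dc `
                                 -Properties member -ErrorAction Stop
            if ($group.member -contains $userDn) { $firstSeen[$dc] = Get-Date }
        } catch {
            Write-Warning "$dc query failed: $($_.Exception.Message)"
        }
    }
    if ($firstSeen.Count -lt $dcs.Count) { Start-Sleep -Seconds $PollSeconds }
}

# One row per DC: seconds from script start until the change was visible,
# or a blank value if it never appeared before the timeout.
$dcs | ForEach-Object {
    $seen = $firstSeen[$_]
    [pscustomobject]@{
        DomainController = $_
        VisibleAfterSec  = if ($seen) { [int]($seen - $start).TotalSeconds } else { $null }
        TimedOut         = -not $seen
    }
} | Sort-Object VisibleAfterSec | Format-Table -AutoSize
```

A DC that shows the member quickly while users authenticating against it still lack access points away from replication and toward the token or ticket; a DC that times out points at replication to that DC.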
