RE: [ActiveDir] Latency in Group membership

Thu, 14 Jul 2005 02:25:30 -0700

Title: Message
Hi
 
We do have the odd user who is member of a large number of groups (~20). How many is too many?
Looks like a lot of investigative work required then. Oh well, coffee on and sleeves rolled up!
 
Cheers
 
Danny
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 14 July 2005 04:36
To: [email protected]
Subject: RE: [ActiveDir] Latency in Group membership

You need to determine what your replication latency is. If the group membership is set on an authenticating DC, you will get it is in your token unless there are other issues like having way too many group memberships or something else that causes a kerberos issue. So again, look at how long your latency is for making a chance and seeing it on all DCs.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: Wednesday, July 13, 2005 10:18 AM
To: [email protected]
Subject: RE: [ActiveDir] Latency in Group membership

Hi
 
There are no apps running on the DC's. The event logs are clean, but there is the occasional directory replication problem (every few days), a single object with "directory busy, will try again later", which will then succeed on the next replication. But they pass all the DCDiag tests.
 
Cheers
 
Danny
 
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 13 July 2005 13:18
To: [email protected]
Subject: RE: [ActiveDir] Latency in Group membership

What apps are running on the DC's? Have you checked to be sure that replication is functioning correctly?  Event logs clean?
 
Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: Wednesday, July 13, 2005 4:33 AM
To: [email protected]
Subject: [ActiveDir] Latency in Group membership

Hi

Recently our domain has began to show some latency in resolving group membership.
Ie When someone is newly added to a group for access to a particular resource it's now taking much longer than was the norm to resolve that security. It's taking anything from 30mins to the next day to resolve itself.

Logging off and back on again to clear the kerberos ticket doesn't (usually) solve the problem.
I've tested AD and monitored some NTDS performance counters and everything appears to be fine.
Network performance is good and there's no great loading on any of the DC's.

I'd be grateful if anyone could help me out with some guidance on where to look next.

Thanks

Danny

Reply via email to