My gut says that it is not a member of a lot of groups, but more a group with too many memberships ...
If you have too many values for a group (the official soft limit is 5000), then you can get write conflicts, or version store issues, that can cause the group membership change to not be applied because of a timing issue or resource issues, that may be temporary. Replication continues to try, and eventually succeeds. This could be an explanation.

Cheers,
BrettSh [msft]
SDE

On Thu, 14 Jul 2005, McCann, Danny wrote:

> Hi
>
> We do have the odd user who is a member of a large number of groups (~20).
> How many is too many?
> Looks like a lot of investigative work required then. Oh well, coffee on
> and sleeves rolled up!
>
> Cheers
>
> Danny
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: 14 July 2005 04:36
> To: [email protected]
> Subject: RE: [ActiveDir] Latency in Group membership
>
>
> You need to determine what your replication latency is. If the
> group membership is set on an authenticating DC, you will get it in
> your token unless there are other issues like having way too many group
> memberships or something else that causes a Kerberos issue. So again,
> look at how long your latency is for making a change and seeing it on
> all DCs.
>
> _____
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
> Sent: Wednesday, July 13, 2005 10:18 AM
> To: [email protected]
> Subject: RE: [ActiveDir] Latency in Group membership
>
>
> Hi
>
> There are no apps running on the DCs. The event logs are clean,
> but there is the occasional directory replication problem (every few
> days), a single object with "directory busy, will try again later",
> which will then succeed on the next replication. But they pass all the
> DCDiag tests.
>
> Cheers
>
> Danny
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
> Sent: 13 July 2005 13:18
> To: [email protected]
> Subject: RE: [ActiveDir] Latency in Group membership
>
>
> What apps are running on the DCs? Have you checked to
> be sure that replication is functioning correctly? Event logs clean?
>
> Al
>
> _____
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
> Sent: Wednesday, July 13, 2005 4:33 AM
> To: [email protected]
> Subject: [ActiveDir] Latency in Group membership
>
>
>
> Hi
>
> Recently our domain has begun to show some latency in
> resolving group membership.
> I.e., when someone is newly added to a group for access to
> a particular resource it's now taking much longer than was the norm to
> resolve that security. It's taking anything from 30 mins to the next day
> to resolve itself.
>
> Logging off and back on again to clear the Kerberos
> ticket doesn't (usually) solve the problem.
> I've tested AD and monitored some NTDS performance
> counters and everything appears to be fine.
> Network performance is good and there's no great loading
> on any of the DCs.
>
> I'd be grateful if anyone could help me out with some
> guidance on where to look next.
>
> Thanks
>
> Danny
>
>

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
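
Added example, not part of any message in this thread: one way to do the check suggested above (make a change, then see which DCs have it) is to ask every domain controller whether its copy of the group already lists the user. It assumes a current ActiveDirectory PowerShell module and read access to each DC; the group and user names are placeholders.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory (RSAT) module
# and read access to every DC. Group and user names are placeholders.
Import-Module ActiveDirectory

$GroupName = 'Example-Resource-Group'   # placeholder: group that was changed
$UserName  = 'example.user'             # placeholder: account that was added

$group  = Get-ADGroup -Identity $GroupName
$userDn = (Get-ADUser -Identity $UserName).DistinguishedName
# Note: a DN containing ( ) * or \ would need LDAP-filter escaping before use below.

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = [ordered]@{ DC = $dc.HostName; Site = $dc.Site; HasMember = $null
                       OriginatingChange = $null; Error = $null }
    try {
        # Base-scope search on the group itself: returns it only if this DC's
        # copy already lists the user as a direct member.
        $hit = Get-ADGroup -LDAPFilter "(member=$userDn)" -SearchBase $group.DistinguishedName `
                   -SearchScope Base -Server $dc.HostName -ErrorAction Stop
        $row.HasMember = [bool]$hit

        # Per-value replication metadata: when the link was last changed at its origin.
        $meta = Get-ADReplicationAttributeMetadata -Object $group.DistinguishedName `
                    -Server $dc.HostName -Properties member -ShowAllLinkedValues -ErrorAction Stop |
                Where-Object { $_.AttributeValue -eq $userDn }
        if ($meta) { $row.OriginatingChange = $meta.LastOriginatingChangeTime }
    }
    catch { $row.Error = $_.Exception.Message }   # unreachable or busy DC
    [pscustomobject]$row
}

$report | Sort-Object HasMember, DC | Format-Table -AutoSize

# DCs still missing the change are the ones a logon could hit and get a stale token from.
$stale = $report | Where-Object { $_.HasMember -eq $false }
if ($stale) { "Not yet replicated to: " + ($stale.DC -join ', ') }
else        { "Change is present on every DC that answered." }
```

Running it repeatedly after a membership change gives the time until the last DC reports HasMember as True, which is the latency figure the thread asks for.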
