Hi

That's a highly likely explanation. Some re-organisation of the groups/membership required then. We're due a spring clean anyway. :)

Is an offline Metadata cleanup worthwhile performing?

Thanks to all for the advice. Much appreciated!

Cheers

Danny

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: 14 July 2005 10:33
To: [email protected]
Subject: RE: [ActiveDir] Latency in Group membership

My gut says that it is not a member of a lot of groups, but more a group with too many memberships ...

If you have too many values for a group (the official soft limit is 5000), then you can get write conflict, or version store issues, that can cause the group membership change to not be applied because of a timing issue or resource issues, that may be temporary. Replication continues to try, and eventually succeeds.

This could be an explanation.

Cheers,
BrettSh [msft] SDE

On Thu, 14 Jul 2005, McCann, Danny wrote:

> Hi
>
> We do have the odd user who is a member of a large number of groups
> (~20). How many is too many? Looks like a lot of investigative work
> required then. Oh well, coffee on and sleeves rolled up!
>
> Cheers
>
> Danny
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: 14 July 2005 04:36
> To: [email protected]
> Subject: RE: [ActiveDir] Latency in Group membership
>
>
> You need to determine what your replication latency is. If the group
> membership is set on an authenticating DC, you will get it in your
> token unless there are other issues like having way too many group
> memberships or something else that causes a Kerberos issue. So again,
> look at how long your latency is for making a change and seeing it on
> all DCs.
>
> _____
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
> Sent: Wednesday, July 13, 2005 10:18 AM
> To: [email protected]
> Subject: RE: [ActiveDir] Latency in Group membership
>
>
> Hi
>
> There are no apps running on the DC's. The event logs are clean, but
> there is the occasional directory replication problem (every few
> days), a single object with "directory busy, will try again later",
> which will then succeed on the next replication. But they pass all the
> DCDiag tests.
>
> Cheers
>
> Danny
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
> Sent: 13 July 2005 13:18
> To: [email protected]
> Subject: RE: [ActiveDir] Latency in Group membership
>
>
> What apps are running on the DC's? Have you checked to
> be sure that replication is functioning correctly? Event logs clean?
>
> Al
>
> _____
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
> Sent: Wednesday, July 13, 2005 4:33 AM
> To: [email protected]
> Subject: [ActiveDir] Latency in Group membership
>
>
>
> Hi
>
> Recently our domain has begun to show some latency in resolving
> group membership.
> i.e. when someone is newly added to a group for access to
> a particular resource it's now taking much longer than was the norm to
> resolve that security. It's taking anything from 30 mins to the next
> day to resolve itself.
>
> Logging off and back on again to clear the Kerberos
> ticket doesn't (usually) solve the problem.
> I've tested AD and monitored some NTDS performance
> counters and everything appears to be fine.
> Network performance is good and there's no great loading
> on any of the DC's.
>
> I'd be grateful if anyone could help me out with some guidance on
> where to look next.
>
> Thanks
>
> Danny
>
>

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
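An added example, not part of the thread or written by any of its participants: Brett Shirley's reply above points at groups holding more values than the 5000 soft limit, so this Python sketch counts `member` values per entry in an LDIF export of group objects and lists the entries above that limit. The function names and the sample DNs are constructed for the example; it handles folded lines, base64 (`::`) values and attribute options such as `;range=`.

```python
import base64
from collections import Counter

SOFT_LIMIT = 5000  # the "official soft limit" quoted in the thread

def unfold(ldif_text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def member_counts(ldif_text):
    """Return {entry DN: number of member values} for every entry in the export."""
    counts, dn = Counter(), None
    for line in unfold(ldif_text):
        if not line.strip():
            dn = None  # a blank line ends the current entry
            continue
        name, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        if value.startswith(":"):  # "attr:: <base64>" carries a non-ASCII value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attr = name.split(";")[0].lower()  # drop options such as ";range=0-1499"
        if attr == "dn":
            dn = value.strip()
            counts[dn] += 0  # record the entry even if it has no members
        elif attr == "member" and dn is not None:
            counts[dn] += 1
    return dict(counts)

def oversized(ldif_text, limit=SOFT_LIMIT):
    """DNs of entries whose member count exceeds the limit."""
    return sorted(dn for dn, n in member_counts(ldif_text).items() if n > limit)

def sample_ldif():
    """Constructed export: one group with 5001 members, one small group."""
    big = ["dn: CN=All Staff,OU=Groups,DC=example,DC=test"]
    big += [f"member: CN=user{i},OU=People,DC=example,DC=test" for i in range(5001)]
    small = ["dn:: " + base64.b64encode("CN=Caf\u00e9 Team,DC=example,DC=test".encode()).decode(),
             "member;range=0-1: CN=user1,OU=People,", " DC=example,DC=test",
             "member;range=0-1: CN=user2,OU=People,DC=example,DC=test"]
    return "\n".join(big + [""] + small) + "\n"
```

Calling `oversized(sample_ldif())` returns only the constructed "All Staff" group; on a real export, pass the file's text instead.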
