Metadata cleanup of existing DCs can solve many issues. :o) Doing it offline, doubly so. ;o)
To the OP, how many users do you have in the groups in question, what OS are your DCs, and what forest functional mode are you in?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Thursday, July 14, 2005 6:38 AM
To: [email protected]
Subject: RE: [ActiveDir] Latency in Group membership

What is metadata cleanup? What is offline metadata cleanup? I only know of metadata cleanup, and it is online, and only for removing dead servers from AD, DO NOT use it on live servers.

... and no, metadata cleanup will not help. :)

Also I should mention that in Windows 2003, with the advent of Link Value Replication (LVR), these issues have basically been abolished. In order to get LVR, you need to upgrade all DCs to Win2k3, then switch the forest functional mode (and maybe a few other supporting modes along the way).

Unfortunately, I wouldn't consider this a "spring cleaning" type of task though. :P A little more planning than that would be a good idea.

Cheers,
BrettSh [msft]
SDE, though I didn't write the LVR stuff.

This posting is provided "AS IS" with no warranties, and confers no rights.

On Thu, 14 Jul 2005, McCann, Danny wrote:

> Hi
>
> That's a highly likely explanation. Some re-organisation of the
> groups/membership required then. We're due a spring clean anyway. :)
> Is an offline Metadata cleanup worthwhile performing?
>
> Thanks to all for the advice. Much appreciated!
>
> Cheers
>
> Danny
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> Sent: 14 July 2005 10:33
> To: [email protected]
> Subject: RE: [ActiveDir] Latency in Group membership
>
> My gut says that it is not a member of a lot of groups, but more a
> group with too many memberships ...
>
> If you have too many values for a group (the official soft limit is
> 5000), then you can get write conflict, or version store issues, that
> can cause the group membership change to not be applied because of a
> timing issue or resource issues, that may be temporary. Replication
> continues to try, and eventually succeeds. This could be an
> explanation.
>
> Cheers,
> BrettSh [msft]
> SDE
>
> On Thu, 14 Jul 2005, McCann, Danny wrote:
>
> > Hi
> >
> > We do have the odd user who is member of a large number of groups
> > (~20). How many is too many? Looks like a lot of investigative work
> > required then. Oh well, coffee on and sleeves rolled up!
> >
> > Cheers
> >
> > Danny
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of joe
> > Sent: 14 July 2005 04:36
> > To: [email protected]
> > Subject: RE: [ActiveDir] Latency in Group membership
> >
> > You need to determine what your replication latency is. If the group
> > membership is set on an authenticating DC, you will get it in
> > your token unless there are other issues like having way too many
> > group memberships or something else that causes a Kerberos issue. So
> > again, look at how long your latency is for making a change and
> > seeing it on all DCs.
> >
> > _____
> >
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
> > Sent: Wednesday, July 13, 2005 10:18 AM
> > To: [email protected]
> > Subject: RE: [ActiveDir] Latency in Group membership
> >
> > Hi
> >
> > There are no apps running on the DC's. The event logs are clean, but
> > there is the occasional directory replication problem (every few
> > days), a single object with "directory busy, will try again later",
> > which will then succeed on the next replication. But they pass all
> > the DCDiag tests.
> >
> > Cheers
> >
> > Danny
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
> > Sent: 13 July 2005 13:18
> > To: [email protected]
> > Subject: RE: [ActiveDir] Latency in Group membership
> >
> > What apps are running on the DC's? Have you checked to be sure
> > that replication is functioning correctly? Event logs clean?
> >
> > Al
> >
> > _____
> >
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
> > Sent: Wednesday, July 13, 2005 4:33 AM
> > To: [email protected]
> > Subject: [ActiveDir] Latency in Group membership
> >
> > Hi
> >
> > Recently our domain has begun to show some latency in resolving
> > group membership.
> > I.e. when someone is newly added to a group for access to a
> > particular resource it's now taking much longer than was the norm to
> > resolve that security. It's taking anything from 30mins to the next
> > day to resolve itself.
> >
> > Logging off and back on again to clear the Kerberos ticket doesn't
> > (usually) solve the problem.
> > I've tested AD and monitored some NTDS performance counters and
> > everything appears to be fine.
> > Network performance is good and there's no great loading on any of
> > the DC's.
> >
> > I'd be grateful if anyone could help me out with some guidance on
> > where to look next.
> >
> > Thanks
> >
> > Danny
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
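
The check the thread keeps returning to (how long a membership change takes to appear on every DC, and whether the group is past the 5000-value soft limit in a forest without LVR), as an added PowerShell example that is not part of the original thread. The function name `Test-GroupConvergence`, the `example.com` names and the snapshot data are constructed for illustration; the commented lines assume the ActiveDirectory module is available.

```powershell
# Added example; not from the thread. All names and data are constructed.
$SoftLimit = 5000   # the "official soft limit" of values per group quoted in the thread

function Test-GroupConvergence {
    param(
        [Parameter(Mandatory)] [hashtable] $MembersByDc,  # DC name -> member DNs seen on that DC
        [Parameter(Mandatory)] [string]    $UserDn,       # the newly added member
        [bool] $LvrEnabled = $false                       # assumption: caller knows the forest mode
    )
    foreach ($dc in ($MembersByDc.Keys | Sort-Object)) {
        $members = @($MembersByDc[$dc])
        [pscustomobject]@{
            DC          = $dc
            MemberCount = $members.Count
            HasUser     = $members -contains $UserDn      # -contains is case-insensitive
            # Without LVR the whole member attribute replicates as one value set,
            # so a group above the soft limit is a candidate for the stalls described.
            OverLimit   = (-not $LvrEnabled) -and ($members.Count -gt $SoftLimit)
        }
    }
}

# Constructed snapshot: the change was made on DC1 and has not reached DC2 yet.
$user = 'CN=Test User,OU=Staff,DC=example,DC=com'
$base = 1..5199 | ForEach-Object { "CN=User$_,OU=Staff,DC=example,DC=com" }
$snap = @{
    'DC1.example.com' = $base + $user
    'DC2.example.com' = $base
}

# Against a live domain, build $snap from each DC instead ('Some Group' is a placeholder):
# $snap = @{}
# Get-ADDomainController -Filter * | ForEach-Object {
#     $snap[$_.HostName] = (Get-ADGroup 'Some Group' -Server $_.HostName -Properties member).member
# }
# (Get-ADForest).ForestMode   # shows the forest functional mode the thread asks about

$report  = @(Test-GroupConvergence -MembersByDc $snap -UserDn $user)
$report | Format-Table -AutoSize
$lagging = @($report | Where-Object { -not $_.HasUser })
'{0} of {1} DCs have not applied the change yet' -f $lagging.Count, $report.Count
```

Re-running the collection on a timer until no DC is lagging gives the end-to-end latency for one change.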
