From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Sat 12/3/2005 10:58 PM
To: [email protected]
Subject: [ActiveDir] Ntds.dit file corruption
SBS box [with Windows 2003 sp1 since September]
RE: [ActiveDir] Database Corruption:
http://www.mail-archive.com/[email protected]/msg32676.html
We have a SBS 2003 sp1 box with a corrupt ntds.dit that the Consultant and PSS have been banging on. Could not get the services back running, changed the RPC service to local system and some service came back up [I don't have all the details but the consultant opened a support case of SRX051202605433].
Bottom line they are about to give up and start a restore but before they do that I'd like to get the view of the AD gods and goddesses around here. From all that I've seen, read, seen in the SBS newsgroup, the corruption of ntds.dit is rare to nil and an underlying cause is hardware issues [raid, disk subsystem]. This doesn't just happen.
The VAP asked if not properly excluding the ad databases from the a/v would cause this/trigger this and my expectation is 'no', given that I doubt the majority of us in SBSland properly set up exclusions.
Virus scanning recommendations on a Windows 2000 or on a Windows Server 2003 domain controller:
http://support.microsoft.com/default.aspx?scid=kb;en-us;822158
If this were my hardware and box, I'd be putting this sucker on the operating table and getting an autopsy before putting it back online.
Are we right in being paranoid now about this hardware? For you guys in big server land you'd just slide over another box into that server role.
---------------------------------------
Stupid question alert....
Okay so we know that having a secondary/additional domain controller is a good thing even in SBSland...but question.... many times the second server in SBSland is a terminal server box because we do not support TS in app mode on our PDCs. So we've established that having a domain controller and a terminal server is a security issue [see Windows Security resource kit, NIST Terminal services hardening guide, etc etc....] If our second server is a member server handing out TS externally, should that be a candidate for the additional DC? Are the issues of TS on a DC ... true for 'any' DC? Would it be better then to Vserver/VPC a Win2k3 inside a workstation in the network if a third server box was not feasible?
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
