BDC....
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carpenter Robert A Contr WROCI/Enterprise IT
Sent: Monday, December 05, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption
Novell.....
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Monday, December 05, 2005 11:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption
I was
not aware that Microsoft had incorporated such a feature in AD 2003. I know for
a fact that Microsoft did not have this feature when AD 2000 was first released
because I mentioned it to several Microsoft AD & premier support
specialists and they each confirmed it was not available ( However it may have
been added in a service pack ).
I
would love to know how to enable a read only DC. I think that is a great idea, I
wonder who thought of it. :-)
Sincerely,
Jose Medeiros
ADP | National Account
Services
ProBusiness Division | Information Services
925.737.7967 |
408-449-6621 CELL
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Phil Renouf
Sent: Monday, December 05, 2005 11:04 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruptionWill Read Only DC's take care of this? I don't know much about them yet, but it makes sense that if the copy of the dit that a DC has is RO that it won't try to replicate that anywhere and would only be the recipient of replication. Anyone with more knowledge about how RO DC's will work to comment on that?Phil
On 12/5/05, Medeiros, Jose <[EMAIL PROTECTED]> wrote:Well at least the corruption occurred on just a single DC. One thing that has bugged me about Active Directory is not being able to select if you want a DC in a remote office to not have the ability to replicate back in a large enterprise environment. Since most remote offices only have a few people at the location and a DC is usually placed for improvised logon and authentication time, many companies will either use a very low end server or a very old decommissioned one from their production data center ( Which is probably close to useable life ). I am always concerned that once the NTDS.DIT file becomes corrupt it will replicate the corruption to the other DC's in the Forrest.
Maybe I am just being a worry wort and this really is not an issue.
Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, December 05, 2005 8:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption
I did? :-) I think I still said all I know is what the poster said :-)
I think I need a course in event log reading because even with the logs,
and the default size of the logs, I still don't see a smoking gun. The
directory services one is filled with events 'post' blow up.
What is interesting is that it seems to me big server land goes .. oh
yeah... ntds.dit corruption... and sbsland freaks out. Either we do
indeed need to ensure we have a secondary DC or we need to park a second
copy of a system state offsite [say at the vap/var]
Brett Shirley wrote:
> She replied offline, very likely a single bit flip, tragedy, they aren't
> one release later (Longhorn), where this would've probably been
> non-disruptively handled, logged, and possibly self-healed:
> http://blogs.technet.com/efleis/archive/2005/01.aspx
>
> Anyway, this kind of thing is usually hardware ...
>
> While there are much better disk sub-system testers, one that is freely
> available to any box with Exchange is jetstress. You might give that a
> try. If you can reproduce the event / error with jetstress I would not
> use that box in production.
>
> If you do reproduce the issue several times (several times is key, as you
> want a trend before you start playing the variable game), some things
> you might vary (one at a time):
>
> - Try making sure you have the latest driver and motherboard / controller
> firmware. Then see if you can reproduce.
>
> - Try a different RAID configuration, such as RAID1/RAID1+0 if you're on
> RAID5.
>
> - Try swapping out the hard drives, one at a time.
>
> - Adding the jetstress files to the exclude list in the Anti-Virus
> software. (A low probablility, I've never heard of Anit-Virus causing this
> paticular type of error, and I can't imagine the mistake an anti-virus
> product would have to have to cause this side effect)
>
> - If you can reproduce it several times, you could followup with Dell.
> Good luck.
>
> I'm not sure if I answered your question ...
>
> Cheers,
> BrettSh
>
>
> On Sun, 4 Dec 2005, Eric Fleischman wrote:
>
>
>> Going back to the original post, I'm not sure I fully understand the
>> problem yet. Susan, can you define "ntds.dit file corruption" for us?
>> What sort of corruption? What errors/events lead you to believe this?
>> Specifically, I'm interested in errors from NTDS ISAM or ESE if you
>> have any.
>>
>>
>>
>> ________________________________
>>
>> From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>> Sent: Sat 12/3/2005 10:58 PM
>> To: ActiveDir@mail.activedir.org
>> Subject: [ActiveDir] Ntds.dit file corruption
>>
>>
>>
>> SBS box [with Windows 2003 sp1 since September]
>>
>> RE: [ActiveDir] Database Corruption:
>> http://www.mail-archive.com/activedir@mail.activedir.org/msg32676.html
>>
>> We have a SBS 2003 sp1 box with a corrupt ntds.dit that the Consultant
>> and PSS have been banging on. Could not get the services back running,
>> changed the RPC service to local system and some service came back up [I
>> don't have all the details but the consultant opened a support case of
>> SRX051202605433].
>>
>> Bottom line they are about going to give up and start a restore but
>> before they do that I'd like to get the view of the AD gods and
>> goddesses around here. From all that I've seen, read, seen in the SBS
>> newsgroup, the corruption of ntds.dit is rare to nil and an underlying
>> cause is hardware issues [raid, disk subsystem]. This doesn't just
>> happen.
>>
>> The VAP asked if not properly excluding the ad databases from the a/v
>> would cause this/trigger this and my expectation is 'no', given that I
>> doubt the majority of us in SBSland properly set up exclusions
>> Virus scanning recommendations on a Windows 2000 or on a Windows Server
>> 2003 domain controller:
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;822158
>>
>> If this were my hardware and box, I'd be putting this sucker on the
>> operating table and getting an autopsy before putting it back online.
>>
>> Are we right in being paranoid now about this hardware? For you guys in
>> big server land you'd just slide over another box into that server role.
>>
>> ---------------------------------------
>> Stupid question alert....
>>
>> Okay so we know that having a secondary/additional domain controller is
>> a good thing even in SBSland...but question.... many times the second
>> server in SBSland is a terminal server box because we do not support TS
>> in app mode on our PDCs. So we've established that having a domain
>> controller and a terminal server is a security issue [see Windows
>> Security resource kit, NIST Terminal services hardening guide, etc
>> etc....] If our second server is a member server handing out TS
>> externally, should that be a candidate for the additional DC? Are the
>> issues of TS on a DC ... true for 'any' DC? Would it be better than to
>> Vserver/VPC a Win2k3 inside a workstation in the network if a third
>> server box was not feasible?
>>
>> List info : http://www.activedir.org/List.aspx
>> List FAQ : http://www.activedir.org/ListFAQ.aspx
>> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>>
>>
>>
>>
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
>
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
