In the Microsoft book it is dead too.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, December 06, 2005 12:28 PM
To: [email protected]
Subject: Re: [ActiveDir] Ntds.dit file corruption

"Additional Domain controller" BDC is an NT4 concept and in my book NT4 is dead ;-)

Medeiros, Jose wrote:
> BDC.. Yes and no.. Yes it is a read only copy of the PDC's database, but
> no you do not have an option to choose.
>
> Sincerely,
> Jose Medeiros
> ADP | National Account Services
> ProBusiness Division | Information Services
> 925.737.7967 | 408-449-6621 CELL
>
>
> -----Original Message-----
> *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of *Sullivan Tim
> *Sent:* Monday, December 05, 2005 7:38 PM
> *To:* [email protected]
> *Subject:* RE: [ActiveDir] Ntds.dit file corruption
>
> BDC....
>
> ------------------------------------------------------------------------
> *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Carpenter Robert A Contr WROCI/Enterprise IT
> *Sent:* Monday, December 05, 2005 5:33 PM
> *To:* [email protected]
> *Subject:* RE: [ActiveDir] Ntds.dit file corruption
>
> Novell.....
>
> ------------------------------------------------------------------------
> *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Medeiros, Jose
> *Sent:* Monday, December 05, 2005 11:24 AM
> *To:* [email protected]
> *Subject:* RE: [ActiveDir] Ntds.dit file corruption
>
> I was not aware that Microsoft had incorporated such a feature in
> AD 2003. I know for a fact that Microsoft did not have this
> feature when AD 2000 was first released because I mentioned it to
> several Microsoft AD & premier support specialists and they each
> confirmed it was not available ( However it may have been added in
> a service pack ).
>
> I would love to know how to enable a read only DC. I think that is
> a great idea, I wonder who thought of it.
> :-)
>
> Sincerely,
> Jose Medeiros
> ADP | National Account Services
> ProBusiness Division | Information Services
> 925.737.7967 | 408-449-6621 CELL
>
>
> -----Original Message-----
> *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of *Phil Renouf
> *Sent:* Monday, December 05, 2005 11:04 AM
> *To:* [email protected]
> *Subject:* Re: [ActiveDir] Ntds.dit file corruption
>
> Will Read Only DC's take care of this? I don't know much about
> them yet, but it makes sense that if the copy of the dit that
> a DC has is RO that it won't try to replicate that anywhere
> and would only be the recipient of replication. Anyone with
> more knowledge about how RO DC's will work to comment on that?
>
> Phil
>
>
> On 12/5/05, *Medeiros, Jose* <[EMAIL PROTECTED]> wrote:
>
> Well at least the corruption occurred on just a single DC.
> One thing that has bugged me about Active Directory is not
> being able to select if you want a DC in a remote office
> to not have the ability to replicate back in a large
> enterprise environment. Since most remote offices only
> have a few people at the location and a DC is usually
> placed for improvised logon and authentication time, many
> companies will either use a very low end server or a very
> old decommissioned one from their production data center (
> Which is probably close to useable life ). I am always
> concerned that once the NTDS.DIT file becomes corrupt it
> will replicate the corruption to the other DC's in the
> forest.
>
> Maybe I am just being a worry wart and this really is not
> an issue.
>
>
>
> Sincerely,
> Jose Medeiros
> ADP | National Account Services
> ProBusiness Division | Information Services
> 925.737.7967 | 408-449-6621 CELL
>
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Monday, December 05, 2005 8:53 AM
> To: [email protected]
> Subject: Re: [ActiveDir] Ntds.dit file corruption
>
>
> I did? :-) I think I still said all I know is what the poster said :-)
>
> I think I need a course in event log reading because even with the logs,
> and the default size of the logs, I still don't see a smoking gun. The
> directory services one is filled with events 'post' blow up.
>
> What is interesting is that it seems to me big server land goes .. oh
> yeah... ntds.dit corruption... and sbsland freaks out. Either we do
> indeed need to ensure we have a secondary DC or we need to park a second
> copy of a system state offsite [say at the vap/var]
>
> Brett Shirley wrote:
> > She replied offline, very likely a single bit flip, tragedy, they aren't
> > one release later (Longhorn), where this would've probably been
> > non-disruptively handled, logged, and possibly self-healed:
> > http://blogs.technet.com/efleis/archive/2005/01.aspx
> >
> > Anyway, this kind of thing is usually hardware ...
> >
> > While there are much better disk sub-system testers, one that is freely
> > available to any box with Exchange is jetstress. You might give that a
> > try. If you can reproduce the event / error with jetstress I would not
> > use that box in production.
> >
> > If you do reproduce the issue several times (several times is key, as you
> > want a trend before you start playing the variable game), some things
> > you might vary (one at a time):
> >
> > - Try making sure you have the latest driver and motherboard / controller
> > firmware. Then see if you can reproduce.
> >
> > - Try a different RAID configuration, such as RAID1/RAID1+0 if you're on
> > RAID5.
> >
> > - Try swapping out the hard drives, one at a time.
> >
> > - Adding the jetstress files to the exclude list in the Anti-Virus
> > software. (A low probability, I've never heard of Anti-Virus causing this
> > particular type of error, and I can't imagine the mistake an anti-virus
> > product would have to have to cause this side effect)
> >
> > - If you can reproduce it several times, you could follow up with Dell.
> > Good luck.
> >
> > I'm not sure if I answered your question ...
> >
> > Cheers,
> > BrettSh
> >
> >
> > On Sun, 4 Dec 2005, Eric Fleischman wrote:
> >
> >
> >> Going back to the original post, I'm not sure I fully understand the
> >> problem yet. Susan, can you define "ntds.dit file corruption" for us?
> >> What sort of corruption? What errors/events lead you to believe this?
> >> Specifically, I'm interested in errors from NTDS ISAM or ESE if you
> >> have any.
> >>
> >>
> >>
> >> ________________________________
> >>
> >> From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> >> Sent: Sat 12/3/2005 10:58 PM
> >> To: [email protected]
> >> Subject: [ActiveDir] Ntds.dit file corruption
> >>
> >>
> >>
> >> SBS box [with Windows 2003 sp1 since September]
> >>
> >> RE: [ActiveDir] Database Corruption:
> >> http://www.mail-archive.com/[email protected]/msg32676.html
> >>
> >> We have a SBS 2003 sp1 box with a corrupt ntds.dit that the Consultant
> >> and PSS have been banging on.
> >> Could not get the services back running,
> >> changed the RPC service to local system and some service came back up [I
> >> don't have all the details but the consultant opened a support case of
> >> SRX051202605433].
> >>
> >> Bottom line they are about going to give up and start a restore but
> >> before they do that I'd like to get the view of the AD gods and
> >> goddesses around here. From all that I've seen, read, seen in the SBS
> >> newsgroup, the corruption of ntds.dit is rare to nil and an underlying
> >> cause is hardware issues [raid, disk subsystem]. This doesn't just
> >> happen.
> >>
> >> The VAP asked if not properly excluding the ad databases from the a/v
> >> would cause this/trigger this and my expectation is 'no', given that I
> >> doubt the majority of us in SBSland properly set up exclusions
> >> Virus scanning recommendations on a Windows 2000 or on a Windows Server
> >> 2003 domain controller:
> >> http://support.microsoft.com/default.aspx?scid=kb;en-us;822158
> >>
> >> If this were my hardware and box, I'd be putting this sucker on the
> >> operating table and getting an autopsy before putting it back online.
> >>
> >> Are we right in being paranoid now about this hardware? For you guys in
> >> big server land you'd just slide over another box into that server role.
> >>
> >> ---------------------------------------
> >> Stupid question alert....
> >>
> >> Okay so we know that having a secondary/additional domain controller is
> >> a good thing even in SBSland...but question.... many times the second
> >> server in SBSland is a terminal server box because we do not support TS
> >> in app mode on our PDCs. So we've established that having a domain
> >> controller and a terminal server is a security issue [see Windows
> >> Security resource kit, NIST Terminal services hardening guide, etc
> >> etc....]
> >> If our second server is a member server handing out TS
> >> externally, should that be a candidate for the additional DC? Are the
> >> issues of TS on a DC ... true for 'any' DC? Would it be better then to
> >> Vserver/VPC a Win2k3 inside a workstation in the network if a third
> >> server box was not feasible?
> >>
> >> List info : http://www.activedir.org/List.aspx
> >> List FAQ : http://www.activedir.org/ListFAQ.aspx
> >> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
> --
> Letting your vendors set your risk analysis these days?
> http://www.threatcode.com

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
