True.. But by bringing it up (which is what you did when your SBS server's NTDS.DIT file became corrupt) we hopefully can encourage the Microsoft team that monitors this list into incorporating such features in the next release.
Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, December 06, 2005 10:08 AM
To: [email protected]
Subject: Re: [ActiveDir] Ntds.dit file corruption

True, but right now, today, we have what we have. From what I'm hearing the corruption won't be replicated, but a longer term solution won't be in play until Longhorn/Vista.

Medeiros, Jose wrote:
> Hi Susan,
>
> With all due respect, I think you missed the point. The concept of having a
> read only DC is similar to a BDC since a BDC only has a read only copy of the
> PDC's database. In some situations you may want a read only DC at a small
> remote office. Which would help reduce replication traffic.
>
> Also most technologies are built on past concepts and are hierarchical.
> Understanding one concept helps you to understand the logic in another.
>
> Peace!
>
> Sincerely,
> Jose Medeiros
> ADP | National Account Services
> ProBusiness Division | Information Services
> 925.737.7967 | 408-449-6621 CELL
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Susan Bradley,
> CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Tuesday, December 06, 2005 9:28 AM
> To: [email protected]
> Subject: Re: [ActiveDir] Ntds.dit file corruption
>
> "Additional Domain controller"
> BDC is a nt4 concept and in my book NT4 is dead ;-)
>
> Medeiros, Jose wrote:
>
>> BDC.. Yes and no.. Yes it is read only copy of the PDC's database, but
>> no you do not have an option to choose.
>>
>> Sincerely,
>> Jose Medeiros
>> ADP | National Account Services
>> ProBusiness Division | Information Services
>> 925.737.7967 | 408-449-6621 CELL
>>
>> -----Original Message-----
>> *From:* [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] Behalf Of *Sullivan Tim
>> *Sent:* Monday, December 05, 2005 7:38 PM
>> *To:* [email protected]
>> *Subject:* RE: [ActiveDir] Ntds.dit file corruption
>>
>> BDC....
>>
>> ------------------------------------------------------------------------
>> *From:* [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] *On Behalf Of
>> *Carpenter Robert A Contr WROCI/Enterprise IT
>> *Sent:* Monday, December 05, 2005 5:33 PM
>> *To:* [email protected]
>> *Subject:* RE: [ActiveDir] Ntds.dit file corruption
>>
>> Novell.....
>>
>> ------------------------------------------------------------------------
>> *From:* [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] *On Behalf Of
>> *Medeiros, Jose
>> *Sent:* Monday, December 05, 2005 11:24 AM
>> *To:* [email protected]
>> *Subject:* RE: [ActiveDir] Ntds.dit file corruption
>>
>> I was not aware that Microsoft had incorporated such a feature in
>> AD 2003. I know for a fact that Microsoft did not have this
>> feature when AD 2000 was first released because I mentioned it to
>> several Microsoft AD & premier support specialists and they each
>> confirmed it was not available (However it may have been added in
>> a service pack).
>>
>> I would love to know how to enable a read only DC. I think that is
>> a great idea, I wonder who thought of it. :-)
>>
>> Sincerely,
>> Jose Medeiros
>> ADP | National Account Services
>> ProBusiness Division | Information Services
>> 925.737.7967 | 408-449-6621 CELL
>>
>> -----Original Message-----
>> *From:* [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] Behalf Of *Phil
>> Renouf
>> *Sent:* Monday, December 05, 2005 11:04 AM
>> *To:* [email protected]
>> *Subject:* Re: [ActiveDir] Ntds.dit file corruption
>>
>> Will Read Only DC's take care of this? I don't know much about
>> them yet, but it makes sense that if the copy of the dit that
>> a DC has is RO that it won't try to replicate that anywhere
>> and would only be the recipient of replication. Anyone with
>> more knowledge about how RO DC's will work to comment on that?
>>
>> Phil
>>
>> On 12/5/05, *Medeiros, Jose* <[EMAIL PROTECTED]
>> <mailto:[EMAIL PROTECTED]>> wrote:
>>
>> Well at least the corruption occurred on just a single DC.
>> One thing that has bugged me about Active Directory is not
>> being able to select if you want a DC in a remote office
>> to not have the ability to replicate back in a large
>> enterprise environment. Since most remote offices only
>> have a few people at the location and a DC is usually
>> placed for improvised logon and authentication time, many
>> companies will either use a very low end server or a very
>> old decommissioned one from their production data center
>> (Which is probably close to useable life). I am always
>> concerned that once the NTDS.DIT file becomes corrupt it
>> will replicate the corruption to the other DC's in the
>> forest.
>>
>> Maybe I am just being a worrywart and this really is not
>> an issue.
>>
>> Sincerely,
>> Jose Medeiros
>> ADP | National Account Services
>> ProBusiness Division | Information Services
>> 925.737.7967 | 408-449-6621 CELL
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED]
>> <mailto:[EMAIL PROTECTED]>
>> [mailto:[EMAIL PROTECTED]
>> <mailto:[EMAIL PROTECTED]>]On Behalf Of
>> Susan Bradley,
>> CPA aka Ebitz - SBS Rocks [MVP]
>> Sent: Monday, December 05, 2005 8:53 AM
>> To: [email protected]
>> <mailto:[email protected]>
>> Subject: Re: [ActiveDir] Ntds.dit file corruption
>>
>> I did? :-) I think I still said all I know is what the
>> poster said :-)
>>
>> I think I need a course in event log reading because even
>> with the logs, and the default size of the logs, I still
>> don't see a smoking gun. The directory services one is
>> filled with events 'post' blow up.
>>
>> What is interesting is that it seems to me big server land
>> goes .. oh yeah... ntds.dit corruption... and sbsland freaks
>> out. Either we do indeed need to ensure we have a secondary
>> DC or we need to park a second copy of a system state
>> offsite [say at the vap/var]
>>
>> Brett Shirley wrote:
>> > She replied offline, very likely a single bit flip, tragedy, they aren't
>> > one release later (Longhorn), where this would've probably been
>> > non-disruptively handled, logged, and possibly self-healed:
>> > http://blogs.technet.com/efleis/archive/2005/01.aspx
>> >
>> > Anyway, this kind of thing is usually hardware ...
>> >
>> > While there are much better disk sub-system testers, one that is freely
>> > available to any box with Exchange is jetstress. You might give that a
>> > try. If you can reproduce the event / error with jetstress I would not
>> > use that box in production.
>> >
>> > If you do reproduce the issue several times (several times is key, as you
>> > want a trend before you start playing the variable game), some things
>> > you might vary (one at a time):
>> >
>> > - Try making sure you have the latest driver and motherboard / controller
>> > firmware. Then see if you can reproduce.
>> >
>> > - Try a different RAID configuration, such as RAID1/RAID1+0 if you're on
>> > RAID5.
>> >
>> > - Try swapping out the hard drives, one at a time.
>> >
>> > - Adding the jetstress files to the exclude list in the Anti-Virus
>> > software. (A low probability, I've never heard of Anti-Virus causing this
>> > particular type of error, and I can't imagine the mistake an anti-virus
>> > product would have to have to cause this side effect)
>> >
>> > - If you can reproduce it several times, you could follow up with Dell.
>> > Good luck.
>> >
>> > I'm not sure if I answered your question ...
>> >
>> > Cheers,
>> > BrettSh
>> >
>> > On Sun, 4 Dec 2005, Eric Fleischman wrote:
>> >
>> >> Going back to the original post, I'm not sure I fully understand the
>> >> problem yet. Susan, can you define "ntds.dit file corruption" for us?
>> >> What sort of corruption? What errors/events lead you to believe this?
>> >> Specifically, I'm interested in errors from NTDS ISAM or ESE if you
>> >> have any.
>> >>
>> >> ________________________________
>> >>
>> >> From: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> on behalf of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>> >> Sent: Sat 12/3/2005 10:58 PM
>> >> To: [email protected] <mailto:[email protected]>
>> >> Subject: [ActiveDir] Ntds.dit file corruption
>> >>
>> >> SBS box [with Windows 2003 sp1 since September]
>> >>
>> >> RE: [ActiveDir] Database Corruption:
>> >>
>> >> http://www.mail-archive.com/[email protected]/msg32676.html
>> >>
>> >> We have a SBS 2003 sp1 box with a corrupt ntds.dit that the Consultant
>> >> and PSS have been banging on. Could not get the services back running,
>> >> changed the RPC service to local system and some service came back up [I
>> >> don't have all the details but the consultant opened a support case of
>> >> SRX051202605433].
>> >>
>> >> Bottom line they are about going to give up and start a restore but
>> >> before they do that I'd like to get the view of the AD gods and
>> >> goddesses around here. From all that I've seen, read, seen in the SBS
>> >> newsgroup, the corruption of ntds.dit is rare to nil and an underlying
>> >> cause is hardware issues [raid, disk subsystem]. This doesn't just
>> >> happen.
>> >>
>> >> The VAP asked if not properly excluding the ad databases from the a/v
>> >> would cause this/trigger this and my expectation is 'no', given that I
>> >> doubt the majority of us in SBSland properly set up exclusions
>> >> Virus scanning recommendations on a Windows 2000 or on a Windows Server
>> >> 2003 domain controller:
>> >> http://support.microsoft.com/default.aspx?scid=kb;en-us;822158
>> >>
>> >> If this were my hardware and box, I'd be putting this sucker on the
>> >> operating table and getting an autopsy before putting it back online.
>> >>
>> >> Are we right in being paranoid now about this hardware? For you guys in
>> >> big server land you'd just slide over another box into that server role.
>> >>
>> >> ---------------------------------------
>> >> Stupid question alert....
>> >>
>> >> Okay so we know that having a secondary/additional domain controller is
>> >> a good thing even in SBSland...but question.... many times the second
>> >> server in SBSland is a terminal server box because we do not support TS
>> >> in app mode on our PDCs. So we've established that having a domain
>> >> controller and a terminal server is a security issue [see Windows
>> >> Security resource kit, NIST Terminal services hardening guide, etc
>> >> etc....] If our second server is a member server handing out TS
>> >> externally, should that be a candidate for the additional DC? Are the
>> >> issues of TS on a DC ... true for 'any' DC? Would it be better than to
>> >> Vserver/VPC a Win2k3 inside a workstation in the network if a third
>> >> server box was not feasible?
>> >>
>> >> List info   : http://www.activedir.org/List.aspx
>> >> List FAQ    : http://www.activedir.org/ListFAQ.aspx
>> >> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>> >>
>>
>> --
>> Letting your vendors set your risk analysis these days?
>> http://www.threatcode.com
>>
>
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
