That's a fairly naive request to make by your customer, after they've not taken appropriate care and screwed their servers - and I'm sure you'd even be willing to do this after hours, so it shouldn't hurt them much.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, 14 March 2006 10:25
To: ActiveDir.org
Subject: Re: [ActiveDir] Not a line from a song - "It has been too long since this machine replicated"

Thanks Guido, the other issue is that they don't want me rebooting servers. I may have to be a little more forceful.

Mark

-----Original Message-----
From: "Grillenmeier, Guido" <[EMAIL PROTECTED]>
Date: Tue, 14 Mar 2006 08:12:06
To: <[email protected]>
Subject: RE: [ActiveDir] Not a line from a song - "It has been too long since this machine replicated"

I'd certainly vote for the demotion approach - this can't be an environment where thousands of changes have occurred on the various DCs - they would have had RID issues etc... Especially if you only have 3 DCs left that are "misbehaving", I seriously doubt that you'd lose much more than a few PW resets and maybe some group-changes and maybe a new user.

You could investigate the differences between DCs by using DSASTAT from the support tools - for example, the following command will show you if you have different users in your Sales OU between DC1 and DC2:

dsastat -s:DC1;DC2 -b:OU=Sales,DC=Domain,DC=com -gcattrs:all -sort:true -t:false -p:16 -filter:"(&(objectclass=user)(!objectClass=computer))"

For more info, see:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/2ba84826-90e7-44dc-a34c-1daf28a56172.mspx

The "They don't have dedicated hardware for most DC's and it is a real mare." argument doesn't really count => a demotion should typically not hurt the other apps on your DCs, that's what the /forcedemotion option was added for... It's a different story, that the DC shouldn't host other apps, but it's certainly not a reason not to force-demote it.

When you've checked the differences between the DCs, you'll likely feel more comfortable doing a forced demotion of the faulty DCs, a metadata cleanup in the domain, and then a re-promotion of the machines to DCs of your domain. And fixing that user-profile for that one new user that you'd then have to re-create is not a big deal either :-)

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, 14 March 2006 00:18
To: [email protected]
Subject: Re: [ActiveDir] Not a line from a song - "It has been too long since this machine replicated"

That's a shame. But if that's the way it has to be, then that's the way it has to be. You *might* want to suggest virtualization as a way to save hardware costs and still maintain somewhat dedicated small DCs. They'll save on consulting costs in the long run if they do something similar AND fix the monitoring processes :)

Demoting the DC's would still be my first choice in the road to recovery. It's not my gig, but I typically suggest it as a way to ensure that things are solid. With the approach you're taking, you'll always have that smoldering fire to work with.

Dedicated hardware concerns? For the price of about an hour of the consultant's time, they could likely come up with a desktop that could be used in the interim as a DC until the other one in the site can be rebuilt. Painful? Yes. The best thing long-term? In most situations, most definitely.

In the end, it's your call along with the customer. This is just my $0.04 worth from a distance.

Best of luck and all that.

Al

On 3/13/06, Mark Parris <[EMAIL PROTECTED]> wrote:

Why - Because they want to. I have suggested the demotion approach. They don't have dedicated hardware for most DC's and it is a real mare. During the failings they have treated each DC effectively as a domain and each DC has objects that are vital but not replicated so I cannot just flatten it - if I could I would.

I think I found one of the reasons for the failings - over 15gbs worth of System state backups and i386 in the SYSVOL which caused the DC's to keel over.

Mark

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 13 March 2006 21:20
To: [email protected]
Subject: Re: [ActiveDir] Not a line from a song - "It has been too long since this machine replicated"

I have to ask: Why? Why bother taking that chance with that registry key vs. flattening the DC and building new? To me, those DCs are suspect and should be shot on site. It's worth the extra effort and the hardware investment at this point (it's really only one new server. I'd be fine with a desktop as a server if that's what it takes to get the AD back in shape; until you could flatten and rebuild the existing server class hardware (big assumption on my part)).

Be sure to address the issues that led to that kind of issue in the first place prior to completing the fixes. Otherwise, you'll be back.

I also have to ask: Are you working in one of the far reaches of my current employer ;) ?

Al

On 3/13/06, Mark Parris <[EMAIL PROTECTED]> wrote:

Hello All,

This is for several beers at DEC if you're there.

This week I am sorting out a company whose AD has not fully replicated since July 2005! They have 9 DC's All Windows Server 2003 SP1 (Forest level 2003).

I have managed to get most of the DC's talking to each other and I now have partial replication, I have done this by setting the registry key Allow Replication With Divergent and Corrupt Partner to 1 and I have run repadmin /removelingeringobjects ServerName ServerGUID DirectoryPartition (/advisory_mode) on the server that is the PDC emulator.

I have three DC's which will not replicate and I believe this is due to there being a password mismatch on the DC Machine accounts so I will reset these tomorrow.

Is there anything else I should be aware of?

Mark
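
Added example, not part of the original thread: a way to triage which replication links are past the tombstone lifetime (the condition behind the error in the subject line) before deciding between lingering-object cleanup and forced demotion. It assumes the column headers of `repadmin /showrepl * /csv`; the sample rows, the `stale_links` helper and the 60-day `tombstone_days` default are constructed for illustration, and the real lifetime must be read from the forest.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the column layout of `repadmin /showrepl * /csv`.
SAMPLE = """\
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC1,"DC=Domain,DC=com",HQ,DC2,RPC,0,0,2006-03-13 21:05:11,0
showrepl_INFO,HQ,DC1,"DC=Domain,DC=com",Branch,DC3,RPC,412,2006-03-13 20:50:02,2005-07-18 03:12:44,8614
showrepl_INFO,Branch,DC3,"DC=Domain,DC=com",HQ,DC1,RPC,3,2006-03-13 20:48:30,2006-02-27 09:00:00,1722
"""


def stale_links(csv_text, now, tombstone_days=60):
    """Return (risk, destination, source, naming_context, age_days) per bad link.

    PAST_TOMBSTONE: last success is older than the tombstone lifetime (or there
    never was one), so the source may hold lingering objects.
    FAILING: replication is failing but is still inside the lifetime.
    """
    limit = timedelta(days=tombstone_days)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["showrepl_COLUMNS"] != "showrepl_INFO":
            continue  # skip rows that do not describe a replication link
        try:
            last_ok = datetime.strptime(row["Last Success Time"],
                                        "%Y-%m-%d %H:%M:%S")
            age = now - last_ok
        except ValueError:
            age = None  # no parseable success time: treat as never replicated
        failures = int(row["Number of Failures"] or 0)
        if age is None or age > limit:
            risk = "PAST_TOMBSTONE"
        elif failures > 0:
            risk = "FAILING"
        else:
            continue  # healthy link
        findings.append((risk, row["Destination DSA"], row["Source DSA"],
                         row["Naming Context"],
                         None if age is None else age.days))
    return findings


if __name__ == "__main__":
    for finding in stale_links(SAMPLE, datetime(2006, 3, 14, 10, 25)):
        print(finding)
```
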
