Well I got it all working - and yes I was not allowed to do a rebuild. What I 
wanted to do and was permitted to do were two separate things. No Lectures 
please - I know!!!!!

But I reckon the problems may go away now that I have enabled several key 
services in the Hardware profiles tab on each service on all DC's (including the 
KDC and Windows Time Service) - all Automatic services stated started - but when 
I went to do a DC password reset I got 1058 error messages.

Now I just need them to move the SQL Servers off of their DC's and implement a 
monitoring solution (this is now someone else's battle as I have done what was 
required of me).

-----
Oh and I had a shock today - money is not an issue - the company's turnover 
last year was over £800 Million ($1,380 million), it's just bad design and lack 
of knowledge.

So I get a few days off now and then it's spearmint rhino's with a rubber 
chicken.

As a footnote I might suggest an Episode of CSI: Who killed the AD? (Contractor 
for hire).

Ciao.

Mark

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 14 March 2006 09:39
To: [email protected]
Subject: RE: [ActiveDir] Not a line from a song - "It has been too long since 
this machine replicated"

That ol chestnut - 'fix the server without changing anything, nor without 
rebooting services nor the OS' :)

Enjoy, Mark :)

neil




-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 14 March 2006 09:25
To: ActiveDir.org
Subject: Re: [ActiveDir] Not a line from a song - "It has been too long since 
this machine replicated"

Thanks Guido, the other issue is that they don't want me rebooting servers. I 
may have to be a little more forceful.

Mark
-----Original Message-----
From: "Grillenmeier, Guido" <[EMAIL PROTECTED]>
Date: Tue, 14 Mar 2006 08:12:06
To:<[email protected]>
Subject: RE: [ActiveDir] Not a line from a song - "It has been too long since 
this machine replicated"

I'd certainly vote for the demotion approach - this can't be an environment 
where thousands of changes have occurred on the various DCs - they would have 
had RID issues etc... Especially if you only have 3 DCs left that are 
"misbehaving", I seriously doubt that you'd lose much more than a few PW resets 
and maybe some group-changes and maybe a new user.  
 
You could investigate the differences between DCs by using DSASTAT from the 
support tools - for example, the following command will show you if you have 
different users in your Sales OU between DC1 and DC2:   
   
dsastat -s:DC1;DC2 -b:OU=Sales,DC=Domain,DC=com -gcattrs:all -sort:true -t:false -p:16 -filter:"(&(objectclass=user)(!objectClass=computer))"

For more info, see:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/2ba84826-90e7-44dc-a34c-1daf28a56172.mspx
 
 
 
The "They don't have dedicated hardware for most DC's and it is a real mare." 
argument doesn't really count => a demotion should typically not hurt the other 
apps on your DCs, that's what the /forcedemotion option was added for...  It's 
a different story, that the DC shouldn't host other apps, but it's certainly 
not a reason not to force-demote it. 
 
When you've checked the differences between the DCs, you'll likely feel more 
comfortable doing a forced demotion of the faulty DCs, a metadata cleanup in 
the domain, and then a re-promotion of the machines to DCs of your domain.  And 
fixing that user-profile for that one new user that you'd then have to 
re-create is not a big deal either :-) 
 
/Guido
 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, 14 March 2006 00:18
To: [email protected]
Subject: Re: [ActiveDir] Not a line from a song - "It has been too long since 
this machine replicated"

 
 
That's a shame.  But if that's the way it has to be, then that's the way it has 
to be.  You *might* want to suggest virtualization as a way to save hardware 
costs and still maintain somewhat dedicated small dc's.  They'll save on 
consulting costs in the long run if they do something similar AND fix the 
monitoring processes :) 
 
Demoting the DC's would still be my first choice in the road to recovery. It's 
not my gig, but I typically suggest it as a way to ensure that things are 
solid.  With the approach you're taking, you'll always have that smoldering 
fire to work with.  Dedicated hardware concerns? For the price of about an hour 
of the consultant's time, they could likely come up with a desktop that could be 
used in the interim as a DC until the other one in the site can be rebuilt. 
Painful? Yes. The best thing long-term? In most situations, most definitely. 
 
In the end, it's your call along with the customer.  This is just my $0.04 
worth from a distance. 
 
Best of luck and all that. 
 
Al

 
On 3/13/06, Mark Parris <[EMAIL PROTECTED]> wrote:

Why – Because they want to. I have suggested the demotion approach. They 
don't have dedicated hardware for most DC's and it is a real mare.

During the failings they have treated each DC effectively as a domain and 
each DC has objects that are vital but not replicated so I cannot just 
flatten it – if I could I would.

I think I found one of the reasons for the failings – over 15gbs worth of 
System state backups and i386 in the SYSVOL which caused the DC's to keel 
over.

Mark

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 13 March 2006 21:20
To: [email protected]
Subject: Re: [ActiveDir] Not a line from a song - "It has been too long since 
this machine replicated"

I have to ask: Why? Why bother taking that chance with that registry key vs. 
flattening the DC and building new? To me, those DCs are suspect and should 
be shot on site.  It's worth the extra effort and the hardware investment at 
this point (it's really only one new server.  I'd be fine with a desktop as 
a server if that's what it takes to get the AD back in shape; until you could 
flatten and rebuild the existing server class hardware (big assumption on my 
part)).

Be sure to address the issues that led to that kind of issue in the first 
place prior to completing the fixes.  Otherwise, you'll be back.

I also have to ask: Are you working in one of the far reaches of my current 
employer ;) ?

Al

On 3/13/06, Mark Parris <[EMAIL PROTECTED]> wrote:

Hello All,

This is for several beers at DEC if you're there.

This week I am sorting out a company whose AD has not fully replicated since 
July 2005!

They have 9 DC's, all Windows Server 2003 SP1 (Forest level 2003).

I have managed to get most of the DC's talking to each other and I now have 
partial replication.

I have done this by setting the registry key Allow Replication With 
Divergent and Corrupt Partner to 1 and I have run repadmin 
/removelingeringobjects ServerName ServerGUID DirectoryPartition 
(/advisory_mode) on the server that is the PDC emulator.

I have three DC's which will not replicate and I believe this is due to there 
being a password mismatch on the DC Machine accounts so I will reset these 
tomorrow.

Is there anything else I should be aware of?

Mark




List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
