RE: [ActiveDir] Error in PDC Operations Master
Huh? I didn't get that email Jorge... Lucky I was scanning through the posts, I barely caught this post.

I haven't seen admod not work for an undel, definitely get data to me, use the -exterr option to capture the DSID info too.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Thursday, June 02, 2005 10:56 AM
To: ActiveDir@mail.activedir.org; 'Send - AD mailing list'
Subject: RE: [ActiveDir] Error in PDC Operations Master

Apologies accepted! No hard feelings!

I also used the same environment to test the ADMOD -undel option to undelete objects and it did not work (already mailed Joe about it). However I must mention both the RID thing and the ADMOD thing were tested on W2K3-R2!

Keeping my earlier statement in mind regarding the need to manually increase the availableridpool on the new RID master after the seizure, I'm still thinking about the value for the manual increase (like some kind of formula)...

Factors/variables that I believe have influence on the size of the value:
* Pool of possible requested RIDs -> 500
* Number of DCs in domain or better yet the number of DCs that are used for security principal creation (the DCs that use RIDs)
* ?

If I come up with some formula I will post that on the list

Cheers
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: donderdag 2 juni 2005 16:24
To: 'Send - AD mailing list'
Subject: RE: [ActiveDir] Error in PDC Operations Master

Tested this myself and reached the same conclusion you did. I've since done some digging and found a number of references to the 1 million increase, all of which were in documents relating to Windows NT5. I assume my memory has yet again failed me :) since I can't even find any private up-to-date material to validate it.
RE: [ActiveDir] Error in PDC Operations Master
Deji

F:\DEV\cpp\ShrFlgs>adfind -schema -f ldapdisplayname=ridavailablepool systemflags

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: CN=Schema,CN=Configuration,DC=joe,DC=com

dn:CN=RID-Available-Pool,CN=Schema,CN=Configuration,DC=joe,DC=com
>systemFlags: 16

1 Objects returned

systemFlags of 16 breaks down to

0x10 - Indicates the object is a category 1 object. A category 1 object is a class or attribute that is included in the base schema included with the system.

It would have to have 0x01 set in the system flags to prevent it from being replicated.

Also here is a fairly useful KB http://support.microsoft.com/?kbid=305475

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, June 02, 2005 12:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

Something that confuses me in this (and in RID allocation generally) is: Isn't the RIDavailablePool held by the RID master? Is the value replicated among DCs? If it's not, does a DC have to check with the RID master BEFORE it increments this value? (I assume that it would, but I am not sure, especially if the RID master is not available).

Now, if you do an auth restore on a DC and you ask the DC to increment RIDAvailablePool, and that DC is NOT the RID master, AND the RID master is not available (for any reason), what happens then? IF the RID master is not available and you seize the role, how does the new role holder determine the current RIDAvailablePool?

I am guessing that all of the above is moot and RIDAvailablePool is replicated in real-time among DCs. But . if it's not ..

Say DCa is the RID Master and it says that RIDAvailablePool is currently at 91000. Say DCb is currently given 89001-89500, DCc is given 89501-9 and DCd is given 90001-90500. Say a disaster happened and we need to do an auth restore, but DCa is not recoverable.
RE: [ActiveDir] Error in PDC Operations Master
Hi,

The max. available RIDs in each AD domain is 1.073.741.823. This is the upper value of the attribute "rIDAvailablePool" of the object "CN=RID Manager$,CN=System,DC=PARENT,DC=LAN". This attribute "manages" the blocks of RIDs that have NOT been assigned to DCs to create security principals. The "owner" (or in other words: the DC that manages this object) is the DC mentioned in the attribute "fSMORoleOwner".

The object "CN=RID Manager$,...etc" IS REPLICATED to all DCs in the domain. This is important for other DCs if you need to transfer/seize the RID FSMO role to another DC. Imagine if it was not replicated and the original RID FSMO owner was down and dead. The new RID FSMO owner would never know what blocks of RIDs had been assigned to other DCs if a seizure was done. There is another way though, and that is if each block that had been assigned is known to each DC in the domain. The problem with this is that that is much more data than just the attribute "rIDAvailablePool" of the object mentioned earlier.

Below each DC object (CN=W2K3R2SRVTRL01,OU=Domain Controllers,DC=PARENT,DC=LAN) there exists another object "CN=RID Set,CN=W2K3R2SRVTRL01,OU=Domain Controllers,DC=PARENT,DC=LAN". This object stores the info about the RID blocks that have been assigned to each DC.

The attribute "rIDPreviousAllocationPool" (e.g. 15483357105186 -> upper value is 3605 and lower value is 3106) is the block of RIDs a DC is currently using for the creation of sec. princ. and IS NOT REPLICATED to other DCs.

The attribute "rIDAllocationPool" (e.g. 17630840753686 -> upper value is 4105 and lower value is 3606) is the block of RIDs the DC will use next when the first block has been consumed and IS REPLICATED to other DCs.

You might see that both attributes have the same value. When the block of RIDs (rIDPreviousAllocationPool) is consumed for 50% the DC will ask for another block and store that in "rIDAllocationPool". When it is consumed for 100% the "rIDPreviousAllocationPool" gets the value of "rIDAllocationPool". The values are the same again and will differ when the current used block is consumed for 50%.

You might think that the attribute "rIDNextRID" is the attribute that says which next RID will be consumed. You thought wrong as this is the LAST consumed RID by the DC.

OK, I agree MS chose some strange names for the attributes. In my opinion they should have been called "rIDCurrentAllocationPool" "rIDNextAllocationPool" "rIDLastRID", but that is just an opinion!

Have you ever wondered why you first need to target (connect to) the new to be FSMO master when transferring, instead of pointing it out? When transferring a FSMO role you are not saying to the old FSMO "hey give your FSMO role away", no you are saying (after connecting to the new one) "hey new one, take ownership of the FSMO role". Under the hood you are triggering an OPERATIONAL ATTRIBUTE on the new to be FSMO role holder. The OPERATIONAL ATTRIBUTES that do this are:
* becomeInfrastructureMaster
* becomePdc
* becomeSchemaMaster
* becomeRidMaster
* becomeDomainMaster

With the command "dcdiag /v /test:ridmanager" on a DC you can see the following:

#
Testing server: Default-First-Site-Name\W2K3R2SRVTRL01
Starting test: RidManager
* Available RID Pool for the Domain is 4106 to 1073741823
* w2k3r2srvtrl01.PARENT.LAN is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 3606 to 4105
* rIDPreviousAllocationPool is 3106 to 3605
* rIDNextRID: 3358
. W2K3R2SRVTRL01 passed test RidManager
#

The info is the same as stored in the attributes I mentioned earlier

The only time a DC (that I know of) throws away its RID blocks is when you mandate it by writing to the operational attribute called "invalidateRidPool" or when a DC has been restored. After the DC is restored it does some special stuff, and one of them is writing to the operational attribute called "invalidateRidPool" and asking for a new RID block from the RID FSMO master.

IF the RID FSMO master for some reason is NOT AVAILABLE then the DC asking for a new RID block will generate event id 16650. For more info on this see "Event ID 16650: The account-identifier allocator failed to initialize in Windows 2000 and in Windows Server 2003" (http://support.microsoft.com/?kbid=839879)

For more info on the RID attributes see "Description of RID Attributes in Active Directory" (http://support.microsoft.com/?kbid=305475)

I posted some findings earlier, see those also as an example

I hope I have described clearly how this works

Cheers,
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.actived
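[Added example, not part of any message in this thread and not code from the posters or from Microsoft.] The 64-bit pool values quoted above pack the upper RID into the high 32 bits and the lower RID into the low 32 bits. The Python sketch below decodes them and flags the post-seizure risk the thread is discussing: a RID master whose rIDAvailablePool still starts below a block that a DC already holds. The function names, the `dc_blocks` input shape and the DC02 block are assumptions made for illustration.

```python
"""Decode Active Directory RID pool attributes and sanity-check a RID master.

Added illustration. The layout (upper RID in the high 32 bits, lower RID in
the low 32 bits) is inferred from the values quoted in the thread.
"""

RID_MASK = 0xFFFFFFFF


def decode_pool(value):
    """Return (low, high) RID bounds packed into a 64-bit pool attribute."""
    value = int(value)
    if not 0 <= value < 1 << 64:
        raise ValueError("pool attribute must fit in 64 bits")
    low, high = value & RID_MASK, value >> 32
    if low > high:
        raise ValueError(f"lower bound {low} exceeds upper bound {high}")
    return low, high


def encode_pool(low, high):
    """Pack (low, high) RID bounds back into the 64-bit attribute form."""
    if not 0 <= low <= high <= RID_MASK:
        raise ValueError("bounds must satisfy 0 <= low <= high < 2**32")
    return (high << 32) | low


def block_usage(previous_allocation_pool, next_rid):
    """Fraction of the DC's current block that has been consumed.

    Per the thread, rIDPreviousAllocationPool is the block in use and
    rIDNextRID is the LAST RID handed out, so it counts as consumed.
    """
    low, high = decode_pool(previous_allocation_pool)
    if next_rid < low:  # nothing from this block used yet
        return 0.0
    if next_rid > high:
        raise ValueError("rIDNextRID lies outside the current block")
    return (next_rid - low + 1) / (high - low + 1)


def blocks_inside_available_pool(available_pool, dc_blocks):
    """List DC blocks that the RID master still treats as unissued.

    available_pool: rIDAvailablePool as read from the RID master.
    dc_blocks: {dc_name: rIDAllocationPool value} (hypothetical input shape).
    A block whose upper bound reaches the pool's lower bound would be issued
    a second time, giving duplicate RIDs and therefore duplicate SIDs.
    """
    avail_low, _ = decode_pool(available_pool)
    flagged = []
    for dc, pool in sorted(dc_blocks.items()):
        low, high = decode_pool(pool)
        if high >= avail_low:
            flagged.append((dc, low, high))
    return flagged


def minimum_safe_low(available_pool, dc_blocks):
    """Lowest pool start that clears every block in dc_blocks.

    Only as good as the data supplied: blocks that never replicated to the
    DC being queried are not covered.
    """
    avail_low, _ = decode_pool(available_pool)
    highest = max((decode_pool(p)[1] for p in dc_blocks.values()),
                  default=avail_low - 1)
    return max(avail_low, highest + 1)


if __name__ == "__main__":
    # Values quoted in the thread.
    for name, value in [("rIDAvailablePool", 4611686014132423214),
                        ("rIDPreviousAllocationPool", 15483357105186),
                        ("rIDAllocationPool", 17630840753686)]:
        print(name, decode_pool(value))
    print("block used:", block_usage(15483357105186, 3358))

    # Seized master's pool from the test log (starts at 3106); the DC02
    # block is constructed for this example.
    seized = 4611686014132423714
    blocks = {"DC02": encode_pool(5106, 5605)}
    print("overlaps:", blocks_inside_available_pool(seized, blocks))
    print("raise pool start to at least:", minimum_safe_low(seized, blocks))
```
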
RE: [ActiveDir] Error in PDC Operations Master
Something that confuses me in this (and in RID allocation generally) is: Isn't the RIDavailablePool held by the RID master? Is the value replicated among DCs? If it's not, does a DC have to check with the RID master BEFORE it increments this value? (I assume that it would, but I am not sure, especially if the RID master is not available).

Now, if you do an auth restore on a DC and you ask the DC to increment RIDAvailablePool, and that DC is NOT the RID master, AND the RID master is not available (for any reason), what happens then? IF the RID master is not available and you seize the role, how does the new role holder determine the current RIDAvailablePool?

I am guessing that all of the above is moot and RIDAvailablePool is replicated in real-time among DCs. But . if it's not ..

Say DCa is the RID Master and it says that RIDAvailablePool is currently at 91000. Say DCb is currently given 89001-89500, DCc is given 89501-9 and DCd is given 90001-90500. Say a disaster happened and we need to do an auth restore, but DCa is not recoverable. We take DCb, seize the role and did the restore. Would the RIDAvailablePool (according to DCb) now be equal 90001?

Also, how does an out-of-band increase in RIDAvailablePool affect RIDPreviousAllocationPool on other DCs in the domain? Do they all now discard this pool and ask for a new batch from the new RID guy? Do they also immediately junk their current RIDAllocationPool and get new ones?

Wish I understood the inner-workings of RID better.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Jorge de Almeida Pinto
Sent: Thu 6/2/2005 7:55 AM
To: ActiveDir@mail.activedir.org; 'Send - AD mailing list'
Subject: RE: [ActiveDir] Error in PDC Operations Master

Apologies accepted! No hard feelings!
RE: [ActiveDir] Error in PDC Operations Master
Apologies accepted! No hard feelings!

I also used the same environment to test the ADMOD -undel option to undelete objects and it did not work (already mailed Joe about it). However I must mention both the RID thing and the ADMOD thing were tested on W2K3-R2!

Keeping my earlier statement in mind regarding the need to manually increase the availableridpool on the new RID master after the seizure, I'm still thinking about the value for the manual increase (like some kind of formula)...

Factors/variables that I believe have influence on the size of the value:
* Pool of possible requested RIDs -> 500
* Number of DCs in domain or better yet the number of DCs that are used for security principal creation (the DCs that use RIDs)
* ?

If I come up with some formula I will post that on the list

Cheers
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: donderdag 2 juni 2005 16:24
To: 'Send - AD mailing list'
Subject: RE: [ActiveDir] Error in PDC Operations Master

Tested this myself and reached the same conclusion you did. I've since done some digging and found a number of references to the 1 million increase, all of which were in documents relating to Windows NT5. I assume my memory has yet again failed me :) since I can't even find any private up-to-date material to validate it.

PS - Ironically, I did find a document that I wrote for a seminar just after Windows 2000's release where I make a recommendation regarding increasing the RID pool following role seizure ... maybe I knew it at one point or another ... if I did, it probably got replaced by some other piece of useless information since I believe my brain reached capacity some years back.
RE: [ActiveDir] Error in PDC Operations Master
Tested this myself and reached the same conclusion you did. I've since done some digging and found a number of references to the 1 million increase, all of which were in documents relating to Windows NT5. I assume my memory has yet again failed me :) since I can't even find any private up-to-date material to validate it.

PS - Ironically, I did find a document that I wrote for a seminar just after Windows 2000's release where I make a recommendation regarding increasing the RID pool following role seizure ... maybe I knew it at one point or another ... if I did, it probably got replaced by some other piece of useless information since I believe my brain reached capacity some years back.

Anyways, my apologies for causing you to waste so much time testing this, it seems this was removed quite some time ago :(

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 02, 2005 9:09 AM
To: ActiveDir@mail.activedir.org; Send - AD mailing list; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Error in PDC Operations Master

Hi Dean,

As I mentioned earlier I did not know (never seen it before) about the automatic increase of the ridavailablepool value with 1 million after the rid seizure. I got curious and I built a small environment. I did not see the ridpool got increased with 1 million after the seizure. I also got different results depending on where the NEW rid master is located (SITE WISE). See below.

After the seizure the new RID master increased its known pool with 500. Personally I think that's not enough... Especially in a large environment

During the seizure the new to be RID master reports:
>>Searching for highest rid pool in domain

Can you elaborate more on the automatic increase of the availableridpool attribute and when that happens?
RE: [ActiveDir] Error in PDC Operations Master
Hi Dean,

As I mentioned earlier I did not know (never seen it before) about the automatic increase of the ridavailablepool value with 1 million after the rid seizure. I got curious and I built a small environment. I did not see the ridpool get increased with 1 million after the seizure. I also got different results depending on where the NEW rid master is located (SITE WISE). See below. After the seizure the new RID master increased its known pool with 500. Personally I think that's not enough... Especially in a large environment.

During the seizure the new to be RID master reports:
>>Searching for highest rid pool in domain

Can you elaborate more on the automatic increase of the availableridpool attribute and when that happens?

Cheers
#JORGE#

# DCs: 01, 02, 03
01: site1 -> original rid master
02: site1
03: site2 -> new rid master after seizing

01: rIDAvailablePool: 4611686014132423214
02: rIDAvailablePool: 4611686014132423214
03: rIDAvailablePool: 4611686014132423214
  1073741823 2606

01: 3000 users created
01: rIDAvailablePool: 4611686014132426214
02: rIDAvailablePool: 4611686014132426214
  1073741823 5606
03: rIDAvailablePool: 4611686014132423214
  1073741823 2606

01: down
03: seized rid master
03: rIDAvailablePool: 4611686014132423714 (increased with 500)
  1073741823 3106

02: 1000 users created
02: replication forced
03: replication forced
02: rIDAvailablePool: 4611686014132426214 <--- (this value would not, even after forcing replication!)
  1073741823 5606
03: rIDAvailablePool: 4611686014132424714
  1073741823 4106

02: 3001 users created
02: rIDAvailablePool: 4611686014132427714 (this value only changes when the value of 03 was higher than the previous value of 02!)
03: rIDAvailablePool: 4611686014132427714

# DCs: 01, 02, 03
01: site1 -> original rid master
02: site1
03: site1 -> new rid master after seizing

01: rIDAvailablePool: 4611686014132423214
02: rIDAvailablePool: 4611686014132423214
03: rIDAvailablePool: 4611686014132423214

03: disabled inbound REPL
01: 3000 users created
01: rIDAvailablePool: 4611686014132426214
02: rIDAvailablePool: 4611686014132426214
  1073741823 5606
03: rIDAvailablePool: 4611686014132423214
  1073741823 2606

01: down
03: enable inbound REPL
03: seized rid master
03: rIDAvailablePool: 4611686014132423714 (increased with 500)
  1073741823 3106

02: 1000 users created
02: rIDAvailablePool: 4611686014132427214
03: rIDAvailablePool: 4611686014132427214
###

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: dinsdag 31 mei 2005 10:31
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Hi Dean,

You are right... That 1 million is enough. I did not know that when seizing the RID master the ridavailablepool is increased automatically by 1 million. Thanks for the info and sorry for the wrong info about the need to manually increase the RID available pool. Is the automatic increase somehow dependent on another variable? (like number of DCs and/or number of days or something else) Or is it a fixed value?

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: dinsdag 31 mei 2005 1:15
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It's already increased by 1 mil. (IIRC) as part of the seizure process, do you feel this is insufficient even when taking the replication outage into account?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Sunday, May 29, 2005 5:22 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because you are seizing and not transferring and as the NEW Rid Manager object may not be up-to-date on the remaining DCs (because replication halted/stopped for some reason) you may want to increase the Ridavailablepool attribute (on the Rid Manager object in the domain) for the NEW RID MANAGER FSMO (just to be sure)

Cheers,
#JORGE#

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: vrijdag 27 mei 2005 22:53
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Yes, but a fleeting one in most cases. You'll need to seize the roles assigned to the errant DC. In terms of who owns the roles, you are only interested in the perspective of the other DCs. The PDC FSMO serves many purposes and is indeed an important DC but even it can tolerate downtime.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto
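Added example (not part of any message in the thread): the pairs such as `1073741823 2606` listed under the rIDAvailablePool values above are the two 32-bit halves of the 64-bit attribute. This Python code reproduces them from the figures of the first test and measures how far the seized master's pointer sat below the old master's. The function names, and the reading of the low half as the next-allocation pointer and the high half as the per-domain ceiling, are assumptions consistent with the numbers in the post.

```python
"""Decode rIDAvailablePool values quoted in the thread (added example)."""
from typing import List, NamedTuple

MASK32 = 0xFFFFFFFF


class RidPool(NamedTuple):
    next_rid: int  # low 32 bits (assumed): where the next RID block is carved from
    max_rid: int   # high 32 bits (assumed): ceiling on RIDs the domain can issue


def decode(value: int) -> RidPool:
    """Split the 64-bit large integer into its two 32-bit halves."""
    if not 0 <= value < 1 << 64:
        raise ValueError("rIDAvailablePool is a 64-bit large integer")
    return RidPool(next_rid=value & MASK32, max_rid=value >> 32)


def encode(pool: RidPool) -> int:
    """Inverse of decode()."""
    return (pool.max_rid << 32) | pool.next_rid


def remaining(value: int) -> int:
    """RIDs left before the domain ceiling is reached."""
    pool = decode(value)
    return pool.max_rid - pool.next_rid


def stale_gap(seized_value: int, highest_seen_value: int) -> int:
    """How many RIDs the seized master's pointer sits below the highest
    pointer recorded on any DC. A non-zero gap means the new master holds
    an out-of-date copy of the pool, which is the case the thread's advice
    to raise the attribute after a seizure addresses."""
    gap = decode(highest_seen_value).next_rid - decode(seized_value).next_rid
    return max(0, gap)


def raised(value: int, increment: int) -> int:
    """Value to write back to move the pointer up by `increment` RIDs."""
    if increment <= 0:
        raise ValueError("increment must be positive")
    pool = decode(value)
    new_next = pool.next_rid + increment
    if new_next > pool.max_rid:
        raise ValueError("increment would pass the domain RID ceiling")
    return encode(pool._replace(next_rid=new_next))


# Values copied from the first test in the post (03, in site2, seizes the role).
BEFORE = 4611686014132423214                       # all three DCs
OLD_MASTER_AFTER_3000_USERS = 4611686014132426214  # DC 01 and DC 02
NEW_MASTER_AFTER_SEIZURE = 4611686014132423714     # DC 03


def report() -> List[str]:
    """Human-readable summary of the first test."""
    lines = []
    for label, value in (
        ("before", BEFORE),
        ("01 after 3000 users", OLD_MASTER_AFTER_3000_USERS),
        ("03 after seizure", NEW_MASTER_AFTER_SEIZURE),
    ):
        pool = decode(value)
        lines.append(f"{label}: next={pool.next_rid} max={pool.max_rid}")
    gap = stale_gap(NEW_MASTER_AFTER_SEIZURE, OLD_MASTER_AFTER_3000_USERS)
    lines.append(f"seized master is {gap} RIDs behind the old master")
    lines.append(f"value that closes the gap: {raised(NEW_MASTER_AFTER_SEIZURE, gap)}")
    lines.append(f"RIDs remaining in domain: {remaining(NEW_MASTER_AFTER_SEIZURE)}")
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

The same decoding applies to the second test, where both DCs end at 4611686014132427214.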
RE: [ActiveDir] Error in PDC Operations Master
As I mentioned, USN rollback is quite difficult to detect ('quite' scales exponentially with the complexity and size of the directory). As for rebuilding (and assuming you have granted users and groups permission to use various resources around the domain), you may want to scrap that approach. Assuming the information you've provided is both accurate and complete; removal of the PDC, role seizure, metadata cleanup and re-introduction of the DC serves to provide a working solution ... really, I see no need to (nor would I recommend that you) start again.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Tuesday, May 31, 2005 12:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

Ok thanks, I found my original issue was that I had restored my PDC to a ghost image from the day before because of a windows update that was causing the machine to reboot like the LSASS virus. Ever since I did that restore my domain has not properly replicated, although looking at accounts in my OUs where I've added many new accounts and made hundreds of changes, it appears to be in sync. I'm contemplating rebuilding the entire domain, as I have scripts that will create all the accounts in a matter of minutes, minus passwords, I wonder if there's a way to get those out of the current accounts so I can re-sync them up also.

Thanks,
--
Matt Brown
[EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL
| Cheney, WA 99004
+--+

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, May 31, 2005 9:20 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

I would strongly advise against that, restoring an AD DC to an earlier point in time without its knowledge causes an issue known as USN rollback which is difficult to detect, manifests odd symptoms and may cause more problems than it resolves. The role related approaches posted so far are, IMHO, the better next-step.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Tuesday, May 31, 2005 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

I also have Ghost Images of my servers from the day before my replication stopped. What do you think of restoring back to those images and then restoring 1 of my active directory backups? Because we're a university, this is normally the time of year I reset passwords, so I could get away with doing a master reset of all passwords.

Thanks,
--
Matt Brown
[EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL
| Cheney, WA 99004
+--+

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, May 31, 2005 5:50 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It certainly is finite, everything I have, however, indicates that RID strength is ~30 bits equating to ~1 billion per domain. I've had a brief look elsewhere and can find no reference to other constraining factors though that's not to say there aren't any since this most certainly isn't a scenario I've personally encountered.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, May 31, 2005 5:08 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error in PDC Operations Master

As a by the way: I remember attending an Active Directory session last year at TechED Amsterdam, where it was stated that the RID pools were not unlimited and it was a finite number, something like 143 million RIDS per domain, now if it increases by 1 million every time automatically plus you have a lot of objects in your AD 143 million does not seem that many. The session was a John Craddock session, on AD as part of the pre-conference programme. Can anyone confirm this number and confirm the matter?

Regards
Mark

-Original Message-
From: Jorge de Almeida Pinto <[EMAIL PROTECTED]>
Date: Tue, 31 May 2005 10:31:02
To: ActiveDir@mail.activedir.org, Send - AD mailing list <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] Error in PDC Operations Master

Hi Dean,

You are right... That 1 million is enou
RE: [ActiveDir] Error in PDC Operations Master
Ok thanks, I found my original issue was that I had restored my PDC to a ghost image from the day before because of a windows update that was causing the machine to reboot like the LSASS virus. Ever since I did that restore my domain has not properly replicated, although looking at accounts in my OUs where I've added many new accounts and made hundreds of changes, it appears to be in sync. I'm contemplating rebuilding the entire domain, as I have scripts that will create all the accounts in a matter of minutes, minus passwords, I wonder if there's a way to get those out of the current accounts so I can re-sync them up also.

Thanks,
--
Matt Brown
[EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL
| Cheney, WA 99004
+--+

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, May 31, 2005 9:20 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

I would strongly advise against that, restoring an AD DC to an earlier point in time without its knowledge causes an issue known as USN rollback which is difficult to detect, manifests odd symptoms and may cause more problems than it resolves. The role related approaches posted so far are, IMHO, the better next-step.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Tuesday, May 31, 2005 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

I also have Ghost Images of my servers from the day before my replication stopped. What do you think of restoring back to those images and then restoring 1 of my active directory backups? Because we're a university, this is normally the time of year I reset passwords, so I could get away with doing a master reset of all passwords.

Thanks,
--
Matt Brown
[EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL
| Cheney, WA 99004
+--+

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, May 31, 2005 5:50 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It certainly is finite, everything I have, however, indicates that RID strength is ~30 bits equating to ~1 billion per domain. I've had a brief look elsewhere and can find no reference to other constraining factors though that's not to say there aren't any since this most certainly isn't a scenario I've personally encountered.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, May 31, 2005 5:08 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error in PDC Operations Master

As a by the way: I remember attending an Active Directory session last year at TechED Amsterdam, where it was stated that the RID pools were not unlimited and it was a finite number, something like 143 million RIDS per domain, now if it increases by 1 million every time automatically plus you have a lot of objects in your AD 143 million does not seem that many. The session was a John Craddock session, on AD as part of the pre-conference programme. Can anyone confirm this number and confirm the matter?

Regards
Mark

-Original Message-
From: Jorge de Almeida Pinto <[EMAIL PROTECTED]>
Date: Tue, 31 May 2005 10:31:02
To: ActiveDir@mail.activedir.org, Send - AD mailing list <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] Error in PDC Operations Master

Hi Dean,

You are right... That 1 million is enough. I did not know that when seizing the RID master the ridavailablepool is increased automatically by 1 million. Thanks for the info and sorry for the wrong info about the need to manually increase the RID available pool. Is the automatic increase somehow dependent on another variable? (like number of DCs and/or number of days or something else) Or is it a fixed value?

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: dinsdag 31 mei 2005 1:15
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It's already increased by 1 mil. (IIRC) as part of the seizure process, do you feel this is insufficient even when taking the replication outage into account?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From:
RE: [ActiveDir] Error in PDC Operations Master
I would strongly advise against that, restoring an AD DC to an earlier point in time without its knowledge causes an issue known as USN rollback which is difficult to detect, manifests odd symptoms and may cause more problems than it resolves. The role related approaches posted so far are, IMHO, the better next-step.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Tuesday, May 31, 2005 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

I also have Ghost Images of my servers from the day before my replication stopped. What do you think of restoring back to those images and then restoring 1 of my active directory backups? Because we're a university, this is normally the time of year I reset passwords, so I could get away with doing a master reset of all passwords.

Thanks,
--
Matt Brown
[EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL
| Cheney, WA 99004
+--+

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, May 31, 2005 5:50 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It certainly is finite, everything I have, however, indicates that RID strength is ~30 bits equating to ~1 billion per domain. I've had a brief look elsewhere and can find no reference to other constraining factors though that's not to say there aren't any since this most certainly isn't a scenario I've personally encountered.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, May 31, 2005 5:08 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error in PDC Operations Master

As a by the way: I remember attending an Active Directory session last year at TechED Amsterdam, where it was stated that the RID pools were not unlimited and it was a finite number, something like 143 million RIDS per domain, now if it increases by 1 million every time automatically plus you have a lot of objects in your AD 143 million does not seem that many. The session was a John Craddock session, on AD as part of the pre-conference programme. Can anyone confirm this number and confirm the matter?

Regards
Mark

-Original Message-
From: Jorge de Almeida Pinto <[EMAIL PROTECTED]>
Date: Tue, 31 May 2005 10:31:02
To: ActiveDir@mail.activedir.org, Send - AD mailing list <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] Error in PDC Operations Master

Hi Dean,

You are right... That 1 million is enough. I did not know that when seizing the RID master the ridavailablepool is increased automatically by 1 million. Thanks for the info and sorry for the wrong info about the need to manually increase the RID available pool. Is the automatic increase somehow dependent on another variable? (like number of DCs and/or number of days or something else) Or is it a fixed value?

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: dinsdag 31 mei 2005 1:15
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It's already increased by 1 mil. (IIRC) as part of the seizure process, do you feel this is insufficient even when taking the replication outage into account?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Sunday, May 29, 2005 5:22 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because you are seizing and not transferring and as the NEW Rid Manager object may not be up-to-date on the remaining DCs (because replication halted/stopped for some reason) you may want to increase the Ridavailablepool attribute (on the Rid Manager object in the domain) for the NEW RID MANAGER FSMO (just to be sure)

Cheers,
#JORGE#

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: vrijdag 27 mei 2005 22:53
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Yes, but a fleeting one in most cases. You'll need to seize the roles assigned to the errant DC. In terms of who owns the roles, you are only interested in the perspective of the other DCs. The PDC FSMO serves many purposes and is indeed an important DC but even it can tolerate downtime.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://mset
RE: [ActiveDir] Error in PDC Operations Master
I also have Ghost Images of my servers from the day before my replication stopped. What do you think of restoring back to those images and then restoring 1 of my active directory backups? Because we're a university, this is normally the time of year I reset passwords, so I could get away with doing a master reset of all passwords.

Thanks,
--
Matt Brown
[EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL
| Cheney, WA 99004
+--+

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, May 31, 2005 5:50 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It certainly is finite, everything I have, however, indicates that RID strength is ~30 bits equating to ~1 billion per domain. I've had a brief look elsewhere and can find no reference to other constraining factors though that's not to say there aren't any since this most certainly isn't a scenario I've personally encountered.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, May 31, 2005 5:08 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error in PDC Operations Master

As a by the way: I remember attending an Active Directory session last year at TechED Amsterdam, where it was stated that the RID pools were not unlimited and it was a finite number, something like 143 million RIDS per domain, now if it increases by 1 million every time automatically plus you have a lot of objects in your AD 143 million does not seem that many. The session was a John Craddock session, on AD as part of the pre-conference programme. Can anyone confirm this number and confirm the matter?

Regards
Mark

-Original Message-
From: Jorge de Almeida Pinto <[EMAIL PROTECTED]>
Date: Tue, 31 May 2005 10:31:02
To: ActiveDir@mail.activedir.org, Send - AD mailing list <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] Error in PDC Operations Master

Hi Dean,

You are right... That 1 million is enough. I did not know that when seizing the RID master the ridavailablepool is increased automatically by 1 million. Thanks for the info and sorry for the wrong info about the need to manually increase the RID available pool. Is the automatic increase somehow dependent on another variable? (like number of DCs and/or number of days or something else) Or is it a fixed value?

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: dinsdag 31 mei 2005 1:15
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It's already increased by 1 mil. (IIRC) as part of the seizure process, do you feel this is insufficient even when taking the replication outage into account?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Sunday, May 29, 2005 5:22 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because you are seizing and not transferring and as the NEW Rid Manager object may not be up-to-date on the remaining DCs (because replication halted/stopped for some reason) you may want to increase the Ridavailablepool attribute (on the Rid Manager object in the domain) for the NEW RID MANAGER FSMO (just to be sure)

Cheers,
#JORGE#

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: vrijdag 27 mei 2005 22:53
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Yes, but a fleeting one in most cases. You'll need to seize the roles assigned to the errant DC. In terms of who owns the roles, you are only interested in the perspective of the other DCs. The PDC FSMO serves many purposes and is indeed an important DC but even it can tolerate downtime.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 4:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because I believe my errant DC to be my PDC will that be a problem demoting it and then re-introducing it to the domain? Here is a screen shot of my Operations Masters... http://www.mjbdesignz.com/temp/OM.htm

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-Original Message-
From: [EMAIL PR
RE: [ActiveDir] Error in PDC Operations Master
It certainly is finite, everything I have, however, indicates that RID strength is ~30 bits equating to ~1 billion per domain. I've had a brief look elsewhere and can find no reference to other constraining factors though that's not to say there aren't any since this most certainly isn't a scenario I've personally encountered.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, May 31, 2005 5:08 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error in PDC Operations Master

As a by the way: I remember attending an Active Directory session last year at TechED Amsterdam, where it was stated that the RID pools were not unlimited and it was a finite number, something like 143 million RIDS per domain, now if it increases by 1 million every time automatically plus you have a lot of objects in your AD 143 million does not seem that many. The session was a John Craddock session, on AD as part of the pre-conference programme. Can anyone confirm this number and confirm the matter?

Regards
Mark

-Original Message-
From: Jorge de Almeida Pinto <[EMAIL PROTECTED]>
Date: Tue, 31 May 2005 10:31:02
To: ActiveDir@mail.activedir.org, Send - AD mailing list <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] Error in PDC Operations Master

Hi Dean,

You are right... That 1 million is enough. I did not know that when seizing the RID master the ridavailablepool is increased automatically by 1 million. Thanks for the info and sorry for the wrong info about the need to manually increase the RID available pool. Is the automatic increase somehow dependent on another variable? (like number of DCs and/or number of days or something else) Or is it a fixed value?

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: dinsdag 31 mei 2005 1:15
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It's already increased by 1 mil. (IIRC) as part of the seizure process, do you feel this is insufficient even when taking the replication outage into account?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Sunday, May 29, 2005 5:22 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because you are seizing and not transferring and as the NEW Rid Manager object may not be up-to-date on the remaining DCs (because replication halted/stopped for some reason) you may want to increase the Ridavailablepool attribute (on the Rid Manager object in the domain) for the NEW RID MANAGER FSMO (just to be sure)

Cheers,
#JORGE#

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: vrijdag 27 mei 2005 22:53
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Yes, but a fleeting one in most cases. You'll need to seize the roles assigned to the errant DC. In terms of who owns the roles, you are only interested in the perspective of the other DCs. The PDC FSMO serves many purposes and is indeed an important DC but even it can tolerate downtime.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 4:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because I believe my errant DC to be my PDC will that be a problem demoting it and then re-introducing it to the domain? Here is a screen shot of my Operations Masters... http://www.mjbdesignz.com/temp/OM.htm

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 12:39 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

That's what I expected.

Choice 1 - Mod. the registry and permit the errant DC to re-enter the replication topology (not recommended)
Choice 2 - Forcibly demote the errant DC, cleanup its metadata and reintroduce it through DCpromo

Caveats -
Choice 1: lingering objects may exist
Choice 2: you'll lose any changes locally introduced to the errant DC that occurred after its last successful replication attempt

?
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 3:08 PM
RE: [ActiveDir] Error in PDC Operations Master
To launch an attack on this the attacker must be able to create security principals. Although it is a very large number, ways to mitigate this are a good implementation of delegation of control and NTDS quotas.

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: dinsdag 31 mei 2005 12:02
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error in PDC Operations Master

Thanks Neil, I understand the concepts of seizure but it was the implications of 1 million RID increases that were of concern but as the number is 1073,741,823 not 143,000,000 it does not seem that much of an issue - let's hope nobody can launch a DoS to increase a domain's RID pool.

Mark

-Original Message-
From: "Ruston, Neil" <[EMAIL PROTECTED]>
Date: Tue, 31 May 2005 10:18:23
To: "'ActiveDir@mail.activedir.org'"
Subject: RE: [ActiveDir] Error in PDC Operations Master

The following: http://support.microsoft.com/?kbid=305475 appears to suggest the pool size is considerably larger. Bear in mind also, Mark, that seizure of the PDC role should not / will not be performed on a regular basis and the 1 million increment will not therefore, represent an issue.

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 31 May 2005 10:08
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error in PDC Operations Master

As a by the way: I remember attending an Active Directory session last year at TechED Amsterdam, where it was stated that the RID pools were not unlimited and it was a finite number, something like 143 million RIDS per domain, now if it increases by 1 million every time automatically plus you have a lot of objects in your AD 143 million does not seem that many. The session was a John Craddock session, on AD as part of the pre-conference programme. Can anyone confirm this number and confirm the matter?

Regards
Mark

-Original Message-
From: Jorge de Almeida Pinto <[EMAIL PROTECTED]>
Date: Tue, 31 May 2005 10:31:02
To: ActiveDir@mail.activedir.org, Send - AD mailing list <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] Error in PDC Operations Master

Hi Dean,

You are right... That 1 million is enough. I did not know that when seizing the RID master the ridavailablepool is increased automatically by 1 million. Thanks for the info and sorry for the wrong info about the need to manually increase the RID available pool. Is the automatic increase somehow dependent on another variable? (like number of DCs and/or number of days or something else) Or is it a fixed value?

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: dinsdag 31 mei 2005 1:15
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It's already increased by 1 mil. (IIRC) as part of the seizure process, do you feel this is insufficient even when taking the replication outage into account?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Sunday, May 29, 2005 5:22 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because you are seizing and not transferring and as the NEW Rid Manager object may not be up-to-date on the remaining DCs (because replication halted/stopped for some reason) you may want to increase the Ridavailablepool attribute (on the Rid Manager object in the domain) for the NEW RID MANAGER FSMO (just to be sure)

Cheers,
#JORGE#

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: vrijdag 27 mei 2005 22:53
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Yes, but a fleeting one in most cases. You'll need to seize the roles assigned to the errant DC. In terms of who owns the roles, you are only interested in the perspective of the other DCs. The PDC FSMO serves many purposes and is indeed an important DC but even it can tolerate downtime.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 4:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because I believe my errant DC to be my PDC will that be a problem demoting it and then re-introducing it to the domain? Here is a screen shot of my Operations Masters... http://www.mjbdesignz.com/temp/OM.htm

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-Original Message-
From: [EMAIL PR
Re: [ActiveDir] Error in PDC Operations Master
Thanks Neil,

I understand the concepts of seizure but it was the implications of 1 million RID increases that were of concern but as the number is 1,073,741,823 not 143,000,000 it does not seem that much of an issue - let's hope nobody can launch a DoS to increase a domain's RID pool.

Mark

-Original Message-
From: "Ruston, Neil" <[EMAIL PROTECTED]>
Date: Tue, 31 May 2005 10:18:23
To: "'ActiveDir@mail.activedir.org'"
Subject: RE: [ActiveDir] Error in PDC Operations Master

The following: http://support.microsoft.com/?kbid=305475 appears to suggest the pool size is considerably larger.

Bear in mind also, Mark, that seizure of the PDC role should not / will not be performed on a regular basis and the 1 million increment will not, therefore, represent an issue.

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Parris
Sent: 31 May 2005 10:08
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Error in PDC Operations Master

As a by the way:

I remember attending an Active Directory session last year at TechED Amsterdam, where it was stated that the RID pools were not unlimited and it was a finite number, something like 143 million RIDs per domain, now if it increases by 1 million every time automatically plus you have a lot of objects in your AD, 143 million does not seem that many.

The session was a John Craddock session, on AD as part of the pre-conference programme.

Can anyone confirm this number and confirm the matter?

Regards
Mark

-Original Message-
From: Jorge de Almeida Pinto <[EMAIL PROTECTED]>
Date: Tue, 31 May 2005 10:31:02
To: ActiveDir@mail.activedir.org, Send - AD mailing list <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] Error in PDC Operations Master

Hi Dean,

You are right... That 1 million is enough. I did not know that when seizing the RID master the ridavailablepool is increased automatically by 1 million. Thanks for the info and sorry for the wrong info about the need to manually increase the RID available pool.

Is the automatic increase somehow dependent on another variable? (like number of DCs and/or number of days or something else) Or is it a fixed value?

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dean Wells
Sent: Tuesday 31 May 2005 1:15
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It's already increased by 1 mil. (IIRC) as part of the seizure process, do you feel this is insufficient even when taking the replication outage into account?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jorge de Almeida Pinto
Sent: Sunday, May 29, 2005 5:22 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because you are seizing and not transferring and as the NEW Rid Manager object may not be up-to-date on the remaining DCs (because replication halted/stopped for some reason) you may want to increase the Ridavailablepool attribute (on the Rid Manager object in the domain) for the NEW RID MANAGER FSMO (just to be sure)

Cheers,
#JORGE#

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dean Wells
Sent: Friday 27 May 2005 22:53
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

Yes, but a fleeting one in most cases. You'll need to seize the roles assigned to the errant DC. In terms of who owns the roles, you are only interested in the perspective of the other DCs. The PDC FSMO serves many purposes and is indeed an important DC but even it can tolerate downtime.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 4:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because I believe my errant DC to be my PDC, will that be a problem demoting it and then re-introducing it to the domain?

Here is a screen shot of my Operations Masters... http://www.mjbdesignz.com/temp/OM.htm

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 12:39 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

That's what I expected.

Choice 1 - Mod. the registry and permit the errant DC to re-enter the replication topology (not recommended)
Choice 2 - Forcibly demote the errant DC, cleanup its metadata and reintroduce it through DCpromo

Caveats -
Choice 1: l
RE: [ActiveDir] Error in PDC Operations Master
The following: http://support.microsoft.com/?kbid=305475 appears to suggest the pool size is considerably larger.

Bear in mind also, Mark, that seizure of the PDC role should not / will not be performed on a regular basis and the 1 million increment will not, therefore, represent an issue.

neil
Re: [ActiveDir] Error in PDC Operations Master
As a by the way:

I remember attending an Active Directory session last year at TechED Amsterdam, where it was stated that the RID pools were not unlimited and it was a finite number, something like 143 million RIDs per domain, now if it increases by 1 million every time automatically plus you have a lot of objects in your AD, 143 million does not seem that many.

The session was a John Craddock session, on AD as part of the pre-conference programme.

Can anyone confirm this number and confirm the matter?

Regards
Mark
RE: [ActiveDir] Error in PDC Operations Master
Hi Dean,

You are right... That 1 million is enough. I did not know that when seizing the RID master the ridavailablepool is increased automatically by 1 million. Thanks for the info and sorry for the wrong info about the need to manually increase the RID available pool.

Is the automatic increase somehow dependent on another variable? (like number of DCs and/or number of days or something else) Or is it a fixed value?

Cheers
#JORGE#
RE: [ActiveDir] Error in PDC Operations Master
It's already increased by 1 mil. (IIRC) as part of the seizure process, do you feel this is insufficient even when taking the replication outage into account?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
RE: [ActiveDir] Error in PDC Operations Master
Because you are seizing and not transferring and as the NEW Rid Manager object may not be up-to-date on the remaining DCs (because replication halted/stopped for some reason) you may want to increase the Ridavailablepool attribute (on the Rid Manager object in the domain) for the NEW RID MANAGER FSMO (just to be sure)

Cheers,
#JORGE#
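The messages above debate raising rIDAvailablePool without showing how the value is laid out. As an added example (not part of the original thread): the attribute is a 64-bit integer whose high 32 bits hold the domain's RID ceiling and whose low 32 bits hold the RIDs already allocated. The code decodes a constructed sample value, counts how many 1 million increases fit under the 1,073,741,823 ceiling, and raises the low part without ever moving it backwards; the function names and the `highest_issued_rid` input are assumptions of this example.

```python
"""Decode and safely raise an rIDAvailablePool value (added example, not from the thread)."""

LOW_MASK = 0xFFFFFFFF
RID_CEILING = 1_073_741_823   # per-domain figure quoted in the thread (2**30 - 1)
SEIZURE_BUMP = 1_000_000      # per-seizure increase debated in the thread

# Constructed sample: ceiling in the high 32 bits, 2100 RIDs allocated in the low 32 bits.
SAMPLE_POOL = (RID_CEILING << 32) | 2100


def decode_pool(value):
    """Return (ceiling, allocated) from the 64-bit rIDAvailablePool integer."""
    if not 0 <= value < 1 << 64:
        raise ValueError("rIDAvailablePool must fit in 64 bits")
    return value >> 32, value & LOW_MASK


def encode_pool(ceiling, allocated):
    """Pack (ceiling, allocated) back into the attribute's integer form."""
    if not 0 <= allocated <= ceiling <= LOW_MASK:
        raise ValueError("need 0 <= allocated <= ceiling <= 2**32 - 1")
    return (ceiling << 32) | allocated


def remaining_rids(value):
    """RIDs the domain can still hand out before the ceiling is reached."""
    ceiling, allocated = decode_pool(value)
    return max(ceiling - allocated, 0)


def bumps_until_exhaustion(value, bump=SEIZURE_BUMP):
    """How many fixed-size increases fit before the domain runs out of RIDs."""
    if bump <= 0:
        raise ValueError("bump must be positive")
    return remaining_rids(value) // bump


def raise_pool(value, margin, highest_issued_rid=0):
    """Return a new attribute value with the low part advanced by margin.

    highest_issued_rid is an input assumed for this example: the largest RID
    the administrator has observed on any surviving DC. The new low part is
    placed above it, so a stale copy of the attribute on the new RID master
    cannot lead to RIDs being issued twice (duplicate SIDs).
    """
    if margin < 0:
        raise ValueError("lowering the pool would re-issue RIDs already in use")
    ceiling, allocated = decode_pool(value)
    new_allocated = max(allocated, highest_issued_rid + 1) + margin
    if new_allocated > ceiling:
        raise OverflowError("raise would exhaust the domain's RID space")
    return encode_pool(ceiling, new_allocated)


if __name__ == "__main__":
    ceiling, allocated = decode_pool(SAMPLE_POOL)
    print("raw value        :", SAMPLE_POOL)
    print("ceiling          :", ceiling)
    print("allocated        :", allocated)
    print("1M bumps that fit:", bumps_until_exhaustion(SAMPLE_POOL))
    print("after +100,000   :", raise_pool(SAMPLE_POOL, 100_000))
```

With the 143 million figure recalled in the thread used as the ceiling instead, the same count drops to 142 increases, which is the concern the 1,073,741,823 ceiling removes.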
RE: [ActiveDir] Error in PDC Operations Master
Yes, but a fleeting one in most cases. You'll need to seize the roles assigned to the errant DC. In terms of who owns the roles, you are only interested in the perspective of the other DCs. The PDC FSMO serves many purposes and is indeed an important DC but even it can tolerate downtime.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 4:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because I believe my errant DC to be my PDC, will that be a problem demoting it and then re-introducing it to the domain?

Here is a screen shot of my Operations Masters... http://www.mjbdesignz.com/temp/OM.htm

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 12:39 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

That's what I expected.

Choice 1 - Mod. the registry and permit the errant DC to re-enter the replication topology (not recommended)
Choice 2 - Forcibly demote the errant DC, cleanup its metadata and reintroduce it through DCpromo

Caveats -
Choice 1: lingering objects may exist
Choice 2: you'll lose any changes locally introduced to the errant DC that occurred after its last successful replication attempt

?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

1. Number of DCs/Domain/Sites
3 Sites
-> Site A has DC1 & DC2
-> Site B DC3
-> Site C DC4

2. OS version of DCs
-> All DCs are running Windows 2003 Server Standard

3. Are the remaining DCs replicating successfully?
-> According to DC diag they all passed replications
-> They do all show in the DC diag the following:
DC=domain,DC=ewu,DC=edu
Last replication recieved from DC2 at 2005-03-23 02:00:40.
WARNING: This latency is over the Tombstone Lifetime of 60 days!

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 11:16 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It seems the FSMO errors you're receiving are merely symptoms of another more significant problem; my guess is that your DCs have been ignoring one another for quite some time, i.e. - not replicating.

Before proceeding, can you give me some more info. -
1. Number of DCs/Domain/Sites
2. OS version of DCs
3. Are the remaining DCs replicating successfully?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

Well, I have quite a few weird things going on.

Roles: (both DCs in same site)
DC2 = PDC role, RID pool manager
DC1 = Infrastructure owner, schema owner, domain role owner

When I look at the Operations Masters...
-> from DC1 It shows ERROR for RID & PDC, & shows DC1 in Infrastructure
-> from DC2 it shows ERROR for PDC, & shows DC2 for RID & DC1 for Infrastructure

So neither DC1 or DC2 know who the PDC is. (It should be DC2)

When I use the "netdom query fsmo":
-> from DC1 it shows the roles as it should like above
-> from DC2 it shows the PDC role as DC1 rather than itself

1. When I try to manually replicate from DC2 to DC1 I get an error about "Target Principal Name Incorrect"
After completing Article ID 288167 about resetting password (netdom resetpwd) and trying to replicate, I get a tombstone error between the 2 domains saying it has exceeded tombstone lifetime and cannot continue.

2. When I try to manually replicate from DC1 to DC2 I get the same error about "Target Principal Name Incorrect" but this is where I've stopped because DC2 is supposed to be the PDC and the KB article makes it sound like the PW should only be reset on the non PDC machines.

All in all, my PDC seems to have amnesia and doesn't seem to remember that it's the PDC

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eas
RE: [ActiveDir] Error in PDC Operations Master
When you are complete with the /forceremoval of this errant DC and have performed the metadata cleanup on one of the other DC's, you should be able to seize the PDC Emulator role using the GUI or NTDSUtil. After that's all done, just ensure that the changes have replicated around...then you can put the PDC on another server if you like (via a transfer of the role).

I hope that helps! Have a great night / weekend!

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 4:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because I believe my errant DC to be my PDC, will that be a problem demoting it and then re-introducing it to the domain?

Here is a screen shot of my Operations Masters...
http://www.mjbdesignz.com/temp/OM.htm

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 12:39 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

That's what I expected.

Choice 1 - Mod. the registry and permit the errant DC to re-enter the replication topology (not recommended)
Choice 2 - Forcibly demote the errant DC, cleanup its metadata and reintroduce it through DCpromo

Caveats -
Choice 1: lingering objects may exist
Choice 2: you'll lose any changes locally introduced to the errant DC that occurred after its last successful replication attempt

?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

1. Number of DCs/Domain/Sites
   3 Sites
   -> Site A has DC1 & DC2
   -> Site B DC3
   -> Site C DC4
2. OS version of DCs
   -> All DCs are running Windows 2003 Server Standard
3. Are the remaining DCs replicating successfully?
   -> According to DC diag they all passed replications
   -> They do all show in the DC diag the following:
      DC=domain,DC=ewu,DC=edu
      Last replication recieved from DC2 at 2005-03-23 02:00:40.
      WARNING: This latency is over the Tombstone Lifetime of 60 days!

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 11:16 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It seems the FSMO errors you're receiving are merely symptoms of another more significant problem; my guess is that your DCs have been ignoring one another for quite some time, i.e. - not replicating.

Before proceeding, can you give me some more info. -

1. Number of DCs/Domain/Sites
2. OS version of DCs
3. Are the remaining DCs replicating successfully?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

Well, I have quite a few weird things going on.

Roles: (both DCs in same site)
DC2 = PDC role, RID pool manager
DC1 = Infrastructure owner, schema owner, domain role owner

When I look at the Operations Masters...
-> from DC1 It shows ERROR for RID & PDC, & shows DC1 in Infrastructure
-> from DC2 it shows ERROR for PDC, & shows DC2 for RID & DC1 for Infrastructure

So neither DC1 or DC2 know who the PDC is. (It should be DC2)

When I use the "netdom query fsmo":
-> from DC1 it shows the roles as it should like above
-> from DC2 it shows the PDC role as DC1 rather than itself

1. When I try to manually replicate from DC2 to DC1 I get an error about "Target Principal Name Incorrect". After completing Article ID 288167 about resetting password (netdom resetpwd) and trying to replicate, I get a tombstone error between the 2 domains saying it has exceeded tombstone lifetime and cannot continue.

2. When I try to manually replicate from DC1 to DC2 I get the same error about "Target Principal Name Incorrect" but this is where I've stopped because DC2 is supposed to be the PDC and the KB article makes it sound like the PW should only be reset on the non PDC machines.

Al
RE: [ActiveDir] Error in PDC Operations Master
Because I believe my errant DC to be my PDC, will that be a problem demoting it and then re-introducing it to the domain?

Here is a screen shot of my Operations Masters...
http://www.mjbdesignz.com/temp/OM.htm

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 12:39 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

That's what I expected.

Choice 1 - Mod. the registry and permit the errant DC to re-enter the replication topology (not recommended)
Choice 2 - Forcibly demote the errant DC, cleanup its metadata and reintroduce it through DCpromo

Caveats -
Choice 1: lingering objects may exist
Choice 2: you'll lose any changes locally introduced to the errant DC that occurred after its last successful replication attempt

?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

1. Number of DCs/Domain/Sites
   3 Sites
   -> Site A has DC1 & DC2
   -> Site B DC3
   -> Site C DC4
2. OS version of DCs
   -> All DCs are running Windows 2003 Server Standard
3. Are the remaining DCs replicating successfully?
   -> According to DC diag they all passed replications
   -> They do all show in the DC diag the following:
      DC=domain,DC=ewu,DC=edu
      Last replication recieved from DC2 at 2005-03-23 02:00:40.
      WARNING: This latency is over the Tombstone Lifetime of 60 days!

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 11:16 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It seems the FSMO errors you're receiving are merely symptoms of another more significant problem; my guess is that your DCs have been ignoring one another for quite some time, i.e. - not replicating.

Before proceeding, can you give me some more info. -

1. Number of DCs/Domain/Sites
2. OS version of DCs
3. Are the remaining DCs replicating successfully?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

Well, I have quite a few weird things going on.

Roles: (both DCs in same site)
DC2 = PDC role, RID pool manager
DC1 = Infrastructure owner, schema owner, domain role owner

When I look at the Operations Masters...
-> from DC1 It shows ERROR for RID & PDC, & shows DC1 in Infrastructure
-> from DC2 it shows ERROR for PDC, & shows DC2 for RID & DC1 for Infrastructure

So neither DC1 or DC2 know who the PDC is. (It should be DC2)

When I use the "netdom query fsmo":
-> from DC1 it shows the roles as it should like above
-> from DC2 it shows the PDC role as DC1 rather than itself

1. When I try to manually replicate from DC2 to DC1 I get an error about "Target Principal Name Incorrect". After completing Article ID 288167 about resetting password (netdom resetpwd) and trying to replicate, I get a tombstone error between the 2 domains saying it has exceeded tombstone lifetime and cannot continue.

2. When I try to manually replicate from DC1 to DC2 I get the same error about "Target Principal Name Incorrect" but this is where I've stopped because DC2 is supposed to be the PDC and the KB article makes it sound like the PW should only be reset on the non PDC machines.

All in all, my PDC seems to have amnesia and doesn't seem to remember that it's the PDC.

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 8:53 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

What does the machine in question report within its event log?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 11:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Oper
RE: [ActiveDir] Error in PDC Operations Master
That's what I expected.

Choice 1 - Mod. the registry and permit the errant DC to re-enter the replication topology (not recommended)
Choice 2 - Forcibly demote the errant DC, cleanup its metadata and reintroduce it through DCpromo

Caveats -
Choice 1: lingering objects may exist
Choice 2: you'll lose any changes locally introduced to the errant DC that occurred after its last successful replication attempt

?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

1. Number of DCs/Domain/Sites
   3 Sites
   -> Site A has DC1 & DC2
   -> Site B DC3
   -> Site C DC4
2. OS version of DCs
   -> All DCs are running Windows 2003 Server Standard
3. Are the remaining DCs replicating successfully?
   -> According to DC diag they all passed replications
   -> They do all show in the DC diag the following:
      DC=domain,DC=ewu,DC=edu
      Last replication recieved from DC2 at 2005-03-23 02:00:40.
      WARNING: This latency is over the Tombstone Lifetime of 60 days!

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 11:16 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It seems the FSMO errors you're receiving are merely symptoms of another more significant problem; my guess is that your DCs have been ignoring one another for quite some time, i.e. - not replicating.

Before proceeding, can you give me some more info. -

1. Number of DCs/Domain/Sites
2. OS version of DCs
3. Are the remaining DCs replicating successfully?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

Well, I have quite a few weird things going on.

Roles: (both DCs in same site)
DC2 = PDC role, RID pool manager
DC1 = Infrastructure owner, schema owner, domain role owner

When I look at the Operations Masters...
-> from DC1 It shows ERROR for RID & PDC, & shows DC1 in Infrastructure
-> from DC2 it shows ERROR for PDC, & shows DC2 for RID & DC1 for Infrastructure

So neither DC1 or DC2 know who the PDC is. (It should be DC2)

When I use the "netdom query fsmo":
-> from DC1 it shows the roles as it should like above
-> from DC2 it shows the PDC role as DC1 rather than itself

1. When I try to manually replicate from DC2 to DC1 I get an error about "Target Principal Name Incorrect". After completing Article ID 288167 about resetting password (netdom resetpwd) and trying to replicate, I get a tombstone error between the 2 domains saying it has exceeded tombstone lifetime and cannot continue.

2. When I try to manually replicate from DC1 to DC2 I get the same error about "Target Principal Name Incorrect" but this is where I've stopped because DC2 is supposed to be the PDC and the KB article makes it sound like the PW should only be reset on the non PDC machines.

All in all, my PDC seems to have amnesia and doesn't seem to remember that it's the PDC.

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 8:53 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

What does the machine in question report within its event log?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 11:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

My Dcdiag output shows the following error:

#
Starting test: KnowsOfRoleHolders
Warning: STF2 is the PDC Owner, but is not responding to DS RPC Bind.
[STF2] LDAP bind failed with error 8341, A directory service error has occurred..
Warning: STF2 is the PDC Owner, but is not responding to LDAP Bind.
Warning: STF2 is the Rid Owner, but is not responding to DS RPC Bind.
Warning: STF2 is the Rid Owner, but is not responding to LDAP Bind.
...
RE: [ActiveDir] Error in PDC Operations Master
1. Number of DCs/Domain/Sites
   3 Sites
   -> Site A has DC1 & DC2
   -> Site B DC3
   -> Site C DC4
2. OS version of DCs
   -> All DCs are running Windows 2003 Server Standard
3. Are the remaining DCs replicating successfully?
   -> According to DC diag they all passed replications
   -> They do all show in the DC diag the following:
      DC=domain,DC=ewu,DC=edu
      Last replication recieved from DC2 at 2005-03-23 02:00:40.
      WARNING: This latency is over the Tombstone Lifetime of 60 days!

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 11:16 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It seems the FSMO errors you're receiving are merely symptoms of another more significant problem; my guess is that your DCs have been ignoring one another for quite some time, i.e. - not replicating.

Before proceeding, can you give me some more info. -

1. Number of DCs/Domain/Sites
2. OS version of DCs
3. Are the remaining DCs replicating successfully?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

Well, I have quite a few weird things going on.

Roles: (both DCs in same site)
DC2 = PDC role, RID pool manager
DC1 = Infrastructure owner, schema owner, domain role owner

When I look at the Operations Masters...
-> from DC1 It shows ERROR for RID & PDC, & shows DC1 in Infrastructure
-> from DC2 it shows ERROR for PDC, & shows DC2 for RID & DC1 for Infrastructure

So neither DC1 or DC2 know who the PDC is. (It should be DC2)

When I use the "netdom query fsmo":
-> from DC1 it shows the roles as it should like above
-> from DC2 it shows the PDC role as DC1 rather than itself

1. When I try to manually replicate from DC2 to DC1 I get an error about "Target Principal Name Incorrect". After completing Article ID 288167 about resetting password (netdom resetpwd) and trying to replicate, I get a tombstone error between the 2 domains saying it has exceeded tombstone lifetime and cannot continue.

2. When I try to manually replicate from DC1 to DC2 I get the same error about "Target Principal Name Incorrect" but this is where I've stopped because DC2 is supposed to be the PDC and the KB article makes it sound like the PW should only be reset on the non PDC machines.

All in all, my PDC seems to have amnesia and doesn't seem to remember that it's the PDC.

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 8:53 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

What does the machine in question report within its event log?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 11:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

My Dcdiag output shows the following error:

#
Starting test: KnowsOfRoleHolders
Warning: STF2 is the PDC Owner, but is not responding to DS RPC Bind.
[STF2] LDAP bind failed with error 8341, A directory service error has occurred..
Warning: STF2 is the PDC Owner, but is not responding to LDAP Bind.
Warning: STF2 is the Rid Owner, but is not responding to DS RPC Bind.
Warning: STF2 is the Rid Owner, but is not responding to LDAP Bind.
. STF1 failed test KnowsOfRoleHolders
Starting test: RidManager
. STF1 failed test RidManager
Starting test: frsevent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
. STF1 failed test frsevent
Starting test: FsmoCheck
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
. domain failed test FsmoCheck
###
RE: [ActiveDir] Error in PDC Operations Master
It seems the FSMO errors you're receiving are merely symptoms of another more significant problem; my guess is that your DCs have been ignoring one another for quite some time, i.e. - not replicating.

Before proceeding, can you give me some more info. -

1. Number of DCs/Domain/Sites
2. OS version of DCs
3. Are the remaining DCs replicating successfully?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

Well, I have quite a few weird things going on.

Roles: (both DCs in same site)
DC2 = PDC role, RID pool manager
DC1 = Infrastructure owner, schema owner, domain role owner

When I look at the Operations Masters...
-> from DC1 It shows ERROR for RID & PDC, & shows DC1 in Infrastructure
-> from DC2 it shows ERROR for PDC, & shows DC2 for RID & DC1 for Infrastructure

So neither DC1 or DC2 know who the PDC is. (It should be DC2)

When I use the "netdom query fsmo":
-> from DC1 it shows the roles as it should like above
-> from DC2 it shows the PDC role as DC1 rather than itself

1. When I try to manually replicate from DC2 to DC1 I get an error about "Target Principal Name Incorrect". After completing Article ID 288167 about resetting password (netdom resetpwd) and trying to replicate, I get a tombstone error between the 2 domains saying it has exceeded tombstone lifetime and cannot continue.

2. When I try to manually replicate from DC1 to DC2 I get the same error about "Target Principal Name Incorrect" but this is where I've stopped because DC2 is supposed to be the PDC and the KB article makes it sound like the PW should only be reset on the non PDC machines.

All in all, my PDC seems to have amnesia and doesn't seem to remember that it's the PDC.

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 8:53 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

What does the machine in question report within its event log?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 11:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

My Dcdiag output shows the following error:

#
Starting test: KnowsOfRoleHolders
Warning: STF2 is the PDC Owner, but is not responding to DS RPC Bind.
[STF2] LDAP bind failed with error 8341, A directory service error has occurred..
Warning: STF2 is the PDC Owner, but is not responding to LDAP Bind.
Warning: STF2 is the Rid Owner, but is not responding to DS RPC Bind.
Warning: STF2 is the Rid Owner, but is not responding to LDAP Bind.
. STF1 failed test KnowsOfRoleHolders
Starting test: RidManager
. STF1 failed test RidManager
Starting test: frsevent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
. STF1 failed test frsevent
Starting test: FsmoCheck
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
. domain failed test FsmoCheck
#

Thanks,
--
Matt Brown
[EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL
| Cheney, WA 99004
+--+

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Error in PDC Operations Master

Hi,

My PDC just started acting up and is showing an error in the PDC box under Operations Master. The only recent change that I can think of to the server was I uninstalled & re-installed the Certificate Authority 3 or 4 times, which was installed on the PDC.

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

List info : http://www.activedir.org/List.aspx
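The three symptoms this part of the thread turns on (DCs that disagree about a FSMO role owner, a replication partner silent for longer than the tombstone lifetime, and role holders that do not answer binds) can be pulled out of the tool output mechanically. The following is an added example, not code from the thread or from any poster: the host names in the two FSMO views and the evaluation date are constructed assumptions, and the dcdiag lines are a constructed sample modeled on the output quoted in the messages.

```python
import re
from datetime import datetime, timedelta

# Role labels as the thread lists them for "netdom query fsmo".
ROLE_LABELS = ("Schema owner", "Domain role owner", "PDC role",
               "RID pool manager", "Infrastructure owner")

# The dcdiag line quoted in the thread spells "recieved"; accept both spellings.
LAST_REPL = re.compile(r"Last replication rec(?:ie|ei)ved from (\S+) at "
                       r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
UNRESPONSIVE = re.compile(
    r"Warning: (\S+) is the (.+?) Owner, but is not responding to (.+?) Bind")

# Constructed sample input: placeholder host names, roles laid out as described
# in the thread (DC1 sees DC2 as PDC, DC2 names DC1 instead of itself).
VIEW_FROM_DC1 = """\
Schema owner                dc1.domain.example
Domain role owner           dc1.domain.example
PDC role                    dc2.domain.example
RID pool manager            dc2.domain.example
Infrastructure owner        dc1.domain.example
"""
VIEW_FROM_DC2 = VIEW_FROM_DC1.replace(
    "PDC role                    dc2", "PDC role                    dc1")

# Constructed sample modeled on the dcdiag lines quoted in the thread.
DCDIAG_SAMPLE = """\
DC=domain,DC=ewu,DC=edu
Last replication recieved from DC2 at 2005-03-23 02:00:40.
WARNING: This latency is over the Tombstone Lifetime of 60 days!
Warning: STF2 is the PDC Owner, but is not responding to DS RPC Bind.
Warning: STF2 is the PDC Owner, but is not responding to LDAP Bind.
Warning: STF2 is the Rid Owner, but is not responding to DS RPC Bind.
Warning: STF2 is the Rid Owner, but is not responding to LDAP Bind.
"""
AS_OF = datetime(2005, 5, 27, 15, 8)  # assumed evaluation time


def parse_fsmo(text):
    """Map role label -> owner (lower-cased) from one DC's role listing."""
    roles = {}
    for line in text.splitlines():
        stripped = line.strip()
        for label in ROLE_LABELS:
            if stripped.lower().startswith(label.lower()):
                roles[label] = stripped[len(label):].strip().lower()
    return roles


def role_disagreements(views):
    """views: {queried_dc: listing}. Return {role: {queried_dc: owner}} for
    each role on which the queried DCs do not all name the same owner."""
    parsed = {dc: parse_fsmo(text) for dc, text in views.items()}
    conflicts = {}
    for label in ROLE_LABELS:
        owners = {dc: roles.get(label) for dc, roles in parsed.items()}
        if len(set(owners.values())) > 1:
            conflicts[label] = owners
    return conflicts


def stale_partners(dcdiag_text, now, tombstone_days=60):
    """Return [(source_dc, whole_days_since_last_replication)] for partners
    whose last replication is older than the tombstone lifetime."""
    stale = []
    for source, stamp in LAST_REPL.findall(dcdiag_text):
        age = now - datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if age > timedelta(days=tombstone_days):
            stale.append((source, age.days))
    return stale


def unresponsive_role_holders(dcdiag_text):
    """Return {server: {role: set of bind types that got no answer}}."""
    found = {}
    for server, role, bind in UNRESPONSIVE.findall(dcdiag_text):
        found.setdefault(server, {}).setdefault(role, set()).add(bind)
    return found


if __name__ == "__main__":
    print(role_disagreements({"DC1": VIEW_FROM_DC1, "DC2": VIEW_FROM_DC2}))
    print(stale_partners(DCDIAG_SAMPLE, AS_OF))
    print(unresponsive_role_holders(DCDIAG_SAMPLE))
```

A partner reported by `stale_partners` is the condition behind the two choices listed in the thread; the 60-day default is the lifetime quoted in the dcdiag warning and should be set to the forest's configured value.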
RE: [ActiveDir] Error in PDC Operations Master
Well, I have quite a few weird things going on.

Roles: (both DCs in same site)
DC2 = PDC role, RID pool manager
DC1 = Infrastructure owner, schema owner, domain role owner

When I look at the Operations Masters...
-> from DC1 It shows ERROR for RID & PDC, & shows DC1 in Infrastructure
-> from DC2 it shows ERROR for PDC, & shows DC2 for RID & DC1 for Infrastructure

So neither DC1 or DC2 know who the PDC is. (It should be DC2)

When I use the "netdom query fsmo":
-> from DC1 it shows the roles as it should like above
-> from DC2 it shows the PDC role as DC1 rather than itself

1. When I try to manually replicate from DC2 to DC1 I get an error about "Target Principal Name Incorrect". After completing Article ID 288167 about resetting password (netdom resetpwd) and trying to replicate, I get a tombstone error between the 2 domains saying it has exceeded tombstone lifetime and cannot continue.

2. When I try to manually replicate from DC1 to DC2 I get the same error about "Target Principal Name Incorrect" but this is where I've stopped because DC2 is supposed to be the PDC and the KB article makes it sound like the PW should only be reset on the non PDC machines.

All in all, my PDC seems to have amnesia and doesn't seem to remember that it's the PDC.

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 8:53 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

What does the machine in question report within its event log?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 11:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

My Dcdiag output shows the following error:

#
Starting test: KnowsOfRoleHolders
Warning: STF2 is the PDC Owner, but is not responding to DS RPC Bind.
[STF2] LDAP bind failed with error 8341, A directory service error has occurred..
Warning: STF2 is the PDC Owner, but is not responding to LDAP Bind.
Warning: STF2 is the Rid Owner, but is not responding to DS RPC Bind.
Warning: STF2 is the Rid Owner, but is not responding to LDAP Bind.
. STF1 failed test KnowsOfRoleHolders
Starting test: RidManager
. STF1 failed test RidManager
Starting test: frsevent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
. STF1 failed test frsevent
Starting test: FsmoCheck
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
. domain failed test FsmoCheck
#

Thanks,
--
Matt Brown
[EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL
| Cheney, WA 99004
+--+

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Error in PDC Operations Master

Hi,

My PDC just started acting up and is showing an error in the PDC box under Operations Master. The only recent change that I can think of to the server was I uninstalled & re-installed the Certificate Authority 3 or 4 times, which was installed on the PDC.

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Error in PDC Operations Master
What does the machine in question report within its event log?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 11:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

My Dcdiag output shows the following error:

#
Starting test: KnowsOfRoleHolders
Warning: STF2 is the PDC Owner, but is not responding to DS RPC Bind.
[STF2] LDAP bind failed with error 8341, A directory service error has occurred..
Warning: STF2 is the PDC Owner, but is not responding to LDAP Bind.
Warning: STF2 is the Rid Owner, but is not responding to DS RPC Bind.
Warning: STF2 is the Rid Owner, but is not responding to LDAP Bind.
. STF1 failed test KnowsOfRoleHolders
Starting test: RidManager
. STF1 failed test RidManager
Starting test: frsevent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
. STF1 failed test frsevent
Starting test: FsmoCheck
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
. domain failed test FsmoCheck
#

Thanks,
--
Matt Brown
[EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL
| Cheney, WA 99004
+--+

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Error in PDC Operations Master

Hi,

My PDC just started acting up and is showing an error in the PDC box under Operations Master. The only recent change that I can think of to the server was I uninstalled & re-installed the Certificate Authority 3 or 4 times, which was installed on the PDC.

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Error in PDC Operations Master
My Dcdiag output shows the following error:

#
Starting test: KnowsOfRoleHolders
Warning: STF2 is the PDC Owner, but is not responding to DS RPC Bind.
[STF2] LDAP bind failed with error 8341, A directory service error has occurred..
Warning: STF2 is the PDC Owner, but is not responding to LDAP Bind.
Warning: STF2 is the Rid Owner, but is not responding to DS RPC Bind.
Warning: STF2 is the Rid Owner, but is not responding to LDAP Bind.
. STF1 failed test KnowsOfRoleHolders
Starting test: RidManager
. STF1 failed test RidManager
Starting test: frsevent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
. STF1 failed test frsevent
Starting test: FsmoCheck
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
. domain failed test FsmoCheck
#

Thanks,
--
Matt Brown
[EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL
| Cheney, WA 99004
+--+

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Error in PDC Operations Master

Hi,

My PDC just started acting up and is showing an error in the PDC box under Operations Master. The only recent change that I can think of to the server was I uninstalled & re-installed the Certificate Authority 3 or 4 times, which was installed on the PDC.

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/