Yep, we ran into this stuff big time ... in our test environment :-) testing forest recovery.
- For W2K/XP, the default computer account password change period is every 30 days.
- If a Windows NT 4.0 based domain trusts a Windows 2000 based domain, the trust password is changed every seven days by default. Note that when you reset the trust password manually, it automagically resets again within a day (plus a random interval).
- In the old NT4 days BDC LSA secrets were reset every 7 days.
Cheers!
John
-----Original Message-----
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]]
Sent: vrijdag 21 november 2003 21:46
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Part of domain offline
Hey Jason - are you saying ALL DCs of one of your domains are down? I.e. there is NO DC that would refresh the trust of the domains to your other domains?
I'd have to look it up, but I think you're going to run into a trust-issue before the default tombstone lifetime. The secure-channel between your domain and the forest-root could be broken (I believe they have to refresh every 7 days - not like the 2000 workstations, which refresh every 30 days now). Nothing unfixable, but you may have to run NLTEST /SC_RESET or something similar.
/SC_RESET is usually used to reset the secure channel between domain members and a DC - so you may need something else...
Anybody ever run into this?
/Guido
-----Original Message-----
From: John Reijnders [mailto:[EMAIL PROTECTED]]
Sent: Donnerstag, 20. November 2003 08:02
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Part of domain offline
Joe is correct ... Another important thing to notice is the fact that with W2000 SP3 a new feature can be enabled, namely "Strict replication". Having this feature enabled lessens the risks caused by DCs that have not replicated for some time. The risk is lessened because of the fact that the spread of lingering objects is prevented.
Cheers!
John
-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED]]
Sent: donderdag 20 november 2003 3:21
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Part of domain offline
It depends on your tombstone lifetime. If you have a default forest the time is 60 days so you want to be offline less than that.
joe
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Jason Benway
Sent: Wednesday, November 19, 2003 1:46 PM
To: '[EMAIL PROTECTED]'
We have multiple domains (xwy.com and abc.com,etc.com) in our win2k AD forest. One of the domains has been disconnected from the rest of the forest for a week now. How long before the rest of the forest writes the missing domain off? I thought if a domain or DC was offline for too long you had to rebuild it because it couldn't re-sync with the rest of the forest.
jb
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
