> Also, I believe in 2003, they've raised the TSL to 120 days > as a default.
Sorry, but no, we did not. ~Eric -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, March 25, 2005 8:36 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Database size questions. Also, I believe in 2003, they've raised the TSL to 120 days as a default. marcus c. oh .\core technologies\cox communications, inc. .\mvp\windows server systems\management [v] 404.847.6117 [c] 404.391.7097 -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, March 23, 2005 5:05 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Database size questions. Assuming your DCs are all replicating fine within the TSL you are proprosing you should be fine. The idea behind the TSL is that the tombstoned objects get replicated to every DC in your forest so AD knows that an object has been deleted. If you, for instance, set the value to low, a tombstone will not make it across the forest and an object that is supposed to be dead has a possibility of being reanimated. I would keep the TLS low for only as long as needed. As for the cleanup, unfortunately yes, you will either need to offline defrag or demote and repromote to reclaim the disk space. joe -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield Sent: Wednesday, March 23, 2005 8:13 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] AD Database size questions. Hi Joe/Eric, I was able to use that script to convert to csv format. Another thing I did ahead of time was use CSVDE and export the entire OU in question. I exported the cn, whenCreated, whenChanged attributes and discovered more clues. This is NOT an AD problem as expected but the script is the real problem. On a few of occasions it deleted like 6000 or 8000 records at a time. I regress and take blame for the problem! :) While looking into this issue I've learned quite a bit. One thing I'm not sure about is helping clean up AD. Would it hurt to lower the Tombstone life from 60 day to 30 or even 15 days to clean up this up? Assuming I clean up the tombstoned records. Eric mentioned I would have to take the DC off-line to compact the database to reclaim space, does this have to be performed on each DC separately? The reason I ask is one of the DC's disk space is kind of a premium and to leave the ntds.dit file at almost 2 gig hurts when doing backups. I appreciate your help on this as I've learned quite a bit. Thank you, Steve Schofield Microsoft MVP - ASP/ASP.NET ASPInsider Member - MCP http://www.orcsweb.com/ Powerful Web Hosting Solutions #1 in Service and Support ----- Original Message ----- From: "joe" <[EMAIL PROTECTED]> To: <ActiveDir@mail.activedir.org> Sent: Monday, March 21, 2005 1:49 PM Subject: RE: [ActiveDir] AD Database size questions. > ~Eric: > I don't believe ldifde knows how to look at deleted items. Also, this won't > give the csv format he is looking for. > > Steve: > If you download the latest copy of adfind, you will find a perl script in > the zip file with it. This perl script will take an adfind dump and convert > it to csv format for you. Script should be called adcsv.pl > > > joe > > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman > Sent: Monday, March 21, 2005 1:43 PM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] AD Database size questions. > > I think this'll do it (no directory in front of me to test against) ldifde > -x -d "CN=Deleted objects,dc=domain,dc=com" -f output.ldf -l dn,objectclass > -s serverName > > csvde probably has similar syntax, but I don't have it nearby. > Csvde would perhaps be more handy for this because then you could > Excel/Access the data and see what it looks like. > > ~Eric > > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield > Sent: Monday, March 21, 2005 10:09 AM > To: ActiveDir@mail.activedir.org > Subject: Re: [ActiveDir] AD Database size questions. > > Is there a way to use csvde to export just this information from AD? > I've > used this utility to export a lot of information is very handy when > troubleshooting things like this. Otherwise I'll parse the output file I > got from AdFind. > > Steve > > > ----- Original Message ----- > From: "Eric Fleischman" <[EMAIL PROTECTED]> > To: <ActiveDir@mail.activedir.org>; <ActiveDir@mail.activedir.org> > Sent: Monday, March 21, 2005 10:32 AM > Subject: RE: [ActiveDir] AD Database size questions. > > > No it would not, auth restoring just a bunch of regular 'ol objects > would > not cause lots of tombstones. > You have some sort of object creation/deletion situation going on. Can > we > see the list of tombstones? I'm probably just interested in attributes > dn > and objectclass and when they were deleted. > > More interesting is are more being created. So if you run this same test > in > a few days, how many tombstones are there then? If you have not many > more, > you had some strange condition that passed, that should probably be > understood, but at least you dont' have more growth. If there is a > considerable increase in #, then whatever it is is still happening. > > ~Eric > > > ________________________________ > > From: [EMAIL PROTECTED] on behalf of Steve Schofield > Sent: Mon 3/21/2005 8:15 AM > To: ActiveDir@mail.activedir.org > Subject: Re: [ActiveDir] AD Database size questions. > > > > I ran the tool over the weekend and piped out to a file. Adfind > reported > there were 413091 objects returned. That seems high considering the > number > of objects in my AD database. We did perform a few tests where we > deleted > 10,000k or so objects at a time but enought to cause over 400k objects > to be > deleted. > > Would doing an authoritative database restore cause the number of > deleted > objects to go high? This was performed about 3 weeks ago. When > reviewing > the last 1000 lines of the results the data looked like I would have > expected, just a few deletes here and there. > > Steve Schofield > > > > > > ----- Original Message ----- > From: "joe" <[EMAIL PROTECTED]> > To: <ActiveDir@mail.activedir.org> > Sent: Friday, March 18, 2005 2:38 PM > Subject: RE: [ActiveDir] AD Database size questions. > > > > I would initially say take a peek at your deleted objects and see if > you > > have a ton of stuff in there. You can use ldp or adfind to do this. > Adfind > > is probably friendlier, you simply specify the -showdel option and > look > for > > objects with isdeleted=TRUE or look in the deleted objects container. > > > > Note that by default, you need to have admin rights to see into the > deleted > > objects container in Active Directory. > > > > Something like > > > > Adfind -b "cn=deleted objects,dc=domain,dc=com" -showdel > > > > Will dump all objects (and their attributes) of all tombstoned objects > in > > the domain.com nc. > > > > joe > > > > > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Steve > Schofield > > Sent: Friday, March 18, 2005 2:08 PM > > To: ActiveDir@mail.activedir.org > > Subject: Re: [ActiveDir] AD Database size questions. > > > > All the script does is either Adds users (a few at a time), updates > one > > attribute or deletes the user. As far as a lot of transaction are > > concerned, the system was designed to hit a sql database first and > determine > > what changes need to happen then go to AD and update information. > There > > aren't a lot of transactions per say against AD. Thanks for the > heads > up. > > > > Steve > > > > > > ----- Original Message ----- > > From: "Bernard, Aric" <[EMAIL PROTECTED]> > > To: <ActiveDir@mail.activedir.org> > > Sent: Friday, March 18, 2005 1:19 PM > > Subject: RE: [ActiveDir] AD Database size questions. > > > > > > Not knowing what your script does for sure, keep in mind that as > objects > > are deleted they are first 'tombstoned' before being purged. Therefore > > the space initially used by the object prior to being deleted is not > > completely available for reuse a portion of it will continue to be > > consumed by the tombstone object until the tombstone lifetime has > > expired an the object has purged. > > > > I had a customer that was testing scripts against their production AD > > and saw growth of the DIT to the tune of several GB over the course of > a > > week. Their script created 200,000 user/contact objects in an OU and > > then processed them in several different ways. After the completion > of > > the script, the results would be analyzed and then the objects would > be > > deleted for another try... > > > > Regards, > > > > Aric > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Steve > Schofield > > Sent: Friday, March 18, 2005 10:02 AM > > To: ActiveDir@mail.activedir.org > > Subject: [ActiveDir] AD Database size questions. > > > > Hi, > > > > I'm not sure if this is a problem but something seems not exactly > right > > with > > the size of my AD database. AD has about 10,000 user id's and a few > > servers. The size of the AD database over the last few days has grown > > from > > 900 meg to 1.4 gig. We haven't added any a lot more objects to cause > > this > > type of growth. > > > > We do have a script that runs every 5 minutes that adds, updates, > > removes > > users that are used by a program that does LDAP look-ups. This is > about > > the > > only thing because it runs so often I can contribute to it but not > sure. > > There are no errors in the event log but the growth of 500 meg in a > few > > days > > concerns me. I looked around and didn't find much pertaining to this > > subject. Any thoughts, suggestions on determining whitespace in the > AD > > database? > > > > Steve Schofield > > [EMAIL PROTECTED] > > > > > > List info : http://www.activedir.org/List.aspx > > List FAQ : http://www.activedir.org/ListFAQ.aspx > > List archive: > > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > List info : http://www.activedir.org/List.aspx > > List FAQ : http://www.activedir.org/ListFAQ.aspx > > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > > > > List info : http://www.activedir.org/List.aspx > > List FAQ : http://www.activedir.org/ListFAQ.aspx > > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > > List info : http://www.activedir.org/List.aspx > > List FAQ : http://www.activedir.org/ListFAQ.aspx > > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
