This was a post I read at the beginning of the month - anything look familiar - it's by Brett, so I guess he knows!!!!
It's all on the ActiveDir Org Archive - /SNIP/ ----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley Sent: Tuesday, May 03, 2005 7:08 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] best practice? Never, ever, EVER image a Win2k or Win2k3 Domain Controller ... or ADAM server. I don't know about members, just adding knowledge about DCs, as I don't think I've ever mentioned it here before. Cheers, -Brett Shirley [msft] as is, caveat emtpor, status quo, etc -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley Sent: Wednesday, May 04, 2005 6:30 AM To: ActiveDir@mail.activedir.org Cc: Joseph L. Casale Subject: RE: [ActiveDir] Imaging NT5+ DCs == Bad (was: best practice?) "That is soo not right." (Mean Girls movie reference, at Halloween party) You should take a look at this: http://support.microsoft.com/?kbid=885875 I sincerely hope you don't have USN rollback or divergent replicas, but I think it is likely if you are actually imaging dcpromo'd DCs. Just curious, for imaging what are you using? Ghost? Are you just restoring images? Are you using the images to build additional DCs for load? In Win2k3 SP1 and a hot fix post Win2k SP4, will in fact stop DCs from replicating if it detects such a condition (but it is not always guaranteed it will be able to detect the condition), to attempt to contain the damage. Also note, b/c I'm not sure the KB is clear about divergent replicas ... just because things are replicating currently, or there are no apparent current USN rollbacks ... does NOT mean you weren't once in the past afflicted with USN rollback, and now you've gotten past it, and instead are simply aflicted with divergent replicas (worse than USN rollback in ways). You might try to use (_I thinK_) dsastat to run through all the objects on your DCs in a pair-wise fashion to find differences. Cheers, Brett Shirley [msft] Building 7 Garage Door Operator, so what do I know ... This posting is provided "AS IS" with no warranties, and confers no rights. On Tue, 3 May 2005, Joseph L. Casale wrote: Errr, I do it always, always, ALWAYS, and it works? AD has mechanisms built in to get it back up to par... jlc /SNIP/ -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown Sent: 02 June 2005 19:39 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DC's not communicating with each other The logs don't really tell much because they are so full they are only holding 2 day's worth of data. I keep getting repeats of the following Events in my Directory Services Event Log: Event ID: 1865 "The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site..." Event ID: 1925 "The attempt to establish a replication link for the following writable directory partition failed. ..." -- Event ID: 1566 "All domain controllers in the following site that can replicate the directory partition over this transport are currently unavailable...." -- Event ID 1311: "The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition. Directory partition: CN=Configuration,DC=mydc,DC=mydomain,DC=edu There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers. -- All of the Domain controllers are still allowing users to log on, which is why I'm limping through the last week and a half of the Quarter. I believe the problem occurred because I restored my PDC from a ghost image of the day before at the end of march because of a problem the server had with a windows update that I couldn't get rid of. And ever since replication seems to have been working but my guess is it's only been working 1 direction. My PDC receives updates from another DC in the site and that has worked. But replication from my PDC back to that DC has not. Although this last week replication has just given up all together. Thanks, -- Matt Brown [ SELECT * FROM IT WHERE EyeContact=True ] Information Technology System Specialist Eastern Washington University -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto Sent: Wednesday, June 01, 2005 12:03 PM To: 'Matt Brown '; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org ' Subject: RE: [ActiveDir] DC's not communicating with each other Does the PDC FSMO or the other DCs have any events with errors can possibly tell more about this issue? #JORGE# -----Original Message----- From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: 6/1/2005 6:39 PM Subject: [ActiveDir] DC's not communicating with each other I've talked about this a little before, but I dug in a littler further and found more info. I have 4 domain controllers in 1 domain. When I'm on one of the 3 DC's that is not the PDC and I try to connect to the PDC it tells me I'm not authorized. I get this when trying to connect to the PDC's AD users and computers, DNS, or even a file share. I can however connect to any of these services using the IP address. This is strange because all DC's can ping each other and resolve the IP addresses from the names just fine and I don't seem to be having any DNS issues. The 3 DC's (not the PDC) can connect to each other just fine. I'm pretty sure I'm going to need to remove 1 or more of the DC's from the domain and re-introduce them. I'm just trying to figure out if I should remove the PDC or remove the other 3 DCs. Thanks, -- Matt Brown [ SELECT * FROM IT WHERE EyeContact=True ] Information Technology System Specialist Eastern Washington University List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
