Thanks!
I'm not as bad off as I thought. I do most of that. Just need to look further into the filelinks, lost and found and a couple of others.
Bob
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Posted At: Monday, November 28, 2005 4:45 PM
Posted To: ActiveDirectory
Conversation: [ActiveDir] Disabling "Distributed Link Tracking Server" on domain Controllers
Subject: RE: [ActiveDir] Disabling "Distributed Link Tracking Server" on domain Controllers
Heh. I don't think one exists.
Items off the top of my head that need to be cleaned up
o Inactive users (temp users and/or turnover)
o Inactive computers
o Inactive groups
o Group memberships of groups that are still active but contain members that shouldn't have access
o Unused or unresolvable FSPs
o Unused filelinks
o Unused contacts
o Objects in lost and found (all NCs, even config)
o Conflict (CNF) objects
o Unused trusts
o Unused OUs/Containers
o Unused Shares/Printers that were manually created outside of the computer object
o Unused GPOs (including ipsec gunk that isn't being used)
o Crud hanging around from failed DC Demotions (FRS objects, site objects, etc)
o Make sure DNS objects are being scavenged out
o Unused site objects
o Unused subnet objects (this also should include collapsing subnets if possible, say 2 24 bit subnets for same site that could be set up as a 23 bit subnet)
All of these pretty much have possible issues with them in terms of when you might like to delete or if it is even safe to delete. Something that should be simple would be users or computers yet they aren't. Exchange can really confuse whether or not a userid is truly needed in the case of resource mailboxes. Computer accounts could be for a cluster or a PC that is on the other side of a VPN so doesn't update anything in AD, etc.
When I was an ops guy I would regularly just fish around
the directory looking for things to get rid of. I might spend a day looking at
all of the trusts and delete 10, 20 or 100 of them because the NT domains were
migrated in a long while back and someone forgot to tell the Enterprise Admins.
I would run oldcmp to look for old computers and users and try to clean them up.
I can't even guess how much that tool has helped folks with cleaning up. Groups
was tough because you never really knew if they were used, you could make them
into DLs which might help but some apps use them for security but don't use them
as NT Security so being a DL has no bearing on whether they work or not. Group
memberships is even tougher so you have to require the group or resource owner
to "certify" the membership on regular say quarterly periods and make them
responsible for anyone in the group who shouldn't be.
Basically without this occasional pruning AD becomes like
your closet or garage, you just stack things up in there as needed and then
forget about them until you stumble over them looking for something else.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ActiveDirectory
Sent: Monday, November 28, 2005 4:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabling "Distributed Link Tracking Server" on domain Controllers
I will admit to being one of those Admins.
Can you recommend a good book that shows clean up best practices for all those items that require manual cleanup?
Thanks!
Bob
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Posted At: Monday, November 28, 2005 3:10 PM
Posted To: ActiveDirectory
Conversation: [ActiveDir] Disabling "Distributed Link Tracking Server" on domain Controllers
Subject: RE: [ActiveDir] Disabling "Distributed Link Tracking Server" on domain Controllers
They don't age out. You need to delete them. MS cleans up
very little in the directory automatically. Actually I was having an offlist
conversation with one of my MS friends about this topic in regards to the
previous FSP question. When deleting them it isn't too much impact, however,
when they get purged out after the tombstone expires you may find your DCs
chugging away if you have lots. I have seen hundreds of thousands of the
filelinks in a directory before eating up tremendous space.
Personally I would hope the AD admins are doing a good job
cleaning things up but for all practical purposes, most places aren't cleaning
up and have no clue that they should be or that they need to be. The hard part,
when SHOULD the system automatically delete something. It comes down to it being
able to identify without a shadow of a doubt that the object isn't needed (say
computer objects, FSP, etc) or could be perfectly reconstituted if necessary in
the event of a bad delete.
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Monday, November 28, 2005 12:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabling "Distributed Link Tracking Server" on domain Controllers
Thanks for the info, joe and Guido,
Because of our politics where I work, modifying 40000 workstations is not that easy. Changing 20 DCs on the other hand is a walk in the park.
If I do not remove all of the filelinks manually, aren't they going to age out automatically after 60 days?
Thanks
Y
From: Grillenmeier, Guido
Sent: Mon 28/11/2005 11:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabling "Distributed Link Tracking Server" on domain Controllers
nope, no known impact (unless you have specifically
deployed an app that makes use of this service - none of the MS apps do, which
is why the service is disabled by default in Win2003).
however, if you want to make sure, why don't you just
reverse your disabling process: first disable all clients, then disable the
service on the DCs.
Don't forget to clean up the records underneath your
domain's System\FileLinks\ObjectMoveTable and System\FileLinks\VolumeTable
containers as these will surely contain a lot of garbage.
/Guido
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Monday, 28 November 2005 17:40
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Disabling "Distributed Link Tracking Server" on domain Controllers
Has anyone found any issues in disabling the "distributed link tracking server" on windows 2000 server domain controllers?
I would like to take a two step approach in disabling this useless service. First on the DCs and then on all workstations. I was just wondering if there would be an impact on the clients seeing that they cannot communicate with the server.
Thanks
Yves
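
Added example, not part of any message in this thread: Guido's reply points at the System\FileLinks\ObjectMoveTable and System\FileLinks\VolumeTable containers, and joe notes they can hold hundreds of thousands of entries whose later tombstone purge loads the DCs, so it helps to size the backlog before deleting anything. The read-only inventory below assumes the ActiveDirectory PowerShell module (RSAT); the function name Get-FileLinkInventory and the 90-day age threshold are illustrative choices, not values from the thread.

```powershell
# Added example: read-only inventory of Distributed Link Tracking objects.
# Requires the ActiveDirectory module (RSAT). It deletes nothing.
Import-Module ActiveDirectory

function Get-FileLinkInventory {
    param(
        # Distinguished name of the domain; defaults to the current domain.
        [string]$DomainDN = (Get-ADDomain).DistinguishedName,
        # Entries created more than this many days ago are counted as "old".
        # 90 is an assumed value for illustration.
        [int]$OldAfterDays = 90
    )

    $cutoff = (Get-Date).AddDays(-$OldAfterDays)

    # The two containers named in the thread, under CN=System in the domain NC.
    foreach ($table in 'ObjectMoveTable', 'VolumeTable') {
        $base  = "CN=$table,CN=FileLinks,CN=System,$DomainDN"
        $total = 0
        $old   = 0

        # Stream the direct children through the pipeline so a container with
        # a very large number of entries is never held in memory at once.
        Get-ADObject -SearchBase $base -SearchScope OneLevel -Filter * `
                     -Properties whenCreated -ResultPageSize 1000 |
            ForEach-Object {
                $total++
                if ($_.whenCreated -lt $cutoff) { $old++ }
            }

        [pscustomobject]@{
            Container    = $base
            Entries      = $total
            OldEntries   = $old
            OldAfterDays = $OldAfterDays
        }
    }
}

Get-FileLinkInventory | Format-Table -AutoSize
```

The counts give a basis for planning removal in batches, since a large one-time delete turns into a large garbage-collection pass once the tombstones expire.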