BDC.. Yes and no.. Yes it is read only copy of the PDC's database, but
no you do not have an option to choose.
Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL
-----Original Message-----
*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of *Sullivan Tim
*Sent:* Monday, December 05, 2005 7:38 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Ntds.dit file corruption
BDC....
------------------------------------------------------------------------
*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of
*Carpenter Robert A Contr WROCI/Enterprise IT
*Sent:* Monday, December 05, 2005 5:33 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Ntds.dit file corruption
Novell.....
------------------------------------------------------------------------
*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of
*Medeiros, Jose
*Sent:* Monday, December 05, 2005 11:24 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Ntds.dit file corruption
I was not aware that Microsoft had incorporated such a feature in
AD 2003. I know for a fact that Microsoft did not have this
feature when AD 2000 was first released because I mentioned it to
several Microsoft AD & premier support specialists and they each
confirmed it was not available ( However it may have been added in
a service pack ).
I would love to know how to enable a read only DC. I think that is
a great idea, I wonder who thought of it. :-)
Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL
-----Original Message-----
*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of *Phil
Renouf
*Sent:* Monday, December 05, 2005 11:04 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] Ntds.dit file corruption
Will Read Only DC's take care of this? I don't know much about
them yet, but it makes sense that if the copy of the dit that
a DC has is RO that it won't try to replicate that anywhere
and would only be the recipient of replication. Anyone with
more knowledge about how RO DC's will work to comment on that?
Phil
On 12/5/05, *Medeiros, Jose* <[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>> wrote:
Well at least the corruption occurred on just a single DC.
One thing that has bugged me about Active Directory is not
being able to select if you want a DC in a remote office
to not have the ability to replicate back in a large
enterprise environment. Since most remote offices only
have a few people at the location and a DC is usually
placed for improvised logon and authentication time, many
companies will either use a very low end server or a very
old decommissioned one from their production data center (
Which is probably close to useable life ). I am always
concerned that once the NTDS.DIT file becomes corrupt it
will replicate the corruption to the other DC's in the
Forrest.
Maybe I am just being a worry wort and this really is not
an issue.
Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL
-----Original Message-----
From: [EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>
[mailto:[EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>]On Behalf Of
Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, December 05, 2005 8:53 AM
To: ActiveDir@mail.activedir.org
<mailto:ActiveDir@mail.activedir.org>
Subject: Re: [ActiveDir] Ntds.dit file corruption
I did? :-) I think I still said all I know is what the
poster said :-)
I think I need a course in event log reading because even
with the logs,
and the default size of the logs, I still don't see a
smoking gun. The
directory services one is filled with events 'post' blow up.
What is interesting is that it seems to me big server land
goes .. oh
yeah... ntds.dit corruption... and sbsland freaks
out. Either we do
indeed need to ensure we have a secondary DC or we need to
park a second
copy of a system state offsite [say at the vap/var]
Brett Shirley wrote:
> She replied offline, very likely a single bit flip,
tragedy, they aren't
> one release later (Longhorn), where this would've
probably been
> non-disruptively handled, logged, and possibly self-healed:
> http://blogs.technet.com/efleis/archive/2005/01.aspx
>
> Anyway, this kind of thing is usually hardware ...
>
> While there are much better disk sub-system testers, one
that is freely
> available to any box with Exchange is jetstress. You
might give that a
> try. If you can reproduce the event / error with
jetstress I would not
> use that box in production.
>
> If you do reproduce the issue several times (several
times is key, as you
> want a trend before you start playing the variable
game), some things
> you might vary (one at a time):
>
> - Try making sure you have the latest driver and
motherboard / controller
> firmware. Then see if you can reproduce.
>
> - Try a different RAID configuration, such as
RAID1/RAID1+0 if you're on
> RAID5.
>
> - Try swapping out the hard drives, one at a time.
>
> - Adding the jetstress files to the exclude list in the
Anti-Virus
> software. (A low probablility, I've never heard of
Anit-Virus causing this
> paticular type of error, and I can't imagine the mistake
an anti-virus
> product would have to have to cause this side effect)
>
> - If you can reproduce it several times, you could
followup with Dell.
> Good luck.
>
> I'm not sure if I answered your question ...
>
> Cheers,
> BrettSh
>
>
> On Sun, 4 Dec 2005, Eric Fleischman wrote:
>
>
>> Going back to the original post, I'm not sure I fully
understand the
>> problem yet. Susan, can you define "ntds.dit file
corruption" for us?
>> What sort of corruption? What errors/events lead you to
believe this?
>> Specifically, I'm interested in errors from NTDS ISAM
or ESE if you
>> have any.
>>
>>
>>
>> ________________________________
>>
>> From: [EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]> on behalf of
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>> Sent: Sat 12/3/2005 10:58 PM
>> To: ActiveDir@mail.activedir.org
<mailto:ActiveDir@mail.activedir.org>
>> Subject: [ActiveDir] Ntds.dit file corruption
>>
>>
>>
>> SBS box [with Windows 2003 sp1 since September]
>>
>> RE: [ActiveDir] Database Corruption:
>>
http://www.mail-archive.com/activedir@mail.activedir.org/msg32676.html
>>
>> We have a SBS 2003 sp1 box with a corrupt ntds.dit that
the Consultant
>> and PSS have been banging on. Could not get the
services back running,
>> changed the RPC service to local system and some
service came back up [I
>> don't have all the details but the consultant opened a
support case of
>> SRX051202605433].
>>
>> Bottom line they are about going to give up and start a
restore but
>> before they do that I'd like to get the view of the AD
gods and
>> goddesses around here. From all that I've seen, read,
seen in the SBS
>> newsgroup, the corruption of ntds.dit is rare to nil
and an underlying
>> cause is hardware issues [raid, disk subsystem]. This
doesn't just
>> happen.
>>
>> The VAP asked if not properly excluding the ad
databases from the a/v
>> would cause this/trigger this and my expectation is
'no', given that I
>> doubt the majority of us in SBSland properly set up
exclusions
>> Virus scanning recommendations on a Windows 2000 or on
a Windows Server
>> 2003 domain controller:
>>
http://support.microsoft.com/default.aspx?scid=kb;en-us;822158
>>
>> If this were my hardware and box, I'd be putting this
sucker on the
>> operating table and getting an autopsy before putting
it back online.
>>
>> Are we right in being paranoid now about this
hardware? For you guys in
>> big server land you'd just slide over another box into
that server role.
>>
>> ---------------------------------------
>> Stupid question alert....
>>
>> Okay so we know that having a secondary/additional
domain controller is
>> a good thing even in SBSland...but question.... many
times the second
>> server in SBSland is a terminal server box because we
do not support TS
>> in app mode on our PDCs. So we've established that
having a domain
>> controller and a terminal server is a security issue
[see Windows
>> Security resource kit, NIST Terminal services hardening
guide, etc
>> etc....] If our second server is a member server
handing out TS
>> externally, should that be a candidate for the
additional DC? Are the
>> issues of TS on a DC ... true for 'any' DC? Would it
be better than to
>> Vserver/VPC a Win2k3 inside a workstation in the
network if a third
>> server box was not feasible?
>>
>> List info : http://www.activedir.org/List.aspx
<http://www.activedir.org/List.aspx>
>> List FAQ : http://www.activedir.org/ListFAQ.aspx
>> List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
<http://www.mail-archive.com/activedir%40mail.activedir.org/>
>>
>>
>>
>>
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
>
>
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
List info : http://www.activedir.org/List.aspx
<http://www.activedir.org/List.aspx>
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
<http://www.mail-archive.com/activedir%40mail.activedir.org/>
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
<http://www.activedir.org/ListFAQ.aspx>
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
