I think the topic shifted a little; specifically, it shifted from the
corruption aspect to the concept of read-only DCs.

The read-only DCs really have no bearing on directory corruption. I haven't
seen details on "what kind" of corruption and how it was detected, but if it
is real corruption, that is ESE level and there is not much AD can do about it, but ESE
can do things about it, like the single-bit correction he pointed out.

Anyway, I don't expect RODCs to be a big hit for SBS deployments. ;o)


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, December 06, 2005 1:08 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption

True, but right now, today, we have what we have.

 From what I'm hearing the corruption won't be replicated, but a longer term
solution won't be in play until Longhorn/Vista.



Medeiros, Jose wrote:
> Hi Susan, 
>
> With all due respect, I think you missed the point. The concept of having a
read-only DC is similar to a BDC, since a BDC only has a read-only copy of
the PDC's database. In some situations you may want a read-only DC at a
small remote office, which would help reduce replication traffic.
>
> Also most technologies are built on past concepts and are hierarchical.
Understanding one concept helps you to understand the logic in another. 
>
> Peace!
>
>
> Sincerely, 
> Jose Medeiros
> ADP | National Account Services
> ProBusiness Division | Information Services
> 925.737.7967 | 408-449-6621 CELL
>
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Susan Bradley,
> CPA aka Ebitz - SBS Rocks [MVP]
> Sent: Tuesday, December 06, 2005 9:28 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Ntds.dit file corruption
>
>
> "Additional Domain controller"
> BDC is an NT4 concept and in my book NT4 is dead  ;-)
>
> Medeiros, Jose wrote:
>   
>> BDC.. Yes and no.. Yes, it is a read-only copy of the PDC's database, but 
>> no, you do not have an option to choose.
>>
>> Sincerely,
>> Jose Medeiros
>> ADP | National Account Services
>> ProBusiness Division | Information Services
>> 925.737.7967 | 408-449-6621 CELL
>>
>>
>>     -----Original Message-----
>>     *From:* [EMAIL PROTECTED]
>>     [mailto:[EMAIL PROTECTED] Behalf Of *Sullivan
Tim
>>     *Sent:* Monday, December 05, 2005 7:38 PM
>>     *To:* ActiveDir@mail.activedir.org
>>     *Subject:* RE: [ActiveDir] Ntds.dit file corruption
>>
>>     BDC....
>>
>>
------------------------------------------------------------------------
>>     *From:* [EMAIL PROTECTED]
>>     [mailto:[EMAIL PROTECTED] *On Behalf Of
>>     *Carpenter Robert A Contr WROCI/Enterprise IT
>>     *Sent:* Monday, December 05, 2005 5:33 PM
>>     *To:* ActiveDir@mail.activedir.org
>>     *Subject:* RE: [ActiveDir] Ntds.dit file corruption
>>
>>     Novell.....
>>
>>
------------------------------------------------------------------------
>>     *From:* [EMAIL PROTECTED]
>>     [mailto:[EMAIL PROTECTED] *On Behalf Of
>>     *Medeiros, Jose
>>     *Sent:* Monday, December 05, 2005 11:24 AM
>>     *To:* ActiveDir@mail.activedir.org
>>     *Subject:* RE: [ActiveDir] Ntds.dit file corruption
>>
>>     I was not aware that Microsoft had incorporated such a feature in
>>     AD 2003. I know for a fact that Microsoft did not have this
>>     feature when AD 2000 was first released because I mentioned it to
>>     several Microsoft AD & premier support specialists and they each
>>     confirmed it was not available ( However it may have been added in
>>     a service pack ).
>>      
>>     I would love to know how to enable a read only DC. I think that is
>>     a great idea, I wonder who thought of it. :-)
>>
>>     Sincerely,
>>     Jose Medeiros
>>     ADP | National Account Services
>>     ProBusiness Division | Information Services
>>     925.737.7967 | 408-449-6621 CELL
>>
>>
>>         -----Original Message-----
>>         *From:* [EMAIL PROTECTED]
>>         [mailto:[EMAIL PROTECTED] Behalf Of *Phil
>>         Renouf
>>         *Sent:* Monday, December 05, 2005 11:04 AM
>>         *To:* ActiveDir@mail.activedir.org
>>         *Subject:* Re: [ActiveDir] Ntds.dit file corruption
>>
>>         Will Read Only DC's take care of this? I don't know much about
>>         them yet, but it makes sense that if the copy of the dit that
>>         a DC has is RO that it won't try to replicate that anywhere
>>         and would only be the recipient of replication. Anyone with
>>         more knowledge about how RO DC's will work to comment on that?
>>          
>>         Phil
>>
>>          
>>         On 12/5/05, *Medeiros, Jose* <[EMAIL PROTECTED]
>>         <mailto:[EMAIL PROTECTED]>> wrote:
>>
>>             Well at least the corruption occurred on just a single DC.
>>             One thing that has bugged me about Active Directory is not
>>             being able to select if you want a DC in a remote office
>>             to not have the ability to replicate back in a large
>>             enterprise environment. Since most remote offices only
>>             have a few people at the location and a DC is usually
>>             placed for improved logon and authentication time, many
>>             companies will either use a very low end server or a very
>>             old decommissioned one from their production data center (
>>             Which is probably close to useable life ). I am always
>>             concerned that once the NTDS.DIT file becomes corrupt it
>>             will replicate the corruption to the other DC's in the
>>             Forest.
>>
>>             Maybe I am just being a worry wart and this really is not
>>             an issue.
>>
>>
>>
>>             Sincerely,
>>             Jose Medeiros
>>             ADP | National Account Services
>>             ProBusiness Division | Information Services
>>             925.737.7967 | 408-449-6621 CELL
>>
>>
>>
>>
>>             -----Original Message-----
>>             From: [EMAIL PROTECTED]
>>             <mailto:[EMAIL PROTECTED]>
>>             [mailto:[EMAIL PROTECTED]
>>             <mailto:[EMAIL PROTECTED]>]On Behalf Of
>>             Susan Bradley,
>>             CPA aka Ebitz - SBS Rocks [MVP]
>>             Sent: Monday, December 05, 2005 8:53 AM
>>             To: ActiveDir@mail.activedir.org
>>             <mailto:ActiveDir@mail.activedir.org>
>>             Subject: Re: [ActiveDir] Ntds.dit file corruption
>>
>>
>>             I did? :-)  I think I still said all I know is what the
>>             poster said  :-)
>>
>>             I think I need a course in event log reading because even
>>             with the logs,
>>             and the default size of the logs, I still don't see a
>>             smoking gun.  The
>>             directory services one is filled with events 'post' blow up.
>>
>>             What is interesting is that it seems to me big server land
>>             goes .. oh
>>             yeah... ntds.dit corruption... and sbsland freaks
>>             out.  Either we do
>>             indeed need to ensure we have a secondary DC or we need to
>>             park a second
>>             copy of a system state offsite [say at the vap/var]
>>
>>             Brett Shirley wrote:
>>             > She replied offline, very likely a single bit flip,
>>             tragedy, they aren't
>>             > one release later (Longhorn), where this would've
>>             probably been
>>             > non-disruptively handled, logged, and possibly self-healed:
>>             >   http://blogs.technet.com/efleis/archive/2005/01.aspx
>>             >
>>             > Anyway, this kind of thing is usually hardware ...
>>             >
>>             > While there are much better disk sub-system testers, one
>>             that is freely
>>             > available to any box with Exchange is jetstress.  You
>>             might give that a
>>             > try.  If you can reproduce the event / error with
>>             jetstress I would not
>>             > use that box in production.
>>             >
>>             > If you do reproduce the issue several times (several
>>             times is key, as you
>>             > want a trend before you start playing the variable
>>             game), some things
>>             > you might vary (one at a time):
>>             >
>>             >  - Try making sure you have the latest driver and
>>             motherboard / controller
>>             > firmware.  Then see if you can reproduce.
>>             >
>>             >  - Try a different RAID configuration, such as
>>             RAID1/RAID1+0 if you're on
>>             > RAID5.
>>             >
>>             >  - Try swapping out the hard drives, one at a time.
>>             >
>>             >  - Adding the jetstress files to the exclude list in the
>>             Anti-Virus
>>             > software. (A low probability, I've never heard of
>>             Anti-Virus causing this
>>             > particular type of error, and I can't imagine the mistake
>>             an anti-virus
>>             > product would have to have to cause this side effect)
>>             >
>>             >  - If you can reproduce it several times, you could
>>             follow up with Dell.
>>             > Good luck.
>>             >
>>             > I'm not sure if I answered your question ...
>>             >
>>             > Cheers,
>>             > BrettSh
>>             >
>>             >
>>             > On Sun, 4 Dec 2005, Eric Fleischman wrote:
>>             >
>>             >
>>             >> Going back to the original post, I'm not sure I fully
>>             understand the
>>             >> problem yet. Susan, can you define "ntds.dit file
>>             corruption" for us?
>>             >> What sort of corruption? What errors/events lead you to
>>             believe this?
>>             >> Specifically, I'm interested in errors from NTDS ISAM
>>             or ESE if you
>>             >> have any.
>>             >>
>>             >>
>>             >>
>>             >> ________________________________
>>             >>
>>             >> From: [EMAIL PROTECTED]
>>             <mailto:[EMAIL PROTECTED]> on behalf of
>>             Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
>>             >> Sent: Sat 12/3/2005 10:58 PM
>>             >> To: ActiveDir@mail.activedir.org
>>             <mailto:ActiveDir@mail.activedir.org>
>>             >> Subject: [ActiveDir] Ntds.dit file corruption
>>             >>
>>             >>
>>             >>
>>             >> SBS box [with Windows 2003 sp1 since September]
>>             >>
>>             >> RE: [ActiveDir] Database Corruption:
>>             >>
>>
http://www.mail-archive.com/activedir@mail.activedir.org/msg32676.html
>>             >>
>>             >> We have a SBS 2003 sp1 box with a corrupt ntds.dit that
>>             the Consultant
>>             >> and PSS have been banging on.  Could not get the
>>             services back running,
>>             >> changed the RPC service to local system and some
>>             service came back up [I
>>             >> don't have all the details but the consultant opened a
>>             support case of
>>             >> SRX051202605433].
>>             >>
>>             >> Bottom line, they are about to give up and start a
>>             restore but
>>             >> before they do that I'd like to get the view of the AD
>>             gods and
>>             >> goddesses around here.  From all that I've seen, read,
>>             seen in the SBS
>>             >> newsgroup, the corruption of ntds.dit is rare to nil
>>             and an underlying
>>             >> cause is hardware issues [raid, disk subsystem].  This
>>             doesn't just
>>             >> happen.
>>             >>
>>             >> The VAP asked if not properly excluding the ad
>>             databases from the a/v
>>             >> would cause this/trigger this and my expectation is
>>             'no', given that I
>>             >> doubt the majority of us in SBSland properly set up
>>             exclusions.
>>             >> Virus scanning recommendations on a Windows 2000 or on
>>             a Windows Server
>>             >> 2003 domain controller:
>>             >>
>>
http://support.microsoft.com/default.aspx?scid=kb;en-us;822158
>>             >>
>>             >> If this were my hardware and box, I'd be putting this
>>             sucker on the
>>             >> operating table and getting an autopsy before putting
>>             it back online.
>>             >>
>>             >> Are we right in being paranoid now about this
>>             hardware?  For you guys in
>>             >> big server land you'd just slide over another box into
>>             that server role.
>>             >>
>>             >> ---------------------------------------
>>             >> Stupid question alert....
>>             >>
>>             >> Okay so we know that having a secondary/additional
>>             domain controller is
>>             >> a good thing even in SBSland...but question.... many
>>             times the second
>>             >> server in SBSland is a terminal server box because we
>>             do not support TS
>>             >> in app mode on our PDCs. So we've established that
>>             having a domain
>>             >> controller and a terminal server is a security issue
>>             [see Windows
>>             >> Security resource kit, NIST Terminal services hardening
>>             guide, etc
>>             >> etc....]  If our second server is a member server
>>             handing out TS
>>             >> externally, should that be a candidate for the
>>             additional DC?  Are the
>>             >> issues of TS on a DC ... true for 'any' DC?  Would it
>>             be better then to
>>             >> Vserver/VPC a Win2k3 inside a workstation in the
>>             network if a third
>>             >> server box was not feasible?
>>             >>
>>             >> List info   : http://www.activedir.org/List.aspx
>>             <http://www.activedir.org/List.aspx>
>>             >> List FAQ    : http://www.activedir.org/ListFAQ.aspx
>>             >> List archive:
>>             http://www.mail-archive.com/activedir%40mail.activedir.org/
>>             <http://www.mail-archive.com/activedir%40mail.activedir.org/>
>>             >>
>>             >>
>>             >>
>>             >>
>>             >
>>             >
>>             >
>>
>>             --
>>             Letting your vendors set your risk analysis these days?
>>             http://www.threatcode.com
>>
>>
>>
>>
>>
>>
>>
>>     
>
>   

-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com
