1. Yes
2. Yes
3. Yes, but this doesn't impact this issue because that assumes a pre-R2 forest. This issue is strictly with a forest initially built from an R2 machine.
4. Nope and Nope. The TSL will not revert in an existing forest, MSFT doesn't touch the existing value in a forest. The only time the TSL is modified is when you do it or when the forest is initially built.
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, July 24, 2006 10:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

Thanks for this joe. That doc is more than bad - it's plain wrong :(
 
Just to further clarify:
1. If I build a new R2 forest, I should expect a blank TSL - which implies a 60 days TSL. Correct?
2. All I need to do to 'fix' this 'issue' is to amend the TSL via admod or adsiedit or whatever... ? Correct?
3. I only need to run the R2 adprep once per forest. [Stated for completeness]
4. Do I need to run the R2 setup on each machine I build? Will this process revert the TSL back to 'not set'?
 
I'm trying to understand the issue below but also how it is caused and how it may be caused again.
 
neil
PS I agree re R2 and its value above and beyond SP1. But what a great marketing ploy :)
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 24 July 2006 14:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

This all started due to bad documentation on
 
http://technet2.microsoft.com/WindowsServer/en/library/f3df8a52-81ea-4a1d-9823-4e51fbd3422a1033.mspx?mfr=true
 
which states
 
Note the value in the Value column. If the value is <not set>, the default value is in effect as follows:

• On a domain controller in a forest that was created on a domain controller running Windows Server 2003 with Service Pack 1 (SP1), the default value is 180 days.

• On a domain controller in a forest that was created on a domain controller running Windows 2000 Server or Windows Server 2003, the default value is 60 days.
 
 
which was confusing a customer. Then after I explained about how 60 days is hardcoded and 180 days was a schema.ini fix, he further indicated that he wasn't seeing this in an R2 forest, hence his original question. The test R2 forests I have built, I never checked TSL, just assumed it was 180, and normally I don't build R2 machines because I really don't much care about R2; SP1 is far more important for the stuff I play with. I mean really, how many people verify the TSL of their forest versus just assuming it was whatever MSFT or someone representing MSFT said it should be. I know I have told a ton of people that after SP1 the value is 180 and I want to make sure I tell all of those same people that it really isn't in R2.
 
My concern is for people who have put an R2 forest out there and are under the running assumption that they now have a 180 day TSL and make some decision based on it (yes, it is ok if our DC sits on the doc in Mexican customs for 3 months (this is a real example) because we have a 180 day TSL) and learn after the fact that it was incorrect. It also has backup/restore implications.
 
Hopefully the above docs will be corrected and the word will seep out and people will be aware. This is one of those things where if you find it out after you already had an incident you will be like, WTF Microsoft. It also makes me wonder if there is anything else that was regressed...
 
   joe
 
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, July 24, 2006 2:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

hehe, yep I've seen that (the difference of the Schema.ini files; i.e. missing entry for the tombstonelifetime property) but didn't think too much of it because for now I've only had to handle upgrading from Win2000 or 2003 to R2, where the Schema.ini doesn't play a role. It is "only" used to populate a blank schema at the time that you create a new AD forest - and yes, this means that your tombstone lifetime wouldn't match that of other Win2003 forests that were created from a DC that had SP1 applied to it...
 
I agree, not very nice, but easily fixed as you describe. Personally, I don't think too much of the fact that the tombstonelifetime was increased to 180 days in SP1 anyways. This was done to avoid issues for companies with a badly managed AD - I would generally much prefer to adjust the value to what is appropriate for a company's backup & recovery strategy. And this usually doesn't mean that you need to keep the "garbage" in your AD for 1/2 a year...
 
Granted, it's the inconsistency here with which MSFT has done the update of the schema.ini files which is not so nice - but the rules are pretty clear on how tombstone lifetime can be evaluated by an admin: if the attribute on the Directory Services object (tombstoneLifetime on CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<MyRootDomain>) shows NOT SET, then it's the "original" default tombstone lifetime of 60 days. Else it's whatever number of days has been set either by the DCPROMO routine writing a specific value into the attribute when creating a new forest, or by an admin changing the value to whatever is appropriate.
 
/Guido
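The evaluation rule Guido lays out above (attribute NOT SET means the hard-coded 60 days, otherwise whatever number is stored), turned into a check you can run, as an added example that is not part of the thread and not any poster's code. It binds to the Directory Service object under the Configuration NC via the [ADSI] accelerator, so it needs no RSAT module, and it includes an optional setter for the "fix it with admod/adsiedit" step from the first message. The function names are my own, the ValidateRange bound is a sanity guard I chose rather than an AD limit, and the set step assumes you run it as a member of Enterprise Admins on a domain-joined machine.

```powershell
# Added example, not from the thread. Function names are my own.
# Reads (and optionally writes) the forest-wide tombstoneLifetime attribute on
#   CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<forest root>
# using the [ADSI] accelerator (System.DirectoryServices), so no RSAT module is needed.

function Get-DirectoryServiceObject {
    # Discover the Configuration NC from RootDSE instead of hard-coding the forest root DN.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = $rootDse.Properties["configurationNamingContext"].Value
    return [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
}

function Get-ForestTombstoneLifetime {
    $dsObj = Get-DirectoryServiceObject
    $raw   = $dsObj.Properties["tombstoneLifetime"].Value
    if ($null -eq $raw) {
        # <not set>: AD falls back to the hard-coded 60 days, no matter which
        # media (SP1, R2, ...) the first DC of the forest was promoted from.
        [pscustomobject]@{ Configured = $null; EffectiveDays = 60; Source = 'default (attribute not set)' }
    } else {
        [pscustomobject]@{ Configured = [int]$raw; EffectiveDays = [int]$raw; Source = 'attribute' }
    }
}

function Set-ForestTombstoneLifetime {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Range is an assumed sanity guard, not a documented AD limit.
        [Parameter(Mandatory)][ValidateRange(1, 3650)][int]$Days
    )
    $current = Get-ForestTombstoneLifetime
    if ($Days -lt $current.EffectiveDays) {
        # Lowering the TSL retires tombstones sooner: any backup older than the
        # new value can no longer be restored safely, so check your backup age first.
        Write-Warning "Lowering TSL from $($current.EffectiveDays) to $Days days; backups older than $Days days become unrestorable."
    }
    $dsObj = Get-DirectoryServiceObject
    $dn    = $dsObj.Properties["distinguishedName"].Value
    if ($PSCmdlet.ShouldProcess($dn, "Set tombstoneLifetime = $Days")) {
        # Written on the DC you are bound to; the Configuration NC replicates it forest-wide.
        $dsObj.Properties["tombstoneLifetime"].Value = $Days
        $dsObj.CommitChanges()
    }
}

# Usage: verify first, then fix with -WhatIf before the real write.
Get-ForestTombstoneLifetime | Format-List
# Set-ForestTombstoneLifetime -Days 180 -WhatIf
# Set-ForestTombstoneLifetime -Days 180
```

The read is what you want in any forest audit script: an R2-built forest that nobody touched reports Configured = (null) and EffectiveDays = 60, which is exactly the surprise joe describes. Pick the value to match your backup and recovery window rather than assuming 180; the attribute is a single forest-wide setting, so changing it on one DC is enough.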


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, July 24, 2006 1:50 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Have you built an R2 Forest?

If so... you may want to peek at
 
http://blog.joeware.net/2006/07/23/484/
 
entitled "R2 tombstoneLifetime boo boo"
 
 
 
 
