just to be clear:
step 3 (R2 adprep) is NOT needed at all if you build a new forest - you're not doing an upgrade here.
Whenever you do an upgrade, you do NOT change the TSL.
 
The documentation is wrong as the TSL is always the hardcoded value of 60, if the value is "not set". If you've created a new forest from an SP1 DC it would be overwritten with an explicit value of 180.  This is what we'd also expect on R2, but due to an incomplete schema.ini file (which is missing the explicit setting of the TSL value to 180), a new R2 forest also has this value "not set" = 60.
 
/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Monday, July 24, 2006 4:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

inline


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, July 24, 2006 16:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

Thanks for this joe. That doc is more than bad - it's plain wrong :(
 
Just to further clarify:
1. If I build a new R2 forest, I should expect a blank TSL - which implies a 60 days TSL. Correct?
[JdAP says:] YES (but it should be 180 days!) 
2. All I need to do to 'fix' this 'issue' is to amend the TSL via admod or adsiedit or whatever... ? Correct?
[JdAP says:] YES, ADD THE 180 VALUE 
3. I only need to run the R2 adprep once per forest. [Stated for completeness]
[JdAP says:] YES 
4. Do I need to run the R2 setup on each machine I build? Will this process revert the TSL back to 'not set'?
[JdAP says:] (1) ONLY IF YOU NEED THE R2 STUFF, (2) NO 
 
I'm trying to understand the issue below but also how it is caused and how it may be caused again.
[JdAP says:] WRONG SCHEMA.INI ON THE MEDIA 
 
neil
PS I agree re R2 and its value above and beyond SP1. But what a great marketing ploy :)
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 24 July 2006 14:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

This all started due to bad documentation on
 
http://technet2.microsoft.com/WindowsServer/en/library/f3df8a52-81ea-4a1d-9823-4e51fbd3422a1033.mspx?mfr=true
 
which states
 

Note the value in the Value column. If the value is <not set>, the default value is in effect as follows:

• On a domain controller in a forest that was created on a domain controller running Windows Server 2003 with Service Pack 1 (SP1), the default value is 180 days.

• On a domain controller in a forest that was created on a domain controller running Windows 2000 Server or Windows Server 2003, the default value is 60 days.

 
 
which was confusing a customer. Then after I explained about how 60 days is hardcoded and 180 days was a schema.ini fix he further indicated that he wasn't seeing this in an R2 forest hence his original question. The test R2 forests I have built I never checked TSL, just assumed it was 180 and normally I don't build R2 machines because I really don't much care about R2, SP1 is far more important for the stuff I play with. I mean really, how many people verify the TSL of their forest versus just assuming it was whatever MSFT or someone representing MSFT said it should be. I know I have told a ton of people that after SP1 the value is 180 and I want to make sure I tell all of those same people that it really isn't in R2.
 
My concern is for people who have put an R2 forest out there and are under the running assumption that they now have a 180 day TSL and make some decision based on it (yes, it is ok if our DC sits on the dock in Mexican customs for 3 months (this is a real example) because we have a 180 day TSL) and learn after the fact that it was incorrect. It also has backup/restore implications.
 
Hopefully the above docs will be corrected and the word will seep out and people will be aware. This is one of those things where if you find it out after you already had an incident you will be like, WTF Microsoft. It also makes me wonder if there is anything else that was regressed...
 
   joe
 
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, July 24, 2006 2:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?

hehe, yep I've seen that (the difference of the Schema.ini files; i.e. missing entry for the tombstonelifetime property) but didn't think too much of it because for now I've only had to handle upgrading from Win2000 or 2003 to R2 where the Schema.ini doesn't play a role. It is "only" used to populate a blank schema at the time that you create a new AD forest - and yes, this means that your tombstone lifetime wouldn't match that of other Win2003 forests that were created from a DC that had SP1 applied to it...
 
I agree, not very nice, but easily fixed as you describe. Personally, I don't think too much of the fact that the tombstonelifetime was increased to 180 days in SP1 anyways. This was done to avoid issues for companies with a badly managed AD - I would generally much prefer to adjust the value to what is appropriate for a company's backup & recovery strategy. And this usually doesn't mean that you need to keep the "garbage" in your AD for 1/2 a year...
 
Granted, it's the inconsistency here with which MSFT has done the update of the schema.ini files which is not so nice - but the rules are pretty clear on how tombstone lifetime can be evaluated by an admin: if the attribute on the Directory Services object (tombstoneLifetime → CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<MyRootDomain>) shows NOT SET, then it's the "original" default tombstone lifetime of 60 days. Else it's whatever number of days has been set either by the DCPROMO routine writing a specific value into the attribute when creating a new forest, or by an admin changing the value to whatever is appropriate.
 
/Guido
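
[Added example, not part of the original thread and not written by any of its participants: a PowerShell sketch of the evaluation rule described in the message above (attribute not set = hardcoded 60 days, otherwise the explicit value), applied to the offline-DC and backup-age concern raised elsewhere in this thread. The function names and the sample ages are hypothetical; Read-ForestTsl assumes a domain-joined host with ADSI available.]

```powershell
# Hardcoded default that applies when tombstoneLifetime is <not set> (per this thread).
$HardcodedDefaultDays = 60

function Get-EffectiveTsl {
    # $RawValue: the attribute as read from the directory, or $null when <not set>.
    param([AllowNull()][object]$RawValue)
    if ($null -eq $RawValue -or "$RawValue" -eq '') {
        return [pscustomobject]@{ Days = $HardcodedDefaultDays; Explicit = $false }
    }
    [pscustomobject]@{ Days = [int]$RawValue; Explicit = $true }
}

function Read-ForestTsl {
    # Reads tombstoneLifetime from the Directory Service object in the configuration NC.
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $dsObj = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $dsObj.Properties['tombstoneLifetime'].Value   # $null when the attribute is not set
}

function Test-WithinTsl {
    # True when a DC last replicated, or a backup was taken, fewer than $TslDays ago.
    param([int]$AgeDays, [int]$TslDays)
    $AgeDays -lt $TslDays
}

# Constructed sample: a new R2 forest (attribute not set) that the admin assumes is 180.
# On a live forest, pass (Read-ForestTsl) instead of $null.
$assumedDays = 180
$actual = Get-EffectiveTsl -RawValue $null

# Constructed ages in days; the 90-day entry mirrors the "3 months in customs" case.
$items = @(
    @{ Name = 'DC offline in transit'; AgeDays = 90 },
    @{ Name = 'Oldest system state backup'; AgeDays = 45 }
)

foreach ($item in $items) {
    [pscustomobject]@{
        Item             = $item.Name
        AgeDays          = $item.AgeDays
        SafeIfAssumed180 = Test-WithinTsl -AgeDays $item.AgeDays -TslDays $assumedDays
        SafeWithActual   = Test-WithinTsl -AgeDays $item.AgeDays -TslDays $actual.Days
        TslExplicitlySet = $actual.Explicit
    }
}
```

[Any row where SafeIfAssumed180 and SafeWithActual disagree is a decision that was made on the wrong tombstone lifetime.]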


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, July 24, 2006 1:50 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Have you built an R2 Forest?

If so... you may want to peek at
 
http://blog.joeware.net/2006/07/23/484/
 
entitled "R2 tombstoneLifetime boo boo"
 
 
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
