Re: AD problem
From: Ulf B. Simon-Weidner [MVP] (nospam2-ulf_at_usw-consulting.com)
Date: 02/09/04
- Next message: Ulf B. Simon-Weidner [MVP]: "Re: Active Directory Rights filter"
- Previous message: Ulf B. Simon-Weidner [MVP]: "Re: Dial in Tab missing"
- In reply to: Shah: "AD problem"
- Next in thread: Shah: "Re: AD problem"
- Reply: Shah: "Re: AD problem"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 9 Feb 2004 23:59:14 +0100
Shah says...
> Hi all,
> I have 80 domain controllers in 80 sites country-wide. I have a Windows
> 2000 based single domain in native mode. Last month one domain controller
> crashed and I restored it from a 2-month-old backup. I do a full backup every
> six months and the tombstone lifetime is set to 548. After the restoration I am
> unable to access Active Directory from
> this domain controller. Event Viewer shows errors for SAM, NTDS KCC, DNS and
> Netlogon. I am not sure, but I guess the replication process has been broken
> between the DCs. I guess the secure channel password expires every 30 days,
> so this may be the cause of the errors. If I reset the secure channel
> password, the problem can be solved. Since I have 80 DCs, it is tiresome to
> reset the secure channel password every time a DC crashes and is restored.
> Is there any method or way to completely get rid of this problem?
> Any help will be appreciated.
>
Hello Shah,
You could configure the machines so that they don't change the passwords of
their computer accounts. But this is a security issue, and I would never do this
except on machines I use for testing, where I use imaging to roll them back to a
known-good state.
What I'd really recommend in your scenario is doing a system state backup more
frequently. What would you do if you accidentally erased part of your AD? Roll
back two months and redo all changes? And is it really necessary to have such a
large TombstoneLifetime? The companies I know do a daily system
state backup, sometimes with an additional mechanism that allows
authoritative restores without a backup. You don't even need a system state
backup on each DC, because you can install most DCs from scratch and synchronize
them. If you don't want to synchronize them over the WAN and you have WS2k3,
you can ship a system state backup to the remote location, use
dcpromo /adv to populate the AD from the system state backup, and sync the changes
afterwards.
Greetings - Sincerely,
Ulf B. Simon-Weidner
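The reply above raises three things an administrator can check on a DC: whether the machine-account password rotation has been disabled (the setting Ulf calls a security issue), what the forest tombstone lifetime actually is, and whether the newest system state backup is still young enough to be restored at all. The following PowerShell audit is an added example written for this page, not code from the thread or its authors. It assumes it runs on a domain controller (or a domain-joined host that can read the Configuration partition) and that the operator passes the timestamp of the last system state backup; the default value is a constructed sample matching Shah's 2-month-old backup. The registry values `DisablePasswordChange` and `MaximumPasswordAge` under the Netlogon parameters key and the `tombstoneLifetime` attribute on the Directory Service object are real, documented settings.

```powershell
# Added audit example (not from the original thread).
# Assumption: run on a DC or domain-joined host with read access to the Configuration partition.
param(
    # Constructed sample default: a backup taken two months ago, as in the question.
    [datetime]$LastSystemStateBackup = (Get-Date).AddDays(-60)
)

# 1. Machine-account password rotation on this host.
#    DisablePasswordChange = 1 stops the computer account password from ever rolling over,
#    which is the setting the reply advises against on production machines.
#    MaximumPasswordAge is the rotation interval in days (default 30).
$netlogon = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$disable  = if ($null -ne $netlogon.DisablePasswordChange) { [int]$netlogon.DisablePasswordChange } else { 0 }
$maxAge   = if ($null -ne $netlogon.MaximumPasswordAge)   { [int]$netlogon.MaximumPasswordAge }   else { 30 }

if ($disable -eq 1) {
    Write-Warning 'DisablePasswordChange=1: the machine account password never rotates (acceptable only on test machines).'
} else {
    Write-Output "Machine account password rotates every $maxAge days."
}

# 2. Forest tombstone lifetime, read from the Directory Service object via ADSI.
#    When the attribute is not set, Windows 2000/2003 use a default of 60 days.
$rootDse = [ADSI]'LDAP://RootDSE'
$dsPath  = "LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$ds      = [ADSI]$dsPath
$tsl     = if ($ds.tombstoneLifetime.Value) { [int]$ds.tombstoneLifetime.Value } else { 60 }
Write-Output "tombstoneLifetime: $tsl days"

# 3. Is the newest system state backup still restorable?
#    A backup older than the tombstone lifetime must not be restored: the restored DC would
#    reintroduce objects the rest of the forest has already purged (lingering objects).
$backupAge = [int]((Get-Date) - $LastSystemStateBackup).TotalDays
if ($backupAge -ge $tsl) {
    Write-Warning "Newest system state backup is $backupAge days old, older than the tombstone lifetime ($tsl days): do not restore from it."
} elseif ($backupAge -gt 1) {
    Write-Warning "Newest system state backup is $backupAge days old; the reply recommends a daily system state backup."
} else {
    Write-Output "System state backup age: $backupAge day(s)."
}
```

Run it as `.\Audit-DcRestoreReadiness.ps1 -LastSystemStateBackup '2004-01-09'` (the file name is an assumption). The backup-age check is the one that matters most in Shah's situation: with a 548-day tombstone lifetime a 2-month-old backup is technically restorable, but the secure channel failures he describes are exactly what an old backup produces when the restored DC's locally stored machine account password no longer matches the one the rest of the domain holds.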