Re: Loss of attribute values
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 19 May 2008 09:24:04 -0500
usnChanged is just a sequentially updated number that is used primarily to
help drive replication. Every time the directory service updates an object
it increments usnChanged by one and stamps that value on the object.
As I recall, you can tell from the replication metadata what server actually
originated the modification, but it is not easy to tell much more than that.
Enabling auditing for changes on these attributes might be helpful, but
would generate a lot of audit log chatter to comb through.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Steve C" <SteveC@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B75D251E-066C-450A-8A81-E9ABF39A3C53@xxxxxxxxxxxxxxxx
Well, I can see the value for whenChanged and I can monitor that should I
have an entry drop out again, but I don't see anything that would indicate
what caused its removal. The uSNChanged value must need some type of
translation, as it doesn't seem to represent a date/time the way whenChanged
does.
Thanks
"Paul Bergson [MVP-DS]" wrote:
I'm not sure how you would know what value was overwritten, I suppose you
could check the USN but you wouldn't use repadmin for that. I think you
would need to use ADSIEdit, but I don't know I have never tried.
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.
"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23tonb7gtIHA.5832@xxxxxxxxxxxxxxxxxxxxxxx
I think you can do it with repadmin. As a programmer, I tend to do these
things the "programmer" way (via an LDAP query in this case), but repadmin
sounds like the right admin tool for this. Someone else can likely confirm.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Steve C" <Steve C@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6FE40D5A-E0BF-4CB6-8C7B-CC0CCC04C257@xxxxxxxxxxxxxxxx
Would this be using the repadmin tool? I haven't used that before, but will
check it out. Hopefully the history data is still there.
Thanks
"Joe Kaplan" wrote:
You could also check the replication metadata and see when the change
happened and where it originated from. That may or may not provide any
useful info though.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:uBEa8IctIHA.2188@xxxxxxxxxxxxxxxxxxxxxxx
The only thing that pops into mind for me is adminSDHolder. This
attribute resets ACL's but I am not aware of it resetting other
attributes, but take a look at an article by a former MVP and current
Microsoft employee.
http://www.msresource.net/knowledge_base/articles/info:_protected_groups_and_the_adminsdholder_object.html
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.
"Steve C" <Steve C@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:DD36281D-D365-4268-92E7-1DF9359A3080@xxxxxxxxxxxxxxxx
We run a large SQL Server environment and rely on delegation to make our
Linked Server connections work. To do this, we must manually add entries to
the ServicePrincipalName attribute for the account under which our SQL
Servers run. Randomly, one or more entries will just disappear from the
attribute and cause our linked server connections to fail. This past weekend,
2 SQL instances from the same server (which actually hosts 5 instances)
disappeared. Last night the entry for a different server disappeared. I
re-add the entry using ADSIEdit (I could use SetSPN, too) and all is well for
that server.
I know that no one on my team is going in and changing/deleting entries. Any
ideas where to start looking? Is there some kind of auditing I can turn on
that won't bring my AD to its knees? Any specific diags I should be running
to pick up corruption issues?
Thanks
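
The replication metadata check discussed in this thread, done the LDAP way, as an added example that is not part of the original posts: each value of the constructed attribute `msDS-ReplAttributeMetaData` is an XML fragment giving an attribute's name, its version, and the time and domain controller of the last originating write. The two snapshots, the server names and the USNs are constructed sample data reduced to the fields the parser reads; reading the attribute from a live directory is left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

CFG = "CN=Servers,CN=Site-A,CN=Sites,CN=Configuration,DC=example,DC=com"  # made up

def make_sample(name, version, when, orig_usn, dc):
    """Build one constructed msDS-ReplAttributeMetaData value (sample data only)."""
    dsa = f"CN=NTDS Settings,CN={dc},{CFG}" if dc else ""
    return ("<DS_REPL_ATTR_META_DATA>"
            f"<pszAttributeName>{name}</pszAttributeName><dwVersion>{version}</dwVersion>"
            f"<ftimeLastOriginatingChange>{when}</ftimeLastOriginatingChange>"
            f"<usnOriginatingChange>{orig_usn}</usnOriginatingChange>"
            f"<pszLastOriginatingDsaDN>{dsa}</pszLastOriginatingDsaDN>"
            "</DS_REPL_ATTR_META_DATA>")

# Metadata of the SQL service account, read before and after an SPN went missing.
SNAPSHOT_BEFORE = [
    make_sample("servicePrincipalName", 13, "2008-05-12T14:02:10Z", 470001, "DC01"),
    make_sample("description", 1, "2007-11-02T09:30:00Z", 120044, "DC01"),
]
SNAPSHOT_AFTER = [
    make_sample("servicePrincipalName", 14, "2008-05-18T03:12:44Z", 481516, "DC02"),
    make_sample("description", 1, "2007-11-02T09:30:00Z", 120044, "DC01"),
]

def parse_metadata(values):
    """Map lower-cased attribute name -> last originating change record."""
    out = {}
    for raw in values:
        node = ET.fromstring(raw.strip())
        # The DSA DN is empty when the originating DC no longer exists.
        dsa_dn = node.findtext("pszLastOriginatingDsaDN") or None
        rdns = dsa_dn.split(",") if dsa_dn else []  # naive split, fine for DC names
        when = datetime.strptime(node.findtext("ftimeLastOriginatingChange"),
                                 "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        out[node.findtext("pszAttributeName").lower()] = {
            "version": int(node.findtext("dwVersion")),
            "changed": when,
            "origin_usn": int(node.findtext("usnOriginatingChange")),
            "origin_server": rdns[1][3:] if len(rdns) > 1 else None,
        }
    return out

def attribute_changes(before, after):
    """Attributes whose version rose between two snapshots, with who wrote them."""
    old, new = parse_metadata(before), parse_metadata(after)
    return {a: r for a, r in new.items()
            if a not in old or r["version"] > old[a]["version"]}

if __name__ == "__main__":
    for attr, rec in attribute_changes(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(attr, rec["version"], rec["changed"].isoformat(), rec["origin_server"])
```

The result names the domain controller and time of the write, which narrows where to look in the security log; it does not identify the account that made the change.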