Corrupt users on one server only
Hi,
We have 2 DCs, and on one of them everything is fine. On the second server, a couple of user objects are corrupted (only some of the properties pages will open and some pages are missing). Replication is working correctly, because I can create a new user and it gets replicated. I can also change the password of the users in question, and they get changed on the 'faulty' server too.
Is there any way I can force a replication of the complete object between the two servers? I have tried using the AD Site and Services, and going to the 'Replicate Now', but this doesn't help.
Thanks
Nick
|
If one of your domain controllers has corrupted data, your best bet is to demote the corrupted DC and then promote it again (back up the DC's system state first just in case). This will ensure you receive new data for everything - in case the corruption is more than just a few user objects.
If this solution is not feasible, let me know and I will post a trick to force replication of the objects. However, you will need to perform integrity and semantic checks and may end up needing to re-promote the DC anyway. If it was my DC I would just reload Active Directory to ensure data integrity.
The real question is how did the data get corrupted. Is write-behind caching disabled on the disk drives that hold the Active Directory log and database files? Or if it is enabled, are you using a RAID controller with an onboard battery backup?
------------------------------------------------------------------
Mike Aubert
MCSE, MCSD, MCDBA
mikenews2@2000trainers.com
Note the "news2" in my email address is temporary and may be changed in the future, remove it to email me at my permanent address. This posting is provided "AS IS" with no warranties, and confers no rights.
|
I don't really want to demote and promote, because this machine runs Exchange Server, and also holds the FSMO roles (only a small network), so if you could post the trick, that would be great.
As for how it got corrupted - a hard drive in the RAID set failed, and the server started beeping. The concerned customer decided to power it off before the hot spare had rebuilt!!
thanks
Nick
|
Hi Nick,
Even if the server holds the FSMO roles and is running Exchange Server 2000 that does not prevent you from demoting and promoting the server again (although it will cause a temporary service outage - you have to reboot the server a few times). Although you will need to manually transfer the roles and ensure a global catalog server is available, you can get the configuration back to the way it was.
Having said that, the trick to getting the object to replicate is to restart the *working* domain controller in Directory Services Restore Mode and then use the Restore Subtree command of Ntdsutil to mark the object as authoritative. This will increase the object's USN (and all the object's attributes except objectClass) by 100,000 for each day between the last write operation to the directory and the time the command is run (although it does not take that much time to reboot so the actual increase will more likely be a few hundred). After you restart the working domain controller replication will occur and the corrupted DC should write the properties to its directory database.
However, doing the above is not guaranteed to fix anything and is not a supported method of fixing a corrupted database. You should still perform an integrity and semantic check on the corrupted domain controller by using Ntdsutil - even if replicating the objects appears to solve the problem.
By the way, I'm assuming you don't have a current backup (less than 60 days by default) of the corrupted server's directory. If you do have one you could simply restore the corrupted domain controller (non-authoritatively). Active Directory replication would then update the domain controller with all the latest changes from the working domain controller.
Mike
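
The procedure described in the post above, written out as the commands an administrator would type. This is an added example and not part of the original posts. `DC1` (working DC), `DC2` (corrupted DC) and the distinguished name are placeholders; the `repadmin` comparison is an added verification step that the post does not mention.

```batch
rem Added illustration. DC1 = working DC, DC2 = corrupted DC.
rem The DN below is a placeholder for one affected user object.
rem Back up the system state of both DCs before starting.

rem --- On DC1, booted into Directory Services Restore Mode ---
rem Mark the object as authoritative so it replicates out again.
ntdsutil "authoritative restore" "restore subtree CN=jdoe,CN=Users,DC=example,DC=com" quit quit

rem Restart DC1 normally and allow replication to DC2 to complete.

rem --- From either DC, after replication ---
rem Compare per-attribute replication metadata for the object on both DCs.
rem Windows Server 2003 syntax shown; the Windows 2000 Support Tools form is
rem   repadmin /showmeta <object DN> <DC>
repadmin /showobjmeta DC1 "CN=jdoe,CN=Users,DC=example,DC=com"
repadmin /showobjmeta DC2 "CN=jdoe,CN=Users,DC=example,DC=com"
rem The attribute version numbers and originating DSA should match on both.

rem --- On DC2, booted into Directory Services Restore Mode ---
rem Physical integrity check of the directory database file.
ntdsutil files integrity quit quit
rem Logical (semantic) check of the directory contents, report only.
ntdsutil "semantic database analysis" "verbose on" go quit quit
```

If either check on DC2 reports errors, that points back to the demote and re-promote route recommended earlier in the thread.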