#93942 - 2002-09-30 11:57 PM
old group name still shown
tdoan
Fresh Scripter
Registered: 2002-09-30
Posts: 6
We have two domains with a two-way trust between them. One is our old NT4 domain, and the other is our new W2k domain. We've been moving users and groups from the old to the new domain for about a year now and are almost done. We run almost identical Kixtart login scripts in both domains.
A problem occurs when I migrate a group from the old domain to the new and then rename the group (something we cannot do in NT4 domains). From computers that are still members of the old domain, Kixtart still thinks the group name is the old group name. Computers that are members of the new domain see the new group name with no problem (at least I haven't seen an instance of the problem). The problem continues even after I remove the original group from the old domain such that the original group name exists nowhere.
I've searched for any local caching that Kixtart might do, but have found none. Can someone shed some light on what we can do to purge that old group name? Let me know if further details are required to diagnose the problem.
#93944 - 2002-10-01 12:15 AM
Re: old group name still shown
Kdyer
KiX Supporter
   
Registered: 2001-01-03
Posts: 6241
Loc: Tigard, OR
Does the Group exist in Active Directory Users and Computers?
We had a situation where we were out of sync..
This was from our Net Admin..
quote:
Check out these groups now. They now show the correct members. It was a problem with the Infrastructure Master in the site.com domain. It was running on SERVER.
It has to run on a DC that is not the PDC emulator as well as is not a GC. Well, it was a GC. I removed this last night and this morning all was well.
Thanks!
Kent
[ 01. October 2002, 00:17: Message edited by: kdyer ]
#93945 - 2002-10-01 12:22 AM
Re: old group name still shown
tdoan
Fresh Scripter
Registered: 2002-09-30
Posts: 6
Okay, I tried the kix32 /f while logged in as a user that is a member of one of the problematic groups, and sure enough, at next login the group name was correct. Thanks!
Now my question is what would be wrong with adding the "/f" to our main batch file such that the switch runs at each login for all users? Is there a big performance hit by not taking advantage of the local cache? Conversely, is there a way to set a frequency for the cache to be refreshed, say, once per week or even once per day?
#93946 - 2002-10-01 12:30 AM
Re: old group name still shown
tdoan
Fresh Scripter
Registered: 2002-09-30
Posts: 6
A bit off the topic, kdyer, but I've never heard of an issue with the IF master being on the same DC as the PDC emulator. The general recommendation from Microsoft is to have the IF master on a DC that is not also a GC (which we respect on our domain). Of course, if you have enough DCs in your domain to be able to separate these two roles, it won't hurt to do so.
#93949 - 2002-10-01 12:38 AM
Re: old group name still shown
tdoan
Fresh Scripter
Registered: 2002-09-30
Posts: 6
You're right, lonkero. Upon a quick check of the manual, which I should have done to begin with, I learn that the refresh interval is 30 days by default. There is no documented way to reduce this interval, however, nor is there a method for turning off caching other than flushing the cache each time the script runs with a "/f". That might be a wishlist item for the developers, but then again, as you mention, the cache may not help us much on our 10/100MB switched network anyway.
I'm off to add /f to our login batch file. Thanks for the help everyone!!
#93950 - 2002-10-01 12:43 AM
Re: old group name still shown
tdoan
Fresh Scripter
Registered: 2002-09-30
Posts: 6
I probably should have left all that "GC" "DC" "IF" talk out of the discussion, but since you ask...
The DC is simply the domain controller in a Windows 2000 domain. It replaces the old PDC (primary domain controller) model from the NT4 days. No more BDCs (backup domain controllers); all domain controllers are basically on an even playing field known as a multi-master model.
The GC is just a DC with the role of global catalog. IF master is the DC with the role of infrastructure master, and there are other roles as well. Bored yet?
#93952 - 2002-10-02 04:18 PM
Re: old group name still shown
tdoan
Fresh Scripter
Registered: 2002-09-30
Posts: 6
Oh, so you're actually interested in this stuff. Cool!
The IF master is what updates GUIDs and SIDs in a multi-domain environment so that objects from the domains can reference each other. So it has to dynamically know what objects exist in its domain only. Since a DC (domain controller) that is also a GC (global catalog) always knows about all objects in _all_ domains (known as the forest of domains), the IF master and GC are incompatible roles.
MS does a better job of explaining this in knowledge base article Q197132, and also gives a description of all the roles the DCs can hold. Enjoy!