NearZero
(Fresh Scripter)
2007-11-16 08:24 AM
Group Cache

Hi,

I'm getting some weird results from group memberships.

Kix 4.5.3, Windows 2003 SBS, Client XP Pro SP2.

It makes no difference if I delete the group token cache (reg) or use /f.

So here's the problem... I enum the groups and I get groups I deleted 20 minutes ago. I rebooted the server, they still appear, I reboot my PC they still appear.

If I use VBScript and ADSystemInfo object, no problem, right groups.

This is driving me insane. I thought about GC cache but reboots should have fixed that issue, besides ADSystemInfo works fine.

Anyone know how Kix gets group memberships (method), so I could try and reproduce it?

Help :)


NTDOC Administrator
(KiX Master)
2007-11-16 08:55 AM
Re: Group Cache

You need to check replication on your network or are you only running a single SBS server?

Please show the code you're using as well.

May have to also check your DNS with tool from MS DNSDIAG and maybe DCDIAG to ensure your AD is operating properly.

How many Servers, and how many Sites?


NearZero
(Fresh Scripter)
2007-11-16 10:12 AM
Re: Group Cache

Hi NTDOC,

You can only have one DC in SBS.

Good news is I found the problem, sadly a piece of debug code I left in during a cut and paste, GRRRRR, one of those days. The script is over 800 lines, after so much testing I rather stupidly assumed all was ok.

Thanks :)


Mart
(KiX Supporter)
2007-11-16 11:17 AM
Re: Group Cache

No worries. We all did that once or twice. Sh#t happens.

Glenn Barnas Administrator
(KiX Supporter)
2007-11-16 01:41 PM
Re: Group Cache

 Originally Posted By: NearZero
You can only have one DC in SBS.

You can have multiple DCs in SBS, but SBS must be the PDCe. Since SBS is designed for smaller networks, there are few real benefits to a second DC, but it is possible.

As for debug code...

 Code:
Global $DEBUG
$DEBUG = 1

; later in the code...

If $DEBUG
 ; do it this way
Else
 ; do it the real way
EndIf

works well for me. Search for the MSG() udf set here or on my web site for debug messaging/logging functions.

Glenn


NTDOC Administrator
(KiX Master)
2007-11-16 11:11 PM
Re: Group Cache

So then what does SBS recommend in case of a Server failure? Tough Luck? Rebuild entire AD ?

NearZero
(Fresh Scripter)
2007-11-17 12:46 AM
Re: Group Cache

NTDOC, Barnas
I should have been a little more specific: you can have only one SBS Server within the domain, but you can have other servers. There are restrictions, but off topic.

Barnas the offending line was a one off. Thanks but I have debug methods in place, screen and/or file.

The error was really stupid and the result of being tired, I should have hung up the keyboard earlier.

Cheers all


Les
(KiX Master)
2007-11-17 03:40 AM
Re: Group Cache

 Originally Posted By: NearZero
...There are restrictions, but off topic...
How can you be off topic in the off topic (Lounge) forum?


Glenn Barnas Administrator
(KiX Supporter)
2007-11-17 01:27 PM
Re: Group Cache

Not sure what SBS recommends, but Microsoft is another story.. ;)

SBS is really specialized - can only be one SBS in a domain, it must be the PDCe, and while it does support additional DCs, well, to quote their documentation:
  • You can install a computer as a BDC in an SBS domain, but there is minimal advantage in doing so. Because the SBS server must function as a PDC, the BDC only provides redundancy for authentication, not fault tolerance as in a traditional Windows NT domain where a PDC does not act as an applications server.
  • Using a BDC for load balancing: In a domain where there are 25 or fewer users, one domain controller, the PDC, can easily handle domain validation.
  • Logon scripts should be replicated to the BDC. In an environment where clients could be validated by a server other than the PDC, such as a BDC, all logon scripts should be replicated to the BDC or Client Setup will fail.
  • Using a BDC in case the PDC goes down: In an SBS domain, if the PDC goes down, whether or not the BDC is promoted, the users will be able to get validated. However, users will not be able to access applications other than those installed on the BDC, because none of the applications from an SBS server can be installed on any other server except the SBS server.
  • If the BDC is promoted and the SBS server needs to be reinstalled, it cannot be installed into the same domain as a BDC and then promoted because SBS installs as a PDC only. If the PDC ever is reinstalled without a full restore from a backup, the user accounts and machine accounts will have to be re-created and the BDC will need to be reinstalled to become a member of the new domain.

I guess, if you run SBS, you need redundant disk and good backups, eh?

Glenn


NTDOC Administrator
(KiX Master)
2007-11-18 11:40 AM
Re: Group Cache

 Originally Posted By: Glenn Barnas
I guess, if you run SBS, you need redundant disk and good backups, eh?



Wow, with all those caveats who would want to chance running their business on such a system? I think if I was THAT cheap I'd try to do it all on Linux or something.

If PDC took a dump (which could easily happen) and backups failed (which I've seen too many times in many businesses) you could kiss your business goodbye for a few days or maybe even altogether if you also lost important customer data with such a stupid setup.


Lonkero Administrator
(KiX Master Guru)
2007-11-18 12:04 PM
Re: Group Cache

hmm...
the caveats are not totally true (if at all).
you can pause the SBS setup at one point and join it to domain as second DC.
why it's sooo bad to be forced to replicate logonscripts in multi DC environment?
I just wonder where glenn pulled that and did he check the writer of those was an educated person, not just some wacko at the marketing department.

and gee, wtf. with SBS you need proper backups? damn that MUST be a bad product!
with all the other servers, including windows and linux products run fine forever without backups. at least without proper ones. Doc, you of all should know better.


ok, I was a bit offensive, but I just woke up.
I have installed lots of SBS servers and I must admit, I don't like them that much. But I found the comments before mine were way biased.


Arend_
(MM club member)
2007-11-18 12:38 PM
Re: Group Cache

PDC and BDC are non-existing in 2003 domains :P
Although we still refer to them as PDC and BDCs, they are just DCs. There is no real difference between them anymore; the only difference you can actually specify is the Global Catalog roles.


Glenn Barnas Administrator
(KiX Supporter)
2007-11-18 03:54 PM
Re: Group Cache

The info was copied/pasted from a MS KB article. I would assume that the writer was somewhat knowledgeable. As for PDC/BDC, the terms are used in reference to SBS in that the SBS server must be the DC that maintains the FSMO roles, and acts as the PDC Emulator (where appropriate). I installed SBS 2K3 "Enterprise" on my VM system and did not find any option to join an existing domain.

There is a process where you can halt the SBS install, join a domain, run DCPromo, then seize the FSMO roles and finally complete the SBS install, but SBS won't work (i.e., no install of all the other components such as SQL, Exchange, Sharepoint) unless the SBS server is the PDCe/FSMO role owner. This is how a "BDC" could help protect an SBS installation, but it's kludgy at best.

Glenn


NTDOC Administrator
(KiX Master)
2007-11-18 10:07 PM
Re: Group Cache

I'm not complaining of backup. I'm complaining that a product that creates an AD infrastructure (so to speak) but does not allow another server to take over all roles and responsibilities is (IMHO) not a good choice.

I can see where it would be possible for such a disaster to put a "small" business "out of business". There are many small companies out there that could not survive (financially) a loss of everything like that.

The whole point is that a small company probably does not have any dedicated IT Staff and is probably installed by the owner him/herself and that's the end of it and they don't know better. I just think it's not a good choice.