How to prove AD and GPO are corrupt

itdaddyitdaddy Member Posts: 2,089 ■■■■□□□□□□
icon_eek.gif
Hey guys

I know this is a stupid question..but how can I prove
through testing and log files that AD and GPO is corrupt?

is there a tool i can use on client and server to prove AD and GPO is corrupt?

thanks

Comments

  • eurotrasheurotrash Member Posts: 817
    Try the event viewer.

    Anyways, is it in fact corrupt? How do you know? Can you use that to prove it?
    witty comment
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    If you are running MOM 2005 you can install the Active Directory Management Pack which will monitor AD for health and "normal" behavior (whatever normal is).

    Here is a check list for monitoring AD, any hiccups that appear will most likely be the result of a mis-configuration, which is much more common than a corruption problem anyway.

    http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd02.mspx
    All things are possible, only believe.
  • itdaddyitdaddy Member Posts: 2,089 ■■■■□□□□□□
    what has happended is we have been getting slow logons.
    with Applying Comuter Settings.. and we have had network slowness.
    and we have had AD security violations in the form of
    users were in Groups that should not be some user were users
    that were in DOmain Admin groups no seeming patttern just some crossing of users in Groups they should not be in! and both admins have never put them in those grooups and combined with slow logons
    with GPO just thought i could test AD database?? tool
    thanks
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    itdaddy:

    No offence, and just my opinion here, but based on your other posts about this problem I would venture a small guess and say......

    Maybe you have an admin that does not know what he is doing. icon_eek.gif

    I base this on some of the seemingly poor decisions that were made regarding DNS when all your problems started, then the unwillingness (on your part or theirs I do not know) to undo those changes to see if the problems disappear. Others have advised you several times to run netdiag to verify basic network settings and we have not heard whether that was done, or if it was done we have not been made aware of the results. In addition, users don't just magically appear in the domain admins group, corrupt AD or not.

    I would not dare to venture a guess now as to what the problem could be except the possibility of an incompetent admin. icon_sad.gif
    All things are possible, only believe.
  • xeviousxevious Member Posts: 59 ■■□□□□□□□□
    check eventlogs, run DCDIAG, and review DNS on the DCs.

    Not sure if you have multiple sites, but make sure you have IP subnets for the sites defined properly. i.e. AD Sites and Services.

    You can also run a SET command and see if the logonserver is correct on PCs that are slow to login.

    Hope this helps.
  • itdaddyitdaddy Member Posts: 2,089 ■■■■□□□□□□
    Hey sprkymrk

    (if i was in charge, sure i would change the DNS config the way i want! duh!) buut I an not in charge!...but i have some ideas and give my theories and we shall see!)

    wow! what a nice fella you are. i have been away working with MCSEs! on this issue....I even had to show them how to enable debug tools like

    userenv.log and netlogon.log

    and I have used netdiag and dcdiag your simple network test tools!

    It is a very strang problem...as far as incompetent....not really...
    sorry I didnt get back in time to satisfy you!

    but thank you to others for you replies.....

    All tests have proved to be PASSED!

    The merging of incorrect users in certain groups is not a part of my
    incompetence.....I would never merge computers and users in Admin groups and mix OU (objects)in groups that should not be...

    sharp I am, incompetent I am not...I am only working my way up..
    and I work with guys that are MCSE and I can hang pretty good.

    I understan DFS and how to set it up and other MCSE topics from not
    having studied to much yet! but I am getting there..

    but your input sucks!

    One day I willl be a moderator of some cool tech site! and
    well I will think of better vocabulary words that you can muster up.

    but thanks for the working me up...it feels goood.... I will post my findings when we find it out...I try...sometimes I may not be able to reply right away cause I am very busy..and If i forget to answer someone.

    Please just remind me it is not my intention to screw you guys and gals over you guys and gals are my peers and mentors...and i appreciate you and this forum...get a life! i am here to help where i can not knock down!
    bring it on MCSE!!!!!!!!!

    itdaddy! icon_lol.gif
  • itdaddyitdaddy Member Posts: 2,089 ■■■■□□□□□□
    xevious

    the funny things is i have tried all the Microsoft test,
    dcdiag, netdiag
    event viewer
    dns
    logonserver check
    nltest /dsgetdc:domain.com test
    CNAME (SRV) records read correctly
    yes, we have 4 sites and they list correctly in DNS
    userenv.log
    netlogon.log

    these tools and test are showing lags in time which corrupt transport
    of GPO to clients... more so than 2kpro machines..they are seemingly unaffected....

    i have seen many similar google searches, and i have seen useren.log
    and they seem to show GPO not being applied as well and in the netlogon.log.seems that XP times out(not because of trust being establish)
    just times out and then logs on computer using netbios/tcp ip..
    from a novice point of view and the MCSE says he sees the same thing
    but all tests seem to be PASSED state..

    i do have a theory that I am testing out....MR Sprky!

    I am trying to change some DNS settings on the DNS servers ( going on a limb!... I wrote all the tcp/ip settings and DNS settings of all systems out
    prior and after we added a call recording system to our network band
    voip system. and well we shall see nest week.i will keep you techies
    posted on my results! this MCSE who works on our stuff (vendor)
    says we might have to call Microsoft...but I hope to have it solved Next week...

    My theory is basic but I think our main DNS server is over worked!
    a performance issue. I am reconfig DNS on servers and some clients to to take some load off this server. our servers at each site
    are

    print
    dns
    dc
    file server

    all rolled in one and the main Server1 is I think overloaded...and cannot handle the payload...which causes network latency which in turn causes
    GPOs not being applied and corrupt and poor AD replication as well.

    just my theory after all things looks at!

    we shall see
    see you next week men and women of IT..

    love it!

    icon_eek.gif
  • itdaddyitdaddy Member Posts: 2,089 ■■■■□□□□□□
    In addition, users don't just magically appear in the domain admins group, corrupt AD or not.



    no duh! but how do you know....what corruption may cause
    i have seen some weird things with corrup things.

    and isnt AD a database!? icon_cool.gif
  • itdaddyitdaddy Member Posts: 2,089 ■■■■□□□□□□
    okay sprky,

    Thanks for the MOM article...i have been working my A$$ on this issue..
    and sorry if i didnt mention what i did...too tired and been very busy
    with my son moving here and all that being a new dad and all
    but if you were not meaning me being incompetent then sorry for venting and attacking you a bit..but if you were attcking me, i meant what i said!

    non of us dont have a clue; we have caught no viruses on these machines or servers that could indicate anything.and all the tests we did
    PASSED but the only way to check for performance is what?
    to do bench mark tests and isolate servers and quantify usage.which i plan on doing some how!

    but the last thing i need is to be accused of being incompetent.

    see you soon and will report my finding.
    I do appreciate all you input and reply to my issues..you guys and gals are great! and if you ever need anything all you do is have to ask me.

    I can be absent minded but never uncaring or (not being a team player)
    that is why we are all here to be a team! an IT team!

    sharing ideas which makes us stronger!

    cao! icon_eek.gif
  • eurotrasheurotrash Member Posts: 817
    itdaddy wrote:
    One day I willl be a moderator of some cool tech site! and
    well I will think of better vocabulary words that you can muster up.
    Before criticizing another's vocabulary, you might want to work on your own (and spelling (seriously), sentence structure, etc). icon_rolleyes.gif
    witty comment
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    itdaddy:

    Your rants are almost not worth replying to, but in case webmaster decides to delete your posts I want to make a quick reply. I was not referring to you as incompetent - only negligent in posting results or findings of your other 3 threads on this very same topic. You keep posting follow-ups in new threads that are actually the same issue - there is no way to have any continuity on trouble shooting the problem when:

    a - You post the same problem in different threads but described somewhat differently.

    b - You have time to continually post questions related to the problem, but not results of the suggestions you are given.

    The incompetence comments were for the admins above you, because in your other posts you kept stating that "they" did this and "they" did that. When we suggested undoing the changes you indicated it was not your job and someone else did not want to undo the changes.
    itdaddy wrote:
    and yes, I am controlled by
    higher ups in IT who should never be in IT..they are dataprocessers
    i am an IT guy

    Notice the wording I used:
    sprkymrk wrote:
    Maybe you have an admin that does not know what he is doing.

    I said "have", not "are".

    As far as choosing my wording, I call them like I see them. Incompetence is not a bad word, it has a meaning. Your wording (like "sucks", "get a life", "duh" and one your favorites "wtf" though fortunately you did not use it in this thread) must be better examples I suppose. Believe it or not I was trying to help. If you don't believe me go back to your other threads on this very same issue and read all the replies and suggestions I made.

    Maybe you were tired and had a bad day when you read my reply, and I can see how my post could have offended you. For that I do apologize. Any way, I do hope you can figure out the problem. Good luck.
    All things are possible, only believe.
  • itdaddyitdaddy Member Posts: 2,089 ■■■■□□□□□□
    i did take offense cause i thought you were leaning that way
    or implying and MR omni...he wasnt attacking you..and my spelling does suck
    when you are typing fast and torked off and writing in a forum

    i wrote in other threads to maybe get some concentration on the issue at hand; knowingthat it would you all would see it and maybe some new people who are concentrating on the issue; thought i would get abetter response in other threads in other areas maybe....

    but sorry for sounding like a di$k i dont like to be that way just under alot of pressure lately; i am nice helpful person and i think WTF is appropriate
    in times of frustration as other choice words; not all the time but just peaked expresssions but when used all the time it is very un classy!

    thanks for your guy's help i like you sprkymrk and mr omni
    sorry for doing things that frustrate you as well but i mean well
    i always like to try to post my results so others in this tech forum
    get a review to help them...

    but next week i will post these results in here what we find; it might be the follow week; cause we might have to call Microsoft (dont like that)
    but i think i might be right on the server being too wimpy!

    will let you guys /gals knw what happens to get some closer

    again sorry if i took offense but you were right; i do have someone who
    holds me back from really fixing things!
    just dont mention me! ;)

    see you soon..
    and you can take my posts out that are rude.
    whatever it takes to keep the peace and keep us kicking but in IT
    that would makeme happy

    see you mates!

    icon_redface.gif
  • itdaddyitdaddy Member Posts: 2,089 ■■■■□□□□□□
    If you don't believe me go back to your other threads on this very same issue and read all the replies and suggestions I made.

    very true dat! you were helping; i just havent had time to reply;
    i was waiting for replies and then i was coming back; i saw no answers
    in some threads so i thought i would try others to see if anyone in there could shed some light...i forgot about other threads things nonone could answer me. so i went on to other chat/forum rooms to see if anyone in there knew!?

    and then once I found out i would write the solutions to help others.
    sometimes i get tied up and forget things but i try not too.
    and i was very stressed when i read you note to me!

    sorry for the hassle!

    (my spelling does suck; i use forum chatting concept)
    hahaha

    thanks guys
    and thanks again sprkymrk

    i do appreicate you and your help

    i will try to watch the wild threads!

    thanks! icon_confused.gif
  • itdaddyitdaddy Member Posts: 2,089 ■■■■□□□□□□
    hey guys
    i went to work today to see if my first theory worked
    well noone using the network and Apply Computer Settings
    came up? hummmm

    process of elimination...

    situation:

    slow network Applying computer settings.
    have had to reboot certain servers to get the network going again (DNS/DC) servers humm
    then we find mixed users in groups that shouldnt be?
    all network test prove postive(netdiag, dcdiag according to MCSE guidance)
    once we had to rebooot all network routers cause they haulted for some reason but only happened once since i have been here of 2 years
    AV symatec show no outbreak of virus, worm or trojan!

    I would like to fix or prove that AD/GPO are corrupt and maybe repair
    or rebuild (but in an easy way hee ehhee)

    i wish there was a database tool i could use to repair AD/GPO database?
    do you guys/gurus know of any.

    kind of like the one used for Mxchange Server (ex ESEUTIL with switches)



    gerrrrr
    i still think server 1 has isssues it locks up randomly say every 7 days
    or every 20 days or every 25 days
    we try to reboot servers every 21 days some sooner depending on their
    behaviors and what they need to keep operating well..
    but i do not like server 1 it has issues..be nice to eliminate it and get a new one but kind of difficult

    thanks see younext week; i am out of tools and guesses; see what MCSE
    tech say over the phone...should be interested cant wait to learn more..
  • blargoeblargoe Member Posts: 4,174 ■■■■■■■■■□
    At this point, I think you'd be better off to just call Microsoft.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • itdaddyitdaddy Member Posts: 2,089 ■■■■□□□□□□
    i agree...thanks...will let you all know what is up when we find out

    thanks to you all for your support.

    hope what we find will help you all if you ever come across this

    i will let you know what Microsoft does to prove whatever they find out
    and list the proofs here and results.

    see you soon.

    might be next monday i write the report on this cause i will have it by then
    thanks again!
  • itdaddyitdaddy Member Posts: 2,089 ■■■■□□□□□□
  • blargoeblargoe Member Posts: 4,174 ■■■■■■■■■□
    ???
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • itdaddyitdaddy Member Posts: 2,089 ■■■■□□□□□□
    I AM A SPACE CADETTE
    SORRY SO LONG ON THIS

    this is what we and MCSE dude from MS$$ discovered
    a policy was trying to apply and it was allowing all domain
    PCs to let everyone have full access to their C$ drives so anyone can
    do anything to each others PC; i think it was a hack myselfl
    and well it would not apply and failed causing the Apply Computer setting to take 6 minutes per PC then failover.

    that is what happend after all this freaking diagnosis
    it was hard even for cert ccnp and mcse dudes
    but we got it
    ;D icon_lol.gif
Sign In or Register to comment.