How to prove AD and GPO are corrupt

Hey guys

I know this is a stupid question..but how can I prove
through testing and log files that AD and GPO is corrupt?

is there a tool i can use on client and server to prove AD and GPO is corrupt?

thanks

Find more posts tagged with

Comments

eurotrash

Try the event viewer.

Anyways, is it in fact corrupt? How do you know? Can you use that to prove it?

sprkymrk

If you are running MOM 2005 you can install the Active Directory Management Pack which will monitor AD for health and "normal" behavior (whatever normal is).

Here is a check list for monitoring AD, any hiccups that appear will most likely be the result of a mis-configuration, which is much more common than a corruption problem anyway.

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd02.mspx

itdaddy

what has happended is we have been getting slow logons.
with Applying Comuter Settings.. and we have had network slowness.
and we have had AD security violations in the form of
users were in Groups that should not be some user were users
that were in DOmain Admin groups no seeming patttern just some crossing of users in Groups they should not be in! and both admins have never put them in those grooups and combined with slow logons
with GPO just thought i could test AD database?? tool
thanks

sprkymrk

itdaddy:

No offence, and just my opinion here, but based on your other posts about this problem I would venture a small guess and say......

Maybe you have an admin that does not know what he is doing.

I base this on some of the seemingly poor decisions that were made regarding DNS when all your problems started, then the unwillingness (on your part or theirs I do not know) to undo those changes to see if the problems disappear. Others have advised you several times to run netdiag to verify basic network settings and we have not heard whether that was done, or if it was done we have not been made aware of the results. In addition, users don't just magically appear in the domain admins group, corrupt AD or not.

I would not dare to venture a guess now as to what the problem could be except the possibility of an incompetent admin.

xevious

check eventlogs, run DCDIAG, and review DNS on the DCs.

Not sure if you have multiple sites, but make sure you have IP subnets for the sites defined properly. i.e. AD Sites and Services.

You can also run a SET command and see if the logonserver is correct on PCs that are slow to login.

Hope this helps.

itdaddy

Hey sprkymrk

(if i was in charge, sure i would change the DNS config the way i want! duh!) buut I an not in charge!...but i have some ideas and give my theories and we shall see!)

wow! what a nice fella you are. i have been away working with MCSEs! on this issue....I even had to show them how to enable debug tools like

userenv.log and netlogon.log

and I have used netdiag and dcdiag your simple network test tools!

It is a very strang problem...as far as incompetent....not really...
sorry I didnt get back in time to satisfy you!

but thank you to others for you replies.....

All tests have proved to be PASSED!

The merging of incorrect users in certain groups is not a part of my
incompetence.....I would never merge computers and users in Admin groups and mix OU (objects)in groups that should not be...

sharp I am, incompetent I am not...I am only working my way up..
and I work with guys that are MCSE and I can hang pretty good.

I understan DFS and how to set it up and other MCSE topics from not
having studied to much yet! but I am getting there..

but your input sucks!

One day I willl be a moderator of some cool tech site! and
well I will think of better vocabulary words that you can muster up.

but thanks for the working me up...it feels goood.... I will post my findings when we find it out...I try...sometimes I may not be able to reply right away cause I am very busy..and If i forget to answer someone.

Please just remind me it is not my intention to screw you guys and gals over you guys and gals are my peers and mentors...and i appreciate you and this forum...get a life! i am here to help where i can not knock down!
bring it on MCSE!!!!!!!!!

itdaddy!

itdaddy

xevious

the funny things is i have tried all the Microsoft test,
dcdiag, netdiag
event viewer
dns
logonserver check
nltest /dsgetdc:domain.com test
CNAME (SRV) records read correctly
yes, we have 4 sites and they list correctly in DNS
userenv.log
netlogon.log

these tools and test are showing lags in time which corrupt transport
of GPO to clients... more so than 2kpro machines..they are seemingly unaffected....

i have seen many similar google searches, and i have seen useren.log
and they seem to show GPO not being applied as well and in the netlogon.log.seems that XP times out(not because of trust being establish)
just times out and then logs on computer using netbios/tcp ip..
from a novice point of view and the MCSE says he sees the same thing
but all tests seem to be PASSED state..

i do have a theory that I am testing out....MR Sprky!

I am trying to change some DNS settings on the DNS servers ( going on a limb!... I wrote all the tcp/ip settings and DNS settings of all systems out
prior and after we added a call recording system to our network band
voip system. and well we shall see nest week.i will keep you techies
posted on my results! this MCSE who works on our stuff (vendor)
says we might have to call Microsoft...but I hope to have it solved Next week...

My theory is basic but I think our main DNS server is over worked!
a performance issue. I am reconfig DNS on servers and some clients to to take some load off this server. our servers at each site
are

print
dns
dc
file server

all rolled in one and the main Server1 is I think overloaded...and cannot handle the payload...which causes network latency which in turn causes
GPOs not being applied and corrupt and poor AD replication as well.

just my theory after all things looks at!

we shall see
see you next week men and women of IT..

love it!

itdaddy

In addition, users don't just magically appear in the domain admins group, corrupt AD or not.

no duh! but how do you know....what corruption may cause
i have seen some weird things with corrup things.

and isnt AD a database!?

itdaddy

okay sprky,

Thanks for the MOM article...i have been working my A$$ on this issue..
and sorry if i didnt mention what i did...too tired and been very busy
with my son moving here and all that being a new dad and all
but if you were not meaning me being incompetent then sorry for venting and attacking you a bit..but if you were attcking me, i meant what i said!

non of us dont have a clue; we have caught no viruses on these machines or servers that could indicate anything.and all the tests we did
PASSED but the only way to check for performance is what?
to do bench mark tests and isolate servers and quantify usage.which i plan on doing some how!

but the last thing i need is to be accused of being incompetent.

see you soon and will report my finding.
I do appreciate all you input and reply to my issues..you guys and gals are great! and if you ever need anything all you do is have to ask me.

I can be absent minded but never uncaring or (not being a team player)
that is why we are all here to be a team! an IT team!

sharing ideas which makes us stronger!

cao!

eurotrash

itdaddy wrote:

One day I willl be a moderator of some cool tech site! and
well I will think of better vocabulary words that you can muster up.

Before criticizing another's vocabulary, you might want to work on your own (and spelling (seriously), sentence structure, etc).

sprkymrk

itdaddy:

Your rants are almost not worth replying to, but in case webmaster decides to delete your posts I want to make a quick reply. I was not referring to you as incompetent - only negligent in posting results or findings of your other 3 threads on this very same topic. You keep posting follow-ups in new threads that are actually the same issue - there is no way to have any continuity on trouble shooting the problem when:

a - You post the same problem in different threads but described somewhat differently.

b - You have time to continually post questions related to the problem, but not results of the suggestions you are given.

The incompetence comments were for the admins above you, because in your other posts you kept stating that "they" did this and "they" did that. When we suggested undoing the changes you indicated it was not your job and someone else did not want to undo the changes.

itdaddy wrote:

and yes, I am controlled by
higher ups in IT who should never be in IT..they are dataprocessers
i am an IT guy

Notice the wording I used:

sprkymrk wrote:

Maybe you have an admin that does not know what he is doing.

I said "have", not "are".

As far as choosing my wording, I call them like I see them. Incompetence is not a bad word, it has a meaning. Your wording (like "sucks", "get a life", "duh" and one your favorites "wtf" though fortunately you did not use it in this thread) must be better examples I suppose. Believe it or not I was trying to help. If you don't believe me go back to your other threads on this very same issue and read all the replies and suggestions I made.

Maybe you were tired and had a bad day when you read my reply, and I can see how my post could have offended you. For that I do apologize. Any way, I do hope you can figure out the problem. Good luck.

itdaddy

i did take offense cause i thought you were leaning that way
or implying and MR omni...he wasnt attacking you..and my spelling does suck
when you are typing fast and torked off and writing in a forum

i wrote in other threads to maybe get some concentration on the issue at hand; knowingthat it would you all would see it and maybe some new people who are concentrating on the issue; thought i would get abetter response in other threads in other areas maybe....

but sorry for sounding like a di$k i dont like to be that way just under alot of pressure lately; i am nice helpful person and i think WTF is appropriate
in times of frustration as other choice words; not all the time but just peaked expresssions but when used all the time it is very un classy!

thanks for your guy's help i like you sprkymrk and mr omni
sorry for doing things that frustrate you as well but i mean well
i always like to try to post my results so others in this tech forum
get a review to help them...

but next week i will post these results in here what we find; it might be the follow week; cause we might have to call Microsoft (dont like that)
but i think i might be right on the server being too wimpy!

will let you guys /gals knw what happens to get some closer

again sorry if i took offense but you were right; i do have someone who
holds me back from really fixing things!
just dont mention me!

see you soon..
and you can take my posts out that are rude.
whatever it takes to keep the peace and keep us kicking but in IT
that would makeme happy

see you mates!

itdaddy

If you don't believe me go back to your other threads on this very same issue and read all the replies and suggestions I made.

very true dat! you were helping; i just havent had time to reply;
i was waiting for replies and then i was coming back; i saw no answers
in some threads so i thought i would try others to see if anyone in there could shed some light...i forgot about other threads things nonone could answer me. so i went on to other chat/forum rooms to see if anyone in there knew!?

and then once I found out i would write the solutions to help others.
sometimes i get tied up and forget things but i try not too.
and i was very stressed when i read you note to me!

sorry for the hassle!

(my spelling does suck; i use forum chatting concept)
hahaha

thanks guys
and thanks again sprkymrk

i do appreicate you and your help

i will try to watch the wild threads!

thanks!

itdaddy

hey guys
i went to work today to see if my first theory worked
well noone using the network and Apply Computer Settings
came up? hummmm

process of elimination...

situation:

slow network Applying computer settings.
have had to reboot certain servers to get the network going again (DNS/DC) servers humm
then we find mixed users in groups that shouldnt be?
all network test prove postive(netdiag, dcdiag according to MCSE guidance)
once we had to rebooot all network routers cause they haulted for some reason but only happened once since i have been here of 2 years
AV symatec show no outbreak of virus, worm or trojan!

I would like to fix or prove that AD/GPO are corrupt and maybe repair
or rebuild (but in an easy way hee ehhee)

i wish there was a database tool i could use to repair AD/GPO database?
do you guys/gurus know of any.

kind of like the one used for Mxchange Server (ex ESEUTIL with switches)

gerrrrr
i still think server 1 has isssues it locks up randomly say every 7 days
or every 20 days or every 25 days
we try to reboot servers every 21 days some sooner depending on their
behaviors and what they need to keep operating well..
but i do not like server 1 it has issues..be nice to eliminate it and get a new one but kind of difficult

thanks see younext week; i am out of tools and guesses; see what MCSE
tech say over the phone...should be interested cant wait to learn more..

blargoe

At this point, I think you'd be better off to just call Microsoft.

itdaddy

i agree...thanks...will let you all know what is up when we find out

thanks to you all for your support.

hope what we find will help you all if you ever come across this

i will let you know what Microsoft does to prove whatever they find out
and list the proofs here and results.

see you soon.

might be next monday i write the report on this cause i will have it by then
thanks again!

itdaddy

blargoe

???

itdaddy

I AM A SPACE CADETTE
SORRY SO LONG ON THIS

this is what we and MCSE dude from MS$$ discovered
a policy was trying to apply and it was allowing all domain
PCs to let everyone have full access to their C$ drives so anyone can
do anything to each others PC; i think it was a hack myselfl
and well it would not apply and failed causing the Apply Computer setting to take 6 minutes per PC then failover.

that is what happend after all this freaking diagnosis
it was hard even for cert ccnp and mcse dudes
but we got it
;D