Diisappearing OU

  • Thread starter Thread starter Marf
  • Start date Start date
M

Marf

Two days ago an OU with 5000 workstaion object just
disappeared from AD. The party line we heard is that this
is common and can happen any time. Did anybody heared or
seen something like this.?My undestanding you have to dlet
an item for it to disappear.

Thanks For your help..
 
Marf said:
Two days ago an OU with 5000 workstaion object just
disappeared from AD. The party line we heard is that this
is common and can happen any time.
Click to expand...

"that you heard", From WHO? Who's party? Who's line is this anyway? <grin>

This is NOT normal -- it probably never "just happens" -- were this the
case,
Microsoft and other large companies could not use AD for their world wide
domains. Even small companies would go nuts if this were the case.

Somebody deleted (or move) it, accidentiall or on purpose or through some
manipulation of the AD and now is likely trying to cover up the mistake.

Did you look in "Lost and Found"? (View\Advanced if you don't see "Lost and
Found" at the top level of the Domain tree in AD Users/Computers.)

Have you searched for it? (In case someone "MOVED" it to another subOU
area?

Do the accounts still exist? (Can those folks still logon?)

Last resort AFTER you look for it is to do an authoritative restore (restore
subtree) from you backups.

(Anyone with 5000 workstation accounts obviously HAS a backup tape etc.)
Did anybody heared or
seen something like this.?My undestanding you have to dlet
an item for it to disappear.
Click to expand...

No.
 
It is time to turn up auditing, this does not just happen.
With that said, it happened to your environment.
Obviously someone isn't confessing to their sins.

Here is an idea, to cover yourself in the future take two machines
workstation class.
Install and dcpromo these guys.
Next move them into seperate sites as shown below..
Core Hub ----(7day repl intervals)---Latent Site 1 -----(7day repl
intervals)-----Latent Site 2

when the mysterious phantom strikes again, and they will (Not the system)
you can go to the latent site and reboot into DS Restore and perform an
Authoritative restore by incrementing the USN's by 1000 to 2000 on all those
mysteriously disappearing objects.

Next, look for a tool called tombstone or something similiar. dump the
deleted (Tombstoned objects). bet you find 5000 plus objects that were
"Deleted".

Finally, offer to update someones resume for them, once you find the
culpirit.

Jeremy
 
He just posted and disappeared -- I didn't see your response until
today either.

--
Herb Martin
Jeremy said:
It is time to turn up auditing, this does not just happen.
With that said, it happened to your environment.
Obviously someone isn't confessing to their sins.

Here is an idea, to cover yourself in the future take two machines
workstation class.
Install and dcpromo these guys.
Next move them into seperate sites as shown below..
Core Hub ----(7day repl intervals)---Latent Site 1 -----(7day repl
intervals)-----Latent Site 2

when the mysterious phantom strikes again, and they will (Not the system)
you can go to the latent site and reboot into DS Restore and perform an
Authoritative restore by incrementing the USN's by 1000 to 2000 on all those
mysteriously disappearing objects.

Next, look for a tool called tombstone or something similiar. dump the
deleted (Tombstoned objects). bet you find 5000 plus objects that were
"Deleted".

Finally, offer to update someones resume for them, once you find the
culpirit.

Jeremy
Click to expand...
 
Back
Top