Too Many Trusts

At a customer site they had not loaded SQL 2005 on the server, so I said that I would do it as part of the install. However, when it got to “Installing Local Groups” it just seemed to freeze. I tried a few different accounts and the same thing happened. And when cancelled it was taking forever, so I ended up rebooting before doing another install. A quick search showed that others had the same problem but when left it finished. I eventually found a KB article (910070) that explained that the setup program was trying to do lookups and the time taken increases dramatically. This organisation had over 70 external trusts. This KB mentions a hotfix that you can request, but then you have to slipstream it. There is another KB (818024) that mentions a registry setting to help when there are too many external trusts.

As time was limited I took the easy option of disconnecting the network! This meant having to do the install in a noisy computer room instead of remotely. Even then, as we were using a domain user for the service account, we had to re-enable the NIC for that lookup and then switch it off again when it “froze”. Once the NIC was disabled it quickly bypassed the “Installing Local Groups”. It was fiddly as we had to do it three times during the install, but better than waiting for it to do its checking. Weird setup program.

This problem reared its head again as the AD MP has a script to check trusts. This runs every 5 minutes with a timeout of 120 seconds. So we were seeing a number of script errors from the DCs. As a recommendation I change the script errors from warning to information (and did so on 2005 as well). A script that has a one-off failure is not important, as it could be that the server was busy. Only if the repeat count goes up is it important. Well, these repeat counts were going up – every 5 mins, and it was the trust script timing out.

The nice thing about 2007 is that it runs standard cscript. And from the alert you can see what the script is and the directory where the script is located. Just navigate to that directory, drop to a command prompt (I always recommend using Cmdhere from the resource kit), run the script as per the alert (with parameters as shown) and see what happens. In this case the script did finish but it took a while. A quick search for the monitor running the script and I created an override that increased the timeout to what we had seen. I also had to increase the interval at which the script is run from 5 to 20 minutes. But as the customer said, as they had not had a tool to monitor the trusts before, even doing it once a day would be a big improvement.

I suspect most of you will not encounter that many external trusts, but if you do, you now know the answer.
