Darren, thanks for the very informative post reply.

You seem only to confirm my view that what should be a relatively simple task
is not so. Although I am happy to see this complexity reduced with GPMC, it does
nothing to dispel my opinion that Microsoft seem incapable of delivering
finished products!

Thanks again

GT
----- Original Message -----
From: "Darren Mar-Elia" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, August 17, 2003 9:30 PM
Subject: RE: [ActiveDir] authoritative GPO restore


Graham-
You're absolutely right about the dependencies between the AD and SYSVOL
portions of a GPO. As you probably have noticed, the AD portion is
stored in the Domain NC under SYSTEM\POLICIES\<GUID OF GPO> and the
SYSVOL part is in SYSVOL\POLICIES\<GUID OF GPO>. The AD portion,
formerly called the Group Policy Container (GPC) (until MS released the
GPMC and decided they didn't like any of the old names for stuff (!)),
contains attributes that reference the SYSVOL path, the version of the
GPO and some other stuff. If for example, you have used software
installation policy to deploy applications via GPO, then the GPC
contains a set of AD objects known as the Class Store, which contains
packageRegistration objects for each app deployed. These objects
reference application advertisement script (.aas) files stored in the
SYSVOL portion of the GPO (aka the Group Policy Container or GPT).

In terms of disaster recovery of an individual GPO, you're correct that
authoritative restore isn't very flexible. Your steps below seem
reasonable although I haven't used that mechanism to restore a single
GPO before. Frankly, I think you're better off using Microsoft's free
GPMC tool to do backup/restore of individual GPOs. It's easy to use,
scriptable and restores individual GPOs with their original GUID intact.
This is a lot more flexible than authoritative restore or any other
mechanism that has to try and extract portions of a single GPO from
backups of system state.

Darren



-----Original Message-----
From: Graham Turner [mailto:[EMAIL PROTECTED]
Sent: Sunday, August 17, 2003 11:42 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] authoritative GPO restore


was hoping to get a bit more detail on the procedure of restore of a GPO
and specifically the inter-dependencies of the sysvol folder data and AD
data

it would seem, say in the scenario of an inadvertently modified /
deleted GPO (and which has been replicated throughout the domain) that
it is not simply a matter of restore of the sysvol data, and that indeed
it is required to go through a sequence along the lines of;

boot into DS restore mode;
restore system state to its original location
restore system state to alternative location

authoritatively restore the entire database (didn't understand this - i
would have thought at most the object with the GUID of the GPO using
restore subtree ?)

restart the DC in normal mode and wait for the sysvol to mount

then a copy of what looks to be like the folder of sysvol / policies
with the GUID of the GPO from the alternative location

have derived the above from the various papers on disaster recovery et
al.

hoping people can put any of the above right, especially with notes on
the various interdependencies of the directory objects / file system
contents relating to GPO


List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
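
Added example, not part of the original thread: the messages above describe the AD portion of a GPO as holding the SYSVOL path and the GPO version, so one check after any restore is to compare the version on each AD object with the one in the matching SYSVOL folder's GPT.INI. It assumes the ActiveDirectory PowerShell module and read access to SYSVOL; the output property names are chosen here for illustration.

```powershell
# Added example: report GPOs whose AD object and SYSVOL folder disagree on version.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined host.
Import-Module ActiveDirectory

$domainDn   = (Get-ADDomain).DistinguishedName
$policiesDn = "CN=Policies,CN=System,$domainDn"

Get-ADObject -SearchBase $policiesDn -SearchScope OneLevel `
    -LDAPFilter '(objectClass=groupPolicyContainer)' `
    -Properties displayName, versionNumber, gPCFileSysPath |
ForEach-Object {
    # gPCFileSysPath is the attribute that points at the SYSVOL part of the GPO.
    $gptIni     = Join-Path $_.gPCFileSysPath 'GPT.INI'
    $gptVersion = $null

    if (Test-Path -LiteralPath $gptIni) {
        $match = Select-String -LiteralPath $gptIni `
                    -Pattern '^\s*Version\s*=\s*(\d+)' |
                 Select-Object -First 1
        if ($match) {
            $gptVersion = [int64]$match.Matches[0].Groups[1].Value
        }
    }

    # Hypothetical output shape; property names are not from any Microsoft tool.
    [pscustomobject]@{
        DisplayName   = $_.displayName
        Guid          = $_.Name
        AdVersion     = [int64]$_.versionNumber
        SysvolVersion = $gptVersion
        SysvolPresent = ($null -ne $gptVersion)
        InSync        = ($null -ne $gptVersion -and
                         $gptVersion -eq [int64]$_.versionNumber)
    }
} | Where-Object { -not $_.InSync } | Format-Table -AutoSize
```

An empty result means every GPO's AD object and SYSVOL folder agree on the version number; a row with `SysvolPresent` false means the AD object exists but its SYSVOL folder or GPT.INI is missing on the server that answered.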