I like the idea... Don't delete it unless you really don't want it anymore. :o)
I take NTBACKUP systemstate dumps and hope I never have to use them. Once I get my virtual server DR solution up and running I don't expect I will have to.

joe

-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, March 04, 2004 7:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [ActiveDir Digest]

If I could correct one thing Neil.....

> 1. Deleted objects can be re-animated from another DC which has yet to
> receive the deletion event, perhaps because that DC is in a site which
> only replicates with its partner sites at certain times of the day.

That's not a reanimation. This would be marking them as authoritative such that the USNs are bumped up and they replicate out over the deletion of the object. I make the distinction because you can reanimate a tombstone in w2k03 using tombstone reanimation (new API available). Just wanted to keep it clear.

There are some issues with this approach that make it tricky sometimes, but if you have it set up well and catch it quick enough, simply marking the objects as authoritative can do it. Further, you may need to mark other things as authoritative too (I'll leave the definition of "other things" to the reader as it is tricky to try and define in one paragraph).

This is, at best, a non-trivial problem. There are a few issues that haven't been mentioned here:
1) Group membership across the NC boundary
2) DN references both intra- and inter-domain.

If I could mention the obvious: the best way to back up your DC is to....take a backup. For some reason no one has mentioned good 'ol ntbackup. It gets the job done. To auth restore an object, sure you need to system state restore a box, but you're restoring to itself so (hopefully) that isn't too painful.

One other thing not mentioned: what are you recovering from.
If you lose a dc and it is the only one, sure you need to restore it. If you lose a dc and you have others, I would say it is best to perform a metadata cleanup and re-promote the machine. That will be far easier more often than not if it is an option.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, March 04, 2004 3:36 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] [ActiveDir Digest]

This question can be answered in a number of ways, depending upon the nature of the issue that one is trying to mitigate against.

1. Deleted objects can be re-animated from another DC which has yet to receive the deletion event, perhaps because that DC is in a site which only replicates with its partner sites at certain times of the day.

2. Failed DC hardware can be mitigated against by simply deploying more than one DC. Obviously, if a site has only one DC and it fails, then all requests will go to the 'nearest' site DC/GC, as per the defined site topology.

3. Disaster recovery on the other hand, is a different matter. If the AD has to be rebuilt from scratch due to a corrupt Schema for example, then one needs to build new DCs and restore AD from backup tape etc etc. MS have published a paper detailing how this may be done, but the process will need to be tailored to meet the needs and demands of your own business.

This is a huge issue and I'm sure there are more scenarios which I've missed, that others can shed light on. [The paper which Guido mentions, being one such additional source.]

I hope this is of some use,

Neil Ruston (MCSE, MVP (Active Directory))

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 04 March 2004 04:07
Subject: [ActiveDir Digest]

---------------------------------------------------------
From: "GRILLENMEIER,GUIDO (HP-Germany,ex1)" <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] Protecting Active Directory
Date: Wed, 3 Mar 2004 09:00:56 +0100
Reply-To: [EMAIL PROTECTED]

will only be good for restoring the DC hardware, but depending on your setup won't be sufficient to fully recover accidentally deleted objects.

I've worked with Aelita on this whitepaper to discuss the potential issues:
http://www.aelita.com/library/whitepapers/10_Things_to_Know_about_Active_Directory_Recovery.pdf

/Guido

_____

From: joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 3 March 2004 02:11
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Protecting Active Directory

1. Multiple DCs in disparate locations.

2. Virtual DC for each domain that is shut down nightly and the disk file for each is copied to some other location.

-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

_____

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios Toronto
Sent: Tuesday, March 02, 2004 3:49 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Protecting Active Directory
Importance: High

What is the best way to backup your domain controller so you can restore it in a disaster situation.

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/