Excellent post.
I just wanted to jump in and reemphasize that
point.
Restoring a single domain of a forest in an isolated
environment and expecting it to work is unrealistic. I agree with Guido in that
you never should have been given admin rights into a domain of someone else's
forest. You should have had OU privileges or just had your own forest entirely.
-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Thursday, March 25, 2004 2:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

>>AD is supposed to be an enterprise directory where most enterprises span the globe and have multiple sister corps or corps they've merged with or acquired. These corps have their own domains and IT depts.<<
That's not how AD is supposed to be; that's merely how you'd like to use it. Not necessarily the same. I agree that some companies may implement it this way, especially in the early days of AD, but not after they understood that not the domain, but the forest, is the security boundary.

If you have no good working relationship with your mother corp and they're not really too fond of you either, they should never have offered you your own domain. You would have been a perfect candidate for a separate forest. However, if they still wanted to fully integrate you into their forest without trusting you to perform service-level operations (i.e. tasks that require domain admin privileges), they would merely have needed to grant you management of one or a few OUs.

Whether you like it or not, recovery of AD, in the case of the disaster you describe or in other disasters that go more towards deletion of objects, is a forest-level task that usually requires enterprise admin privileges. I am not saying that I don't think it would be nice if this weren't the case, but once you learn to treat a domain as an integral part of a forest that should not be managed by a separate team of administrators, it doesn't make a difference.
/Guido

From: Kern, Tom [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Thursday, 25 March 2004 18:56
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

Going to AD was something decided by the higher-ups to merge my corp and our sister corp into a seamless whole. The sister corp already had AD in place and they own the root. Our IT depts. don't exactly communicate or relate to each other very well :)

I'm sure it's like that in a lot of places. Before coming here, I was in a NetWare 6.0 environment and feel that directory is much more mature in terms of configurability and satisfying all the business needs that AD does.

I exaggerated when I said I would move from AD to NDS.

It's just that when my corp wants to do DR testing for our domain and we go away to the DR site and want to recreate most of our infrastructure from backup, etc., it's frustrating to have to go to our sister corp IT dept and ask them for the Domain Admin or Enterprise Admin password or a copy of their root role-holding master DC on a laptop or VMware just to practice recovery of our domain and Exchange 2K.

It seems MS made it so you can't recover a child domain without connectivity to the root. That kinda stinks.

I can understand losing some functionality but still being up and running. However, to make it impossible to get up at all without the root FSMO DC is, I think, something that needs to be addressed.

In MS's mind, all their DR whitepapers assume you either lost a DC or two and want to recover them, OR you lost the entire forest. They really don't address losing a child domain.

AD is supposed to be an enterprise directory where most enterprises span the globe and have multiple sister corps or corps they've merged with or acquired. These corps have their own domains and IT depts. If one corp goes down, in MS's implementation, this corp has to get in touch with the IT dept of the root, be allowed high access to the forest, OR have someone from that other IT dept free enough to come down for security reasons and log in himself as Enterprise Admin. Also, some physical connectivity is implied...

All in the middle of a disaster, OR just to test and practice for said disaster.

That's asking for a lot of any large company.

MS should know how unrealistic this is more than anyone.

My pointless two cents.

Thanks for reading and replying before.
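The dependency Tom and Guido are discussing, a child domain whose recovery needs role holders that live in the forest root, is something worth inventorying before a DR exercise rather than discovering during one. The following PowerShell script is an added example written for this thread, not code posted by any of the participants; it assumes the RSAT ActiveDirectory module and a domain-joined account that can read the directory, and it lists every FSMO role this domain depends on and flags the ones held by a DC in another domain of the forest.

```powershell
# Added example (not from the thread): inventory the FSMO role holders a domain
# depends on, and flag the ones that live in another domain of the forest.
# Assumption: RSAT ActiveDirectory module is installed and the caller can read
# the directory. Run this during DR planning, while the forest is reachable.
Import-Module ActiveDirectory

$forest = Get-ADForest   # forest of the current user/computer
$domain = Get-ADDomain   # domain of the current user/computer

# Forest-wide roles: held by exactly one DC in the entire forest, usually in the root.
$forestRoles = @{
    'SchemaMaster'       = $forest.SchemaMaster
    'DomainNamingMaster' = $forest.DomainNamingMaster
}

# Domain-wide roles: held by DCs in this domain.
$domainRoles = @{
    'PDCEmulator'          = $domain.PDCEmulator
    'RIDMaster'            = $domain.RIDMaster
    'InfrastructureMaster' = $domain.InfrastructureMaster
}

# Resolve each role holder to the domain it belongs to.
$report = foreach ($role in ($forestRoles + $domainRoles).GetEnumerator()) {
    $dc = Get-ADDomainController -Identity $role.Value
    [pscustomobject]@{
        Role             = $role.Key
        Holder           = $role.Value
        HolderDomain     = $dc.Domain
        OutsideOurDomain = ($dc.Domain -ne $domain.DNSRoot)
    }
}

$report | Sort-Object OutsideOurDomain -Descending | Format-Table -AutoSize

# Anything flagged here will be absent from an isolated restore of this domain alone.
$external = @($report | Where-Object OutsideOurDomain)
if ($external.Count -gt 0) {
    Write-Warning ("{0} role holder(s) live outside {1} (forest root is {2}): {3}" -f
        $external.Count, $domain.DNSRoot, $forest.RootDomain, ($external.Role -join ', '))
}
```

The output is a checklist for the DR runbook: the flagged rows are the roles (and, by extension, the trust and replication partners) that a restore of this domain alone will not contain, so the runbook must state up front who in the root domain's team is involved and how they are reached. The script reads only; it does not seize or transfer any role.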