Unfortunately no, no way to test in an isolated way like that without
bringing at least the root with you and probably any other domains.
 
I guess you need to find out how important this is. If it is truly critical
to know this will work in a disaster you need to do one of two things.
 
1. Get the folks with the Enterprise keys involved and do overall testing of
the whole solution.
2. Build your own forest and migrate to it and then set up trusts to the
other forest/domains that are needed.
 
I'm thinking honestly that the second answer is probably the right one
UNLESS the company is trying to collapse to a single IT group in which the
first option would be feasible. 
 
  joe
 
-------------
http://www.joeware.net  (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 
 

  _____  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Saturday, March 27, 2004 7:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery


Guido and Joe,
 
First of all, thank you for all your advice and help.
 
You guys are absolutely right, we should have never gotten a domain if they
didn't trust us with Enterprise Admin rights over the forest. I assume they
can't shake the Win NT view of domains yet.
However this was a management issue and decision. I just inherited all the
problems and fallout of said issue. I suppose it was a technological
solution to a political problem.
Now I was just trying to figure out if there was any hack to restore a
child domain without root connectivity.
In a real disaster, I'm sure common sense would prevail over politics and we
would all work together, kinda like I imagined IT to be when I first got
into it. Innocent boy that I was....
 
In the interim I thought there might be some way to test a recovery without
the root.
Some reg key or DNS record to copy over...
 
I guess not.
 
Thank you both again for your help.

-----Original Message----- 
From: joe [mailto:[EMAIL PROTECTED] 
Sent: Sat 3/27/2004 5:33 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] disaster recovery


Excellent post.
 
I just wanted to jump in and reemphasize that point.
 
Restoring a single domain of a forest in an isolated environment and
expecting it to work is unrealistic. I agree with Guido in that you never
should have been given admin rights into a domain of someone else's forest.
You should have had OU privileges or just had your own forest entirely. 
 
 
 
 
 

  _____  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Thursday, March 25, 2004 2:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery


>>AD is supposed to be an enterprise directory where most enterprises span
the globe and have multiple sister corps or corps they've merged with or
acquired. These corps have their own domains and IT depts.<<
 
That's not how AD is supposed to be - that's merely how you'd like to use
it.  Not necessarily the same.  I agree that some companies may implement it
this way, especially in the early days of AD, but not after they understood
that not the domain, but the forest is the security boundary.
 
If you have no good working relationship with your mother corp and they're
not really too fond of you either, they should have never offered you your
own domain. You would have been a perfect candidate for a separate forest.
However, if they still wanted to fully integrate you into their forest
without trusting you to perform service-level operations (i.e. tasks that
require domain admin privileges), they would merely have needed to grant
you management of one or a few OUs.
 
Whether you like it or not, recovery of AD - in case of the disaster you
describe, or in other disasters that go more towards deletion of objects -
is a forest-level task that usually requires Enterprise Admin privileges.
I am not saying that I don't think it would be nice if this wasn't the
case, but once you learn to treat a domain as an integral part of a forest
that should not be managed by a separate team of administrators, it doesn't
make a difference.
 
/Guido
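The least-privilege alternative Guido describes (delegating one or a few OUs instead of handing a separate team its own domain), as an added example that is not part of the thread. It uses dsacls.exe from the Windows Support Tools; the OU path, the group name CORP\Subsidiary-OU-Admins and the object classes delegated are placeholders chosen for illustration, and both the OU and the group are assumed to exist already.

```powershell
# Added example (not from the thread): delegate day-to-day management of one OU
# tree to a subsidiary's admin group instead of giving them a domain.
# Assumptions: dsacls.exe is on the path, the OU and the group already exist,
# and the caller has permission to change the OU's security descriptor.
$ou    = 'OU=Subsidiary,DC=corp,DC=example'      # placeholder OU
$group = 'CORP\Subsidiary-OU-Admins'             # placeholder group
$classes = 'user', 'group', 'computer'           # object classes the team may manage

# 1. Let the group create and delete objects of those classes anywhere in the
#    OU tree (/I:T = this object and all sub-objects; CCDC = create/delete child).
foreach ($class in $classes) {
    dsacls $ou /I:T /G "${group}:CCDC;$class"
}

# 2. Let the group fully manage those objects once they exist. The ACE is
#    inherited only by sub-objects of the given class (/I:S), so the group gets
#    no rights on the OU itself, on sub-OUs, or on object classes not listed.
foreach ($class in $classes) {
    dsacls $ou /I:S /G "${group}:GA;;$class"
}

# 3. Let the group build out its own OU structure underneath.
dsacls $ou /I:T /G "${group}:CCDC;organizationalUnit"

# Review the resulting ACL; nothing here touches the domain or forest root,
# the schema, FSMO roles, or the Domain Admins / Enterprise Admins groups.
dsacls $ou
```

Everything the subsidiary team needs for user, group and computer administration is inside the OU; service-level work (FSMO roles, schema, recovery) stays with the forest owners, which is exactly the split the thread argues should have been used in the first place.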

  _____  

From: Kern, Tom [mailto:[EMAIL PROTECTED] On Behalf Of
Kern, Tom
Sent: Thursday, 25 March 2004 18:56
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery


Going to AD was something decided by the higher-ups to merge my corp and our
sister corp into a seamless whole. The sister corp already had AD in place
and they own the root. Our IT depts. don't exactly communicate or relate to
each other very well :)
I'm sure it's like that in a lot of places. Before coming here, I was in a
NetWare 6.0 environment and feel that directory is much more mature in terms
of configurability and satisfying all the business needs that AD does.
I exaggerated when I said I would move from AD to NDS.
It's just that when my corp wants to do DR testing for our domain and we go
away to the DR site and want to recreate most of our infrastructure from
backup, etc., it's frustrating to have to go to our sister corp IT dept. and
ask them for the Domain Admin or Enterprise Admin password or a copy of their
root role-holding master DC on a laptop or VMware just to practice recovery
of our domain and Exchange 2000.
It seems MS made it so you can't recover a child domain without connectivity
to the root. That kinda stinks.
I can understand losing some functionality but still being up and running.
However, to make it impossible to get up at all without the root FSMO DC is, I
think, something that needs to be addressed.
In MS's mind, all their DR whitepapers assume you either lost a DC or two and
want to recover them OR you lost the entire forest. They really don't
address losing a child domain.
AD is supposed to be an enterprise directory where most enterprises span the
globe and have multiple sister corps or corps they've merged with or
acquired. These corps have their own domains and IT depts. If one corp goes
down, in MS's implementation, this corp has to get in touch with the IT dept.
of the root, be allowed high access to the forest OR have someone from that
other IT dept. free enough to come down for security reasons and log in
himself as Enterprise Admin. Also some physical connectivity is implied...
All in the middle of a disaster OR just to test and practice for said
disaster.
That's asking for a lot of any large company.
MS should know how unrealistic this is more than anyone.
 
My pointless two cents.
Thanks for reading and replying before.

-----Original Message----- 
From: Mulnick, Al [mailto:[EMAIL PROTECTED] 
Sent: Thu 3/25/2004 10:20 AM 
To: '[EMAIL PROTECTED]' 
Cc: 
Subject: RE: [ActiveDir] disaster recovery


Just out of curiosity, why did you deploy a forest root structure?  Why
didn't you go with a single domain structure?
 
Otherwise, who manages the schema without the root?  Who manages the domain
naming master in your environment (both are at the root, right?)  Who
handles your time sync? Who holds the Enterprise Administrator permissions?
From:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/support/adrecov.mspx
 
"Important: Backup data from a DC can only be used to restore that DC. You
cannot use a backup of one DC to restore another. To have your environment
completely backed up, you would need to have a backup of every domain
controller. This should be kept in mind while developing your backup
strategy. The minimum requirement should be to backup all the OM role
holders and GCs. Also the first domain controller in the root domain should
always be backed up."
 
"Note: Because this procedure requires modifying the configuration naming
context, it requires Enterprise Administrator permissions."
 
 
 
Switching to something that works for you is certainly an understandable
path to take but only if you understand that product better AND it solves
your issues.  IT is not about technology for technology sake it's about
solving your business issues.  If you need something else to make that
happen, I'd be the first to tell you to go do it. 
 
This thread comes across as sticker shock as you go to do this.  This is
also why you want to practice this stuff all the time; that way you are not
surprised at 0200 when everything is down.
 
 Al
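The backup-set rule Al quotes (every operations-master role holder, every GC, plus the first DC in the forest root) turned into a script that lists which DCs that rule covers in a given forest. This is an added example and not part of the thread or of Microsoft's guidance; it assumes the RSAT ActiveDirectory PowerShell module (Server 2008 R2 and later, so not the Windows 2000/2003 environment discussed) and read access to every domain in the forest. Identifying the "first DC in the root domain" by the oldest computer object in the Domain Controllers OU is a heuristic of this example, not something the thread states.

```powershell
# Added example, not from the thread: enumerate the minimum set of DCs that the
# quoted guidance says must be backed up. Assumes the RSAT ActiveDirectory
# module and read access to every domain in the forest.
Import-Module ActiveDirectory

function Get-MinimumBackupSet {
    $reasons = @{}   # DC FQDN (lowercase) -> reasons it must be in the backup set
    $add = {
        param([string]$Dc, [string]$Reason)
        $key = $Dc.ToLower()
        if (-not $reasons.ContainsKey($key)) { $reasons[$key] = @() }
        $reasons[$key] += $Reason
    }

    $forest = Get-ADForest

    # Forest-wide roles always sit in the forest root domain.
    & $add $forest.SchemaMaster       'Schema master (forest root)'
    & $add $forest.DomainNamingMaster 'Domain naming master (forest root)'

    # Per-domain roles, child domains included.
    foreach ($name in $forest.Domains) {
        $domain = Get-ADDomain -Identity $name
        & $add $domain.PDCEmulator          "PDC emulator ($name)"
        & $add $domain.RIDMaster            "RID master ($name)"
        & $add $domain.InfrastructureMaster "Infrastructure master ($name)"
    }

    # Every global catalog in the forest.
    foreach ($gc in $forest.GlobalCatalogs) { & $add $gc 'Global catalog' }

    # "First DC in the root domain": assumption of this example - the oldest
    # computer object in the root domain's Domain Controllers OU. Verify it
    # against your build records before relying on it.
    $rootDn  = (Get-ADDomain -Identity $forest.RootDomain).DistinguishedName
    $firstDc = Get-ADComputer -Server $forest.RootDomain `
                   -SearchBase "OU=Domain Controllers,$rootDn" -Filter * `
                   -Properties whenCreated |
               Sort-Object whenCreated | Select-Object -First 1
    if ($firstDc) {
        & $add $firstDc.DNSHostName 'First DC promoted in the forest root (by whenCreated)'
    }

    $reasons.GetEnumerator() | Sort-Object Name | ForEach-Object {
        [pscustomobject]@{
            DomainController = $_.Name
            Reasons          = ($_.Value -join '; ')
        }
    }
}

Get-MinimumBackupSet | Format-Table -AutoSize -Wrap
```

Run it from a machine that can reach all domains and feed the output to whoever owns the backup schedule. Note what the list shows for the situation in the thread: the schema and domain naming masters, the root's role holders and usually most of the GCs are in the root domain, which is why a child domain's own backups are never a complete recovery set on their own.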

  _____  

From: Kern, Tom [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 24, 2004 5:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery


I don't need the schema or domain naming roles to restore my domain. I have
all the other roles.
Yet it still has issues with finding a GC or replicating within a domain.
Why?
 
This is a fundamental design flaw of AD. It boggles the mind. If in a real
disaster or even a test, MS expects you to have connectivity to your root
domain wherever it may be (on the other side of the world) AND access to that
domain's Admin passwords or accounts OR Enterprise Admin just to get up and
running, then they are clearly not living in this world.
AD was meant for the enterprise where a corp could have offices and domains
all over the world. If in the event of disaster we have to worry about ISDN
or T1 lines to the root and overcome all the politics of different IT depts. and
security to beg for the enterprise password (even just for a simple test)
JUST to get functional (not add or delete domains or modify the schema), then
I'm ready to ditch AD for NDS or something more realistic.
What other reason could I have to connect to the root? What other secrets
does it hold aside from the 2 roles?
Does anyone know?
Why doesn't MS tell you these things in their DR documentation? Is it so
obvious?
Why is connectivity to the root never mentioned as key?
Am I the idiot?
I'm willing to accept that, but what else does the root DC hold in terms of
AD functionality?
Thank you for all your help so far.

-----Original Message----- 
From: Mulnick, Al [mailto:[EMAIL PROTECTED] 
Sent: Wed 3/24/2004 4:28 PM 
To: '[EMAIL PROTECTED]' 
Cc: 
Subject: RE: [ActiveDir] disaster recovery


No, you need the root domain as it holds some of the roles etc.
 
In order for this to work, you need to restore the root domain as well.
I've found that doing this with a virtual server is sometimes easier but
that just saves on hardware requirements.
 
 
Al

  _____  

From: Kern, Tom [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 24, 2004 3:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery


yes. 
a quick question- can one restore an entire child domain without
connectivity to the root domain?

-----Original Message----- 
From: Anderson Santos Patricio [mailto:[EMAIL PROTECTED] 
Sent: Wed 3/24/2004 2:58 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] disaster recovery


Are your zones set to Dynamic Updates = YES???
 
 

  _____  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, 24 March 2004 16:47
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery


Restarting netlogon or registerdns does not work.
Where is this copy of the root zone in my DNS server? I don't think I have
it by default. I had to transfer it on my DNS server back home.
Also, if I had it, wouldn't creating an AD-integrated DNS server on my test DC
also have it?
Finally, when DCs replicate, do they look each other up in a GC?
I never had any GC SRV records in my local domain zone, only in the root. Is
this normal?
Thanks for your reply.

-----Original Message----- 
From: Anderson Santos Patricio [mailto:[EMAIL PROTECTED] 
Sent: Wed 3/24/2004 2:16 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] disaster recovery


Hi Tom,
 
All records in the AD zones can be recovered with two commands:
 
restart the netlogon service, or ipconfig /registerdns
 
and all workstations will update their records in DNS, or DHCP will...
 
In Windows 2000 it is a good idea to have a secondary zone of your root on
your local DNS server.
 
In Windows 2003 you can set the DNS zone replication scope to the forest; then
this zone is replicated to all domain controllers in the forest.
 
Thanks in advance.
 


Anderson Patricio - Support Analyst
[EMAIL PROTECTED]

Microsoft Certified Systems Engineer on 2003/2000

Microsoft Certified Systems Administrator on 2003/2000

Red Hat Certified Technician
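A way to check, from the DR-site DC itself, whether the DNS records Tom's dcdiag complains about are resolvable, and which of them live in the child domain's own zone versus under the forest root's _msdcs subdomain (the GC locator records and the DSA-GUID CNAME that Anderson's secondary-zone advice is about). This is an added example and not code from the thread; it assumes Resolve-DnsName from the DnsClient module (Windows 8 / Server 2012 and later; in the 2004 environment the same queries would be typed into nslookup with -type=srv), and the domain names and server name are placeholders.

```powershell
# Added example, not from the thread: verify the locator records a child-domain
# DC needs, grouped by the zone that has to carry them. Assumes Resolve-DnsName
# (DnsClient module); forest/domain names and the DNS server are placeholders.
function Test-DcLocatorRecords {
    param(
        [Parameter(Mandatory)] [string] $ForestRoot,   # e.g. corp.example
        [Parameter(Mandatory)] [string] $ChildDomain,  # e.g. sub.corp.example
        [string] $DnsServer,   # DR-site DNS server; default resolver if omitted
        [string] $DsaGuid      # this DC's NTDS Settings objectGUID, if known
    )

    $checks = @(
        # Records registered in the child domain's own zone (the kerberos/kpasswd
        # and dc._msdcs entries dcdiag reported missing).
        @{ Name = "_ldap._tcp.$ChildDomain";            Type = 'SRV'; Zone = $ChildDomain }
        @{ Name = "_kerberos._tcp.$ChildDomain";        Type = 'SRV'; Zone = $ChildDomain }
        @{ Name = "_kerberos._udp.$ChildDomain";        Type = 'SRV'; Zone = $ChildDomain }
        @{ Name = "_kpasswd._tcp.$ChildDomain";         Type = 'SRV'; Zone = $ChildDomain }
        @{ Name = "_kpasswd._udp.$ChildDomain";         Type = 'SRV'; Zone = $ChildDomain }
        @{ Name = "_ldap._tcp.dc._msdcs.$ChildDomain";  Type = 'SRV'; Zone = $ChildDomain }
        @{ Name = "_ldap._tcp.pdc._msdcs.$ChildDomain"; Type = 'SRV'; Zone = $ChildDomain }
        # Records that exist only under the forest root: the GC locator entries
        # ("all GCs are down") are here, not in the child domain's zone.
        @{ Name = "_ldap._tcp.gc._msdcs.$ForestRoot";   Type = 'SRV'; Zone = $ForestRoot }
        @{ Name = "_gc._tcp.$ForestRoot";               Type = 'SRV'; Zone = $ForestRoot }
    )
    if ($DsaGuid) {
        # The "GUID DNS name" dcdiag looks for: <DSA GUID>._msdcs.<forest root>,
        # also in the forest root's zone, which replication partners use to find this DC.
        $checks += @{ Name = "$DsaGuid._msdcs.$ForestRoot"; Type = 'CNAME'; Zone = $ForestRoot }
    }

    foreach ($c in $checks) {
        $query = @{ Name = $c.Name; Type = $c.Type; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
        if ($DnsServer) { $query.Server = $DnsServer }
        $answer = Resolve-DnsName @query | Where-Object { $_.Type -eq $c.Type }
        [pscustomobject]@{
            Record  = $c.Name
            Zone    = $c.Zone
            Found   = [bool]$answer
            Targets = ($answer | ForEach-Object {
                          if ($c.Type -eq 'SRV') { "$($_.NameTarget):$($_.Port)" } else { $_.NameHost }
                      }) -join ', '
        }
    }
}

# Usage at the DR site, against the DNS server the restored DCs point at:
Test-DcLocatorRecords -ForestRoot 'corp.example' -ChildDomain 'sub.corp.example' `
                      -DnsServer 'drdns01' | Format-Table -AutoSize
```

Rows with Zone = the forest root and Found = False are the ones a copy of the child domain's zone alone can never satisfy; they need the root zone (a secondary on Windows 2000, or the forest-wide replication scope on Windows 2003 as Anderson describes), which is the concrete reason the DR test cannot be run in isolation from the root.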

 

 

  _____  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, 24 March 2004 16:03
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery


I also get an "all GCs are down" error.
GC records are just registered in the root domain, I assume. I only have
DNS for my domain.
Also dcdiag output says "the server is not responding to directory service
requests" though it holds a copy of AD.
How can I get around this? Do I need a copy of the root DNS zone? How can I
get this? Can I export it to a text file and import it into my DNS server?
Can I somehow pull it from the config container in AD without being
connected to the root of the tree?
Is this the cause of my woes?
 
It would be insane on MS's part to demand connectivity to the root of the
forest when restoring or doing DR on AD.
What did I screw up?
 
Thanks again for any help

-----Original Message----- 
From: Kern, Tom 
Sent: Wed 3/24/2004 1:34 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: [ActiveDir] disaster recovery



I just restored AD. I had a test laptop, pulled it off the network, ran
ntdsutil, seized all 3 roles, ran metadata cleanup and removed all my old
DCs. Deleted them with adsiedit and all DNS records as well.

Then at the DR site, I set up new servers with the same names as the old
ones, ran dcpromo. However, the new servers get DNS lookup/RPC errors when I
try to force a replication.

Also, they fail a dcdiag because the GUID DNS name is not present and the
server "fails a directory request".
Also the SRV records for kerberos and kpasswd do not appear in DNS for my
domain.
The test laptop had an AD-integrated DNS zone pulled directly from my real
network. However, it just has the zone for my domain, not the forest root.

Do I need this record as well to promote DCs? I'm not connected to the
forest anyway, but should I have the forest root records too?

What am I doing wrong?
Thanks