I am thinking this wouldn't be a good technique for feeling safe about deleting user accounts. Either disable them or disable them and throw them into an OU that no one except say ent admins have access to; ditto for computer accounts. As for security groups, convert them to DLs. If you need them back, you convert them back to security groups.

For pretty much anything else, throw them into deep dark protected OU.

  joe
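The "disable and quarantine" approach joe describes, written out as an added PowerShell example (this is not code from the thread or from either poster). It assumes the ActiveDirectory module from RSAT (Windows Server 2008 R2 or later) and a quarantine OU that already exists and whose ACL has been cut down to Enterprise Admins; the OU DN and the object names in the usage lines are constructed placeholders. Groups are demoted from security to distribution rather than disabled, since there is no account to disable.

```powershell
# Added example, not code from the ActiveDir thread: "disable and quarantine" in place of
# deleting. Assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) and
# an existing quarantine OU whose ACL has been cut down to Enterprise Admins. The OU DN and
# the object names in the usage lines are constructed placeholders.
Import-Module ActiveDirectory

$QuarantineOU = 'OU=Quarantine,DC=corp,DC=example'   # assumed to exist and be locked down

function Invoke-SoftDelete {
    # Disable (users/computers) or demote to a distribution list (groups), record where the
    # object came from, then move it into the quarantine OU. Nothing is deleted.
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [ValidateSet('User', 'Computer', 'Group')] [string] $Type,
        [string] $Reason = 'scheduled for removal'
    )
    $obj = switch ($Type) {
        'User'     { Get-ADUser     -Identity $Identity }
        'Computer' { Get-ADComputer -Identity $Identity }
        'Group'    { Get-ADGroup    -Identity $Identity }
    }
    # Original parent container: everything after the first unescaped comma of the DN.
    $originalParent = ($obj.DistinguishedName -split '(?<!\\),', 2)[1]
    $stamp = "soft-deleted $(Get-Date -Format s) by $env:USERNAME : $Reason"

    if ($Type -eq 'Group') {
        # Security -> Distribution keeps the SID and the member list but stops conferring access.
        Set-ADGroup -Identity $obj -GroupCategory Distribution
    } else {
        Disable-ADAccount -Identity $obj
    }
    # adminDescription keeps the original parent so the object can be put back where it was.
    Set-ADObject -Identity $obj.ObjectGUID -Description $stamp -Replace @{ adminDescription = $originalParent }
    # Move last, so the DN only changes once the state change has succeeded.
    Move-ADObject -Identity $obj.ObjectGUID -TargetPath $QuarantineOU
}

function Restore-SoftDeleted {
    # Reverse Invoke-SoftDelete. $Identity is the object's GUID or its current DN.
    param([Parameter(Mandatory)] [string] $Identity)
    $obj = Get-ADObject -Identity $Identity -Properties adminDescription
    if (-not $obj.adminDescription) { throw "$Identity has no recorded original location" }

    switch ($obj.ObjectClass) {
        'group' { Set-ADGroup -Identity $obj.ObjectGUID -GroupCategory Security }
        default { Enable-ADAccount -Identity $obj.ObjectGUID }
    }
    Move-ADObject -Identity $obj.ObjectGUID -TargetPath $obj.adminDescription
    Set-ADObject -Identity $obj.ObjectGUID -Clear adminDescription, description
}

# Usage (constructed names):
#   Invoke-SoftDelete -Identity 'svc-sql' -Type User -Reason 'ticket 1234'
#   Invoke-SoftDelete -Identity 'SQL-Admins' -Type Group
#   Restore-SoftDeleted -Identity (Get-ADUser 'svc-sql').ObjectGUID
```

Because the object is never deleted, its SID, GUID and group memberships survive, so a restore is an ordinary move plus re-enable rather than a restore from backup; the description stamp and the quarantine OU also give you something to alert on if anything outside the expected admin group touches the object.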

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, July 05, 2004 1:29 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Authoritative Restores

I'd appreciate some comments on this technique as a cheap and cheerful disaster 
recovery plan for making minor changes to AD, e.g. deleting user accounts.
 
Make sure one DC is fully synchronised and then shut it down.
Delete a user account on another DC, deletion replicates everywhere.
Oh no! That user account was used as the service account for 300 SQL servers worldwide.
Bring the powered-down DC up in DS Restore mode.
Do an authoritative restore of the AD database (*without* first doing a 
non-authoritative restore).
Server reboots to normal mode, deleted user account that still exists here is now marked as authoritative and replicates back to the other DCs (Yes?)
 
I've never before considered doing an authoritative restore without doing a 
non-authoritative one beforehand so just want to check my logic on this.
 
Cheers,
Simon
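For the first step of the procedure Simon lists ("make sure one DC is fully synchronised"), an added PowerShell preflight that is not part of the original post: it parses `repadmin /showrepl /csv` for the DC about to be powered down and only passes when every inbound partner has replicated recently with no outstanding failures. The later, manual steps are listed as comments with the commands typed on the DC in Directory Services Restore Mode. It assumes repadmin.exe is available on the machine running it; the DC name and the account DN are constructed placeholders.

```powershell
# Added example, not code from the thread: preflight for "make sure one DC is fully
# synchronised", plus the commands typed afterwards in Directory Services Restore Mode.
# Assumes repadmin.exe is on the path; the DC name and the account DN are constructed.
function Test-InboundReplication {
    # Returns $true when every inbound partner of $DomainController replicated successfully
    # within the last $MaxAgeMinutes and has no outstanding failures; otherwise writes the
    # offending rows to the warning stream and returns $false.
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [int] $MaxAgeMinutes = 60
    )
    $cutoff = (Get-Date).AddMinutes(-$MaxAgeMinutes)
    # /csv gives one row per (naming context, source DC) pair with the columns used below.
    $rows = repadmin /showrepl $DomainController /csv | ConvertFrom-Csv
    $bad = @(foreach ($row in $rows) {
        $failures = [int] $row.'Number of Failures'
        $lastOk = $null
        try { $lastOk = [datetime] $row.'Last Success Time' } catch { }   # "(never)" or blank
        if ($failures -gt 0 -or -not $lastOk -or $lastOk -lt $cutoff) { $row }
    })
    foreach ($row in $bad) {
        $msg = '{0} <- {1}: {2} failure(s), last success "{3}"' -f $row.'Naming Context', $row.'Source DSA', $row.'Number of Failures', $row.'Last Success Time'
        Write-Warning $msg
    }
    return ($bad.Count -eq 0)
}

# Usage (constructed DC name). Only power the DC down once this returns $true; if in doubt,
# force a final pull first with: repadmin /syncall DC1 /A /e
#   if (-not (Test-InboundReplication -DomainController 'DC1')) {
#       throw 'DC1 is not fully synchronised; do not shut it down yet.'
#   }

# The remaining steps are manual, run on DC1 itself, and shown here only as the commands you
# type (this script does not execute them):
#   1. Boot into Directory Services Restore Mode (F8 at startup on Windows Server 2003;
#      "bcdedit /set safeboot dsrepair" and a restart on Windows Server 2008 and later).
#   2. Mark the one object authoritative using the database already on disk:
#        ntdsutil
#        activate instance ntds          (Windows Server 2008 and later only)
#        authoritative restore
#        restore object "CN=svc-sql,OU=Service Accounts,DC=corp,DC=example"
#        quit
#        quit
#   3. Reboot normally and confirm the raised version numbers that will win replication:
#        repadmin /showobjmeta DC1 "CN=svc-sql,OU=Service Accounts,DC=corp,DC=example"
```

Two details worth checking before relying on this: `restore object` raises the version numbers of the object itself, so the restored account wins the replication conflict, but its group memberships live on the groups as linked attributes and are not covered by that single object restore, and in environments that retain a deleted object's tombstone for the full tombstone lifetime, a reconciliation on the other DCs is what the `/showobjmeta` output lets you verify afterwards.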

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
