Yes and no.
Thinking of AD as just a database with a bunch of records ignores some of the 
most complicated pieces, namely replication.
 
We are fully multimaster with the understanding that we maintain loose 
consistency and support some other functionalities that make this even harder 
than it might have to be (harder than when just considering the notion of 
replication). This yields a series of nontrivial problems to solve in the 
restore.
 
We already have a "retention period" of sorts: tombstone lifetime. We could 
retain more attributes on tombstones and help you with this. In fact, you can 
do this in your forest now through a minor schema change. This works well, but 
does not solve some harder problems like link value restore (as mentioned in my 
previous post). Those are still exercises "left to the reader", or the ISV in 
most cases.
 
All of this is not to say that it can't be done; I just wanted to ensure you 
think through why it is tricky. :)
 
I hear that ISVs have done a good job at tackling this problem today. I'd check 
out what they offer; perhaps there is something there that would do what you 
need.
 
~Eric
 

________________________________

From: [EMAIL PROTECTED] on behalf of Glenn Corbett
Sent: Sat 12/4/2004 5:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Restore AD



Al,

Isn't the underlying technology and the recovery of the data essentially the
same?  All of the entries (both in Exchange and AD) are simply records
within tables within a database.  Exchange basically flags the mailbox
record as deleted and then applies the defined mailbox retention settings to
allow for recovery.  Theoretically, it should be a similar process for AD to
allow records to be deleted (a group, a user, an OU), and then apply a
retention period to these objects and allow them to be recovered.

I for one would like to see this sort of functionality as well, as it would
greatly simplify some of our Admin procedures where we have to hang onto a
user's account who's left for up to 3 months to allow for the instance where
they come back.  We have to hold these accounts in a separate OU, then have
additional processes to clean the accounts after a period of time.  I would
love to just delete the account and mailbox on the day they leave, and they
have a defined period of time to recover the account before the automatic
cleanup process of AD / Exchange finally deletes the objects.  Would also
help greatly for the finger-fumbles.

G.


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Saturday, 4 December 2004 7:05 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Restore AD

I have not heard of anything like that directly from Microsoft.  Been asking
those same questions, but perhaps too quietly.

I can tell you that one reason you won't see the same functionality as
Exchange is that you're dealing with different technology underneath.  What
I mean by that is that you're just wiping out attributes and links based on
that for an Exchange user, but the datastore (the user's mail data) is still
intact.  You basically just lose reference to it.  AD is the store where
those references live.  Up-level from Exchange if you will. So if you lose
those references, you really have nothing.  In order to make something
useful for recovery, you'd have to maintain that information somewhere and
keep it in relation to the original object. 

That said, there are third-party apps that can provide this type of
functionality for you.  That may be enough for many.  Just seems it's about
time that this functionality gets introduced natively.

My $0.02

Al



List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

