" the whitepaper I'm working on with NetPro for AD recovery also contains
those steps ;-)"

Or, at least it does now.....

;o)

<j/k, Guido!>

Rick


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, August 11, 2005 6:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

the whitepaper I'm working on with NetPro for AD recovery also contains
those steps ;-) 

we should clarify that for most other situations you do need to wait for
the auth restore to replicate out, otherwise the group-adds (or other
links) won't succeed in the other domains if you have any.  In this case
the tombstone hadn't replicated out so that the object already exists on
all DCs.

step 3.1 - reboot that original DC containing the tombstone on which the
NW plug was pulled

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Friday, 12 August 2005 02:41
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

Please don't forget to insert these steps:
  2.5 reboot the DC back to normal mode
  2.7 give a chance for the auth restore to replicate out (not
      necessary, just a good idea)

I'm so glad Guido wrote up the below, I had something 1/2 written up, but
I couldn't remember any of the details ...

Cheers,
Brett

On Fri, 12 Aug 2005, Grillenmeier, Guido wrote:

> hopefully you have another Win2003 DC with SP1 => a non-SP1 2003 DC
> would require you to perform more manual steps during the restore.  As
> you're still in mixed mode, none of your links are LVR (which means they
> won't be revived on a non-SP1 DC and of course not on a Win2000 DC)
> 
> 1. so boot another SP1 DC into DS Restore mode
> 2. use ntdsutil.exe to auth restore that user's object
> => with SP1, this step will create an LDIF file that will allow you to
> restore the groups etc.
> it will be called
> "ar_<date>-<time>_links_<fully.qualified.domain.name>.ldf" 
> (e.g. ar_20050725-145850_links_child1.root.net.ldf) and contain
> something similar to this:
> 
> dn: CN=Child1-UG1,OU=Groups,OU=MyChild1OU1,DC=child1,DC=root,DC=net
> changetype: modify
> delete: member
> member: CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net
> -
> 
> dn: CN=Child1-UG1,OU=Groups,OU=MyChild1OU1,DC=child1,DC=root,DC=net
> changetype: modify
> add: member
> member: CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net
> -
> 
> dn: CN=Child1-User2,OU=Accounts,OU=MyChild1OU1,DC=child1,DC=root,DC=net
> changetype: modify
> delete: manager
> manager: CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net
> -
> 
> dn: CN=Child1-User2,OU=Accounts,OU=MyChild1OU1,DC=child1,DC=root,DC=net
> changetype: modify
> add: manager
> manager: CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net
> -
> 
> If you have multiple domains, you may get more than one file (depends on
> group-memberships of user and if you are doing the auth restore on a DC
> or GC - you should choose a GC if you have more than one domain).  All
> you need to do after reboot is take that file and execute an LDIF import
> command (on a DC that corresponds to the file's domain):
> 
> Ldifde -i -k -f ar_<date>-<time>_links_<fully.qualified.domain.name>.ldf
> e.g. Ldifde -i -k -f ar_20050725-145850_links_child1.root.net.ldf
> 
> /Guido
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Shadow Roldan
> Sent: Friday, 12 August 2005 01:35
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?
> 
> OK This is what I was looking for, this site didn't actually have a
> chance to repl out the delete so I just push back the 'good' state?
> 
> So, if I understand I am supposed to:
> 
> 1. reboot a good DC into DS Restore mode
> 2. use ntdsutil.exe to auth restore that user's object.
> 3. use ldifde to restore the links (not sure about this step...any more
> info?)
> 
> Bring my mistake DC back online, it tries to replicate, hits the Auth
> Restore, and the delete gets tossed, my mistake is rectified, and no one
> is the wiser...
> 
> Yes?
> 
> 
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
> Sent: Thursday, August 11, 2005 2:56 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?
> 
> I agree completely - that is the attraction of the lag sites - I have
> something in which I can push a change back out from a time delayed
> replica to where the object still exists.
> 
> And I agree as well - if there is a DC that has the object required - by
> all means, repl it back out authoritatively.
> 
> Rick
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> Sent: Thursday, August 11, 2005 3:31 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?
> 
> Hmmm, maybe I misunderstood ...
> 
> I understood he has a user deleted on some DCs, but not on others.  He
> doesn't want the user deleted.  He can then just take a DC with the
> user, auth restore the user, let that replicate out.  Yes, the delete
> change will try to replicate out, but when it hits the auth restore the
> delete operation will essentially be tossed.
> 
> I mean this is the whole attraction to hot sites is it not? Am I missing
> something?
> 
> Cheers,
> BrettSh
> 
> On Thu, 11 Aug 2005, Rick Kingslan wrote:
> 
> > Brett,
> > 
> > How is this going to help him get the DC back online that he yanked
> > the cable on?  As soon as that system is plugged back in, it's going
> > to repl out the change, no?
> > 
> > Rick
> > 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> > Sent: Thursday, August 11, 2005 1:54 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] A bad bad thing...Manual push of AD?
> > 
> > 
> > Well you're lucky that you yanked the network cable in time, now you
> > don't have to do a system state restore to get the user back ...
> > 
> > Find a DC where the user still exists in a pristine condition, all the
> > mailbox details, etc.  Reboot the DC in DS Restore mode (DSRM).  Use
> > ntdsutil.exe to auth restore just that user's object.
> > 
> > You may (probably will) also have to restore links to that user, at
> > this point it'd be nice if you were running on Win2k3 SP1, but if not
> > it is still accomplishable.
> > 
> > For Win2k3 SP1, after auth restoring the user, there should be some
> > ldf file(s) that will allow you to restore the links.  Simply use
> > ldifde, to apply these files to the appropriate DCs (up to one ldf per
> > domain).
> > 
> > For pre this latest generation (which is more likely, because you 
> > could yank the net cable in time), you may have to find the objects 
> > that are linked to the user, and restore them yourself.  You can do 
> > this by performing an LDAP operation that deletes and re-sets the 
> > links to that user.
> > 
> > BTW, there is a more extensive KB article you might find useful:
> >   http://support.microsoft.com/?kbid=840001
> > 
> > Cheers,
> > BrettSh
> > 
> > This posting is provided "AS IS" with no warranties, and confers no 
> > rights.
> > 
> > On Thu, 11 Aug 2005, Shadow Roldan wrote:
> > 
> > > So I did a bad thing, I deleted a user at a different site and 
> > > marked his mailbox for deletion
> > > 
> > > Immediately recognizing my mistake I *ran* to the server room and 
> > > yanked the network cable of the dc I was connected to.
> > > 
> > > For now, none of the changes have replicated.
> > > 
> > > I want to bring this machine back online, but I don't want those 
> > > changes to go through
> > > 
> > > How would you make this happen?
> > > 
> > > Thanks guys
> > > 
> > >  
> > > 
> > > S
> > > 
> > >  
> > > List info   : http://www.activedir.org/List.aspx
> > > List FAQ    : http://www.activedir.org/ListFAQ.aspx
> > > List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> > > 

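The thread describes two ways of getting the user's links back after the authoritative restore: on Win2003 SP1, importing the ar_<date>-<time>_links_<domain>.ldf files that ntdsutil writes, one per domain, on a DC of the matching domain; on earlier DCs, hand-building the same delete-then-add LDAP operations yourself. The following Python helper is an added example, not code from the thread or from Microsoft: it parses such a links file, checks that every delete is paired with a matching add (a truncated file would otherwise strip a membership without restoring it), routes each file to the domain its DNs belong to, and generates the equivalent LDIF for the pre-SP1 case. The sample LDIF is reconstructed from the DNs quoted in Guido's post and the function names are this example's own; it assumes unescaped commas in DNs and plain (non-base64) attribute values.

```python
import re

# Constructed sample input: the file a Win2003 SP1 authoritative restore of
# Root-User1 would write for child1.root.net (DNs from the thread; the file
# itself is reconstructed here, not captured from a real restore).
SAMPLE_LDF = """\
dn: CN=Child1-UG1,OU=Groups,OU=MyChild1OU1,DC=child1,DC=root,DC=net
changetype: modify
delete: member
member: CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net
-

dn: CN=Child1-UG1,OU=Groups,OU=MyChild1OU1,DC=child1,DC=root,DC=net
changetype: modify
add: member
member: CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net
-

dn: CN=Child1-User2,OU=Accounts,OU=MyChild1OU1,DC=child1,DC=root,DC=net
changetype: modify
delete: manager
manager: CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net
-

dn: CN=Child1-User2,OU=Accounts,OU=MyChild1OU1,DC=child1,DC=root,DC=net
changetype: modify
add: manager
manager: CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net
-
"""

FILENAME_RE = re.compile(r"^ar_\d{8}-\d{6}_links_(?P<domain>[^/\\]+)\.ldf$")


def parse_ldif(text):
    """Parse 'changetype: modify' records into (dn, op, attr, value) tuples.
    Folded lines (continuation starts with one space) are joined first; '-'
    closes one modification inside a record, a blank line closes the record."""
    unfolded = re.sub(r"\r?\n ", "", text)
    changes = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn = changetype = op = attr = None
        for line in block.splitlines():
            line = line.rstrip()
            if not line or line == "-":
                op = attr = None
                continue
            key, _, val = line.partition(":")
            key, val = key.strip().lower(), val.strip()
            if key == "dn":
                dn = val
            elif key == "changetype":
                changetype = val.lower()
            elif key in ("add", "delete", "replace"):
                op, attr = key, val.lower()
            elif op and key == attr:
                changes.append((dn, op, attr, val))
            else:
                raise ValueError("unexpected LDIF line: %r" % line)
        if changetype != "modify":
            raise ValueError("expected changetype: modify for %r" % dn)
    return changes


def domain_of(dn):
    """DNS domain of a DN, taken from its DC= components (left to right)."""
    return ".".join(p.split("=", 1)[1] for p in dn.split(",")
                    if p.strip().lower().startswith("dc="))


def revived_links(changes):
    """Pair each delete with the add of the same (dn, attr, value); the restore
    revives a link by removing and re-adding the forward link on its holder,
    so an unpaired operation means the file must not be imported as-is."""
    pending, links = set(), []
    for dn, op, attr, val in changes:
        key = (dn, attr, val)
        if op == "delete":
            pending.add(key)
        elif op == "add" and key in pending:
            pending.remove(key)
            links.append(key)
        else:
            raise ValueError("unpaired %s for %r" % (op, key))
    if pending:
        raise ValueError("delete without matching add: %r" % sorted(pending))
    return links


def plan_imports(files):
    """Map each links file ({filename: text}) to the domain whose DC must run
    the import, after checking the file's DNs really live in that domain."""
    plan = {}
    for name, text in files.items():
        m = FILENAME_RE.match(name)
        if not m:
            raise ValueError("not an auth-restore links file: %s" % name)
        file_domain = m.group("domain").lower()
        links = revived_links(parse_ldif(text))
        dn_domains = {domain_of(dn).lower() for dn, _, _ in links}
        if links and dn_domains != {file_domain}:
            raise ValueError("%s is for %s but holds DNs from %s"
                             % (name, file_domain, sorted(dn_domains)))
        plan[file_domain] = {"links": links, "command": "ldifde -i -k -f " + name}
    return plan


def build_link_ldif(user_dn, links):
    """Pre-SP1 equivalent: write the delete-then-add LDIF yourself for each
    (holder_dn, attribute) link pointing at the restored user."""
    records = ["dn: %s\nchangetype: modify\n%s: %s\n%s: %s\n-\n"
               % (holder, op, attr, attr, user_dn)
               for holder, attr in links for op in ("delete", "add")]
    return "\n".join(records)


if __name__ == "__main__":
    for domain, entry in plan_imports(
            {"ar_20050725-145850_links_child1.root.net.ldf": SAMPLE_LDF}).items():
        print(domain, "->", entry["command"], len(entry["links"]), "links")
```

Run the import command the planner prints on a DC of that domain, after the restored DC is back in normal mode and (if other domains are involved) the authoritative restore has replicated there, as the thread points out; otherwise the group-add fails because the target DCs still hold the deleted object.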