an important factor is missing in this discussion - the opportunity and costs for leveraging lagsites highly depend on your forest structure.  Even though you can use virtualization to reduce the number of physical boxes required to host a DC in a lagsite, you still need to host at least one per domain. As was pointed out before, if your goal was to recover from accidental deletions it certainly makes even more sense if you use two per domain with overlapping schedules in different sites, so that you'd theoretically always have a window of opportunity to recover the data from a lagsite even if the changes (such as deletion of objects) have just been replicated into one of the lagsites.
 
the number of domains in your forest will not only increase the number of (physical or virtual) DCs you need to host in your lagsite(s), but as soon as you have more than one domain, the work to be done to recover the objects, and its complexity, increases dramatically due to the cross-domain dependencies. You typically have to perform restore activities on a DC from every domain (think "recovery of a user's group-membership" [1]). So what's often fairly feasible for performing restores in a single-domain forest can become quite a pain point for multi-domain forests. In the end the full recovery of an object involves so much work that you'd rather not do it if "just a simple user" is accidentally deleted. VIP users may be an exception and so will the deletion of a whole OU.  This is where I'd say online recovery tools (such as those offered by NetPro and Quest) make a big difference - these will take care of restoring the objects in a domain incl. the necessary cross-domain data and you wouldn't hesitate to use them even for the least important user or group or many other objects.
 
realize that no matter how many domains you have, a lagsite can only protect you "so much" from accidental deletion. It doesn't offer full protection from replicating unwanted changes into the lagsite - forced replication doesn't care about a lagsite's schedule or about a disabled connection object => you can still force bad changes into a lagsite anytime, if the DCs are running and available on the NW. So you'd only gain real protection by isolating the lagsite DCs from the NW (either done physically or via some timed script that enables/disables the NIC).
 
this is not to say that I think lagsites (and specifically running DCs in VMs in lagsites) shouldn't be used at all - you should just realize that they may not be able to help for all DR occasions. They are still a helpful tool to ensure a fast recovery from other failures, such as site-failures or potentially domain or forest failures (for single domain forests even for object recovery). For multi-domain forests, they could well be a part of your overall DR plan - but I also highly recommend checking out the online recovery tools for those object (or attribute) recovery situations that potentially happen more often.
 
/Guido
 
 
[1] If you're unaware of the issues with restoring group memberships in multi-domain environments, have a look at the following whitepaper:

http://www.netpro.com/forum/files/Active_Directory_Disaster_Recovery-Part-I.pdf
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Friday, 3 March 2006 20:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites

I think you're trying to compare apples and oranges.  Yes, both solutions can help reduce the time it takes to perform a restore (given a specific scenario), but that's basically it.  Lag sites are single snapshots based on the number of lag sites you deploy.  The products you mention below are true backup solutions that you could, if you wanted to, perform hourly, daily, weekly, etc. backups, all of which can be restored as needed.  They also typically allow attribute level restores.
 
So if lag sites are N dollars and the software is Y dollars it doesn't really say much.  You need to evaluate your own restore requirements and budget to determine what's best.  It's my opinion most customers don't need lag sites and that it's a distraction from the normal backup processes they're probably failing to properly implement.  But that's just me.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Friday, March 03, 2006 1:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites

When talking about "a software solution to restore deleted objects" I know about:
Netpro's RestoreADmin
Quest's Recovery Manager for AD
 
I don't know the price of both products (I guess per managed object or something like that) but I would be interested in knowing where the break even point is compared to a hardware solution.
 
And for a hardware solution you can use:
* just hardware, where you need at least 1 DC per domain in the lag site (for each day of the week that would be 7 DCs per domain) (not forgetting licensing for the server OS)
* hardware combined with software (e.g. ESX/GSX or Virtual Server)  (not forgetting licensing for the server OS and the virtual solution)
 
I'm very interested in hearing what folks have chosen and how much it costs and of course why that particular solution. Of course don't forget to mention the type of environment and size.
 
but let's start by pinging Rick...
 
ping rick.kingslan.microsoft
 
;-)
 
jorge


From: [EMAIL PROTECTED] on behalf of Tony Murray
Sent: Fri 2006-03-03 19:59
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites

I think Rick Kingslan did something like this with virtual machines.  I'll ping him to see if he has any comment.
 
Tony


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Saturday, 4 March 2006 5:17 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites

7 lag sites? holy sh*t!
would it be much cheaper to use a solution that can undelete the deleted objects and restore (push back) the attributes?
jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Friday, March 03, 2006 16:59
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites

As Jorge mentioned you do not have to follow your physical subnets for Lag-Sites. Usually you would use that as a guideline, but for lag-sites you can do a sub-subnetting. AD replication does not care about the physical structure or TCP/IP settings (subnet mask, default gateway) - it just cares what you have configured in the sites and subnets and what IP the DC is using. So in a 10.1.x.x network you could configure all servers with 10.1.x.x IP addresses with a subnet mask of 255.255.0.0; however, you keep all servers in one lagsite in the same "virtual subnet" 10.1.9.x and all production servers in 10.1.1.x - 10.1.8.x. Remember that all have the default gateway and subnet mask for 10.1.x.x. But now you create the virtual subnets in AD, and join 10.1.1.x - 10.1.8.x to the production site, and 10.1.9.x to the lag-site. AD replication will do what you wanted it to do, even without the need for routing.
 
However - and this was the main reason why I wanted to follow up on this - remember that one lag-site might not be enough. Imagine you configure your lag-site to replicate every Thursday 6pm. So if someone makes an error deleting a whole OU on e.g. Tuesday, you recognize it on Wednesday and are able to roll back this OU (authoritative restore on the lag site, then force replication). However if someone deletes an OU on Thursday, and you recognize it on Friday (or even Thursday 7pm) you have to restore a server from tape first, because your only lag-site has already replicated that deletion.
 
What I prefer is creating two lag-sites, one which replicates in the middle of the week and one which replicates on the weekend. No matter when the error is made (even right before replication of one of the lag-sites), we always have an at least half-week-old copy of the AD in one of the lag-sites. And I've even heard from someone using seven lag-sites, one for every day of the week. Perhaps he's jumping into this thread later ;-)
 

Greetings - Sincerely,

Ulf B. Simon-Weidner

  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=
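As an added example (not code from any poster in this thread), the following Python models Ulf's single-versus-two-lag-site argument above and Guido's point about overlapping schedules: given each lag site's weekly inbound replication window, it reports which sites still hold a pre-deletion copy at the moment the deletion is noticed, and how old that copy is. Site names, the Thursday/Sunday 18:00 windows and the March 2006 timestamps are constructed; forced replication, which Guido notes ignores the schedule, is outside the model.

```python
from datetime import datetime, timedelta
from typing import Dict, Tuple

# Constructed lag-site schedules: (weekday, hour) of the weekly inbound
# replication window, Monday == 0.  Mirrors the thread: one site pulling
# Thursday 18:00 only, versus that site plus a weekend (Sunday 18:00) site.
MIDWEEK_ONLY = {"LagSite-Thu": (3, 18)}
TWO_SITES = {"LagSite-Thu": (3, 18), "LagSite-Sun": (6, 18)}


def last_replication_before(window: Tuple[int, int], when: datetime) -> datetime:
    """Start of the most recent weekly window that opened strictly before `when`."""
    weekday, hour = window
    candidate = when.replace(hour=hour, minute=0, second=0, microsecond=0)
    candidate -= timedelta(days=(when.weekday() - weekday) % 7)
    if candidate >= when:  # same weekday, but the window has not opened yet
        candidate -= timedelta(days=7)
    return candidate


def usable_copies(sites: Dict[str, Tuple[int, int]], deleted_at: datetime,
                  detected_at: datetime) -> Dict[str, float]:
    """Lag sites whose last scheduled replication predates the deletion.

    Returns {site name: age of its copy in hours at detection time}.  A site
    that replicated between deletion and detection already holds the
    tombstoned object and is no use for an authoritative restore.
    """
    result = {}
    for name, window in sites.items():
        last = last_replication_before(window, detected_at)
        if last < deleted_at:
            result[name] = (detected_at - last).total_seconds() / 3600
    return result


def check(sites: Dict[str, Tuple[int, int]], deleted_at: str,
          detected_at: str) -> Dict[str, float]:
    """Convenience wrapper taking ISO-8601 timestamps (constructed test data)."""
    return usable_copies(sites, datetime.fromisoformat(deleted_at),
                         datetime.fromisoformat(detected_at))


if __name__ == "__main__":
    # Ulf's two cases: Tuesday deletion found Wednesday, Thursday deletion found Friday.
    print(check(MIDWEEK_ONLY, "2006-03-07T10:00", "2006-03-08T09:00"))  # Thursday site usable
    print(check(MIDWEEK_ONLY, "2006-03-09T12:00", "2006-03-10T09:00"))  # nothing left: tape restore
    print(check(TWO_SITES, "2006-03-09T12:00", "2006-03-10T09:00"))     # Sunday site still usable
```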
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Friday, March 03, 2006 4:29 PM
To: Active
Subject: [ActiveDir] AD Lag Sites

Single Forest, Single Domain, W2K3 FFL
 
I am thinking about setting up a lag site for DR purposes.
 
Just for clarification purposes, would I need a separate IP subnet, i.e. an IP subnet that isn't assigned to any other site in AD, to create this?
 
All my existing IP Subnets are assigned to existing Sites which are used for normal replication, so I am assuming my question will result in a yes.
 
Does anyone have any recommended guides to follow?
 
thanks frank

