I also said, I have to spend my time and money wisely. I am well aware of why people use lag-sites. They always like to throw the money issue around... but I wonder what the TCO is really. Maybe these major AD DR players should commission a study.... heck maybe MSFT should for both AD and Exchange Mailboxes. I think you would do better to encourage new Admins to make sure they do a MFT backup of a domain controllers system state each night, then stand-up more sites and servers. Then based on need select the restore method and evaluate the results. I agree knowing how all the inner workings does help as well, but operations people are usually not engineers, so it is best to give them tools that have some workflow, and makes the operation smooth and less error prone. Thanks again, Todd
________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Mon 3/6/2006 2:09 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Lag Sites He does NOT "have to save the company money", he says. That's MY money you are talking about there, bucko! :) Seriously, Todd, you do have to understand that a vast majority of IT shops don't have budget for their IT folks to be as productive as they desire to be. This is why people tend to be as creative and conservative as possible. They want to stay as native as humanly possible and as painful as the exercise tend to be, they typically can't do anything about it. When management expects you to squeeze water out of rocks, you hardly have much options. The "Lag Site" concept is not a replacement for specialized recovery solutions. But, the concept came about as a result of people realizing that, much as they like the Quests and Netpros of this world, the steep price associated with them makes those products out of reach. If you've seen the "California Cows" commercials, you will begin to understand how much people salivate over professional tools. So, what's a poor admin to do? Especially when his/her CIO has just played golf with a buddy who has just read something from, say, Gartner, preaching the benefits of "DR", and the CIO now wants DR implemented like, oh, say, one week ago without any additional funding? "Lag Sites" are NOT as expensive as any of the other options. Where budget constraint is a factor, the "Lag Site" concept is the next best thing for any AD Admin. The fact that it requires some expertise to successfully implement and utilize IS a big plus rather than a drawback. If you are going to administer any sizeable enterprise where DR is essential, you better start knowing something about the inner workings of the things you are claiming to be administering. Come to think of it, the vendors who market these specialized recovery tools are not engaged in voodoo. By learning how things work, you may not need to pay their "protection" money any longer. OK, now I've said too much ;) Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCT Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon ________________________________ From: [EMAIL PROTECTED] on behalf of Myrick, Todd (NIH/CC/DNA) [E] Sent: Mon 3/6/2006 10:36 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Lag Sites I don't really look at problems from the "Trying to Save Money Approach".... I try to spend my money and use my time wisely. I base all my value judgments on the following factors. 1. Does it value people? 2. Is it priced acceptably? (I value dominate designs, but also feel that some innovative features are worth more if they offer added value) 3. Is the solution timely? 4. Does the solution offer reproducible results? AD lag site restores seem a little advanced for general operators to be able to perform. To me restore operations are an operator job not an engineer's so I want a solution that offers value to operators. The standard "Free" AD solution to restore objects has a lot of CLI, it doesn't restore all the attributes, it takes more time to implement, it requires a DC be rebooted, it lacks the ability to restore single attributes, and groups. The lag site approach seems okay initially, but it requires more dedicated hardware that has to be maintained, it complicates the AD design in a "unnatural way", it requires knowledge of the AD site architecture to properly implement (You have to force replication to the rest of the forest) and takes longer to implement a restore operation... (The use might be out in china, where your lag site might be in the UK). For me I wanted the ability to quickly restore objects using a turnkey solution that I can delegate to trusted operators to perform. A dedicated person to do this task would cost about 30 to 40K per year. My base thinking is that would work between 10K to 20K up front, and about 3 to 5% overhead each additional year. I gain the ability to restore all objects and attributes, as well as groups and their memberships. I can restore these objects at the site the user resides, I don't have to reboot a DC to do this operation, and I free up the engineer to be an engineer not an operator. So my priorities are different than yours..... and so are my responsibilities. I don't have to save the company money. Notice I didn't say lag sites don't work, but the number of steps involved to do an authoritative restore compared to using a third-party product designed for the job and the possible end results are akin to shooting a bullet and throwing one. Yeah you probably hit the target both ways.... But I think my way is more accurate, has better range, and gets the job done a lot faster and has the potential to be more effective with less skill. Todd Myrick ________________________________ From: Frank Abagnale [mailto:[EMAIL PROTECTED] Sent: Saturday, March 04, 2006 5:47 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Lag Sites Todd, You mentioned 'potentially has the ability to create more problems' Could you outline the problems that are on your mind? I see Lag Sites as a solution to save the business money from purchasing a solution, but I still need to think about business risk if such a solution was to be implemented. Frank "Myrick, Todd (NIH/CC/DNA) [E]" <[EMAIL PROTECTED]> wrote: Agreed. Not a big fan of the "Lag-Site", I think it potentially has the ability to create more problems. At least MS added some limited functionality in 2003, now if they would just finish the job in Vista this topic might goto rest. (Are you there Stewart?) I do see value in Creative Subnetting, when it comes to establishing multiple sites on a physical network segment to get the KCC to replicate in a more deterministic manner. Fun to do in the classroom too when teaching subnetting. Todd Myrick ________________________________ From: Almeida Pinto, Jorge de [mailto:[EMAIL PROTECTED] Sent: Friday, March 03, 2006 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Lag Sites 7 lag sites? holy sh*t! would it be much cheaper to use a solution that can undelete the deleted objects and restore (push back) the attributes? jorge ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner Sent: Friday, March 03, 2006 16:59 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Lag Sites As Jorge mentioned you do not have to follow your physical subnets for Lag-Sites. Usually you would use that as a guideline, but for lag-sites you can do a sub-subnetting. AD replication does not care about the physical structure or TCP/IP-Settings (Subnetmask, Def-Gateway) - it just cares what you have configured in the sites, subnets and what IP the DC is using. So you can in a 10.1.x.x network you could configure all servers with 10.1.x.x IP-Adresses with a Subnet-Mask of 255.255.0.0, however you keep all servers in one lagsite in the same "virtual subnet" 10.1.9.x and all production Servers in 10.1.1.x - 10.1.8.x. Remember that all have the default gateway and subnet mask for 10.1.x.x. But now you create the virtual subnets in AD, and join 10.1.1.x - 10.1.8.x to the production site, and 10.1.9.x to the lag-site.. AD-Replication will do what you wanted it to do, even without the need for routing. However - and this was the main reason why I wanted to follow up on this - remember that one lag-site might not be enough. Imagine you configure your lag-site to replicate every thursday 6pm. So if someone makes an error deleting a whole OU on e.g. Tuesday, you are recognizing it on Wednesday and are able to rollback this OU (authoritative restore on the lag site, then force replication). However if someone deletes a OU on thursday, and you recognize it on friday (or even thursday 7pm) you have to restore a server from tape first, because your only lag-site has already replicated that deletion. What I prefer is creating two lag-sites, one which replicates in the middle of the week and one which replicates on the weekend. No matter when the error will be performed (even right before replication of one of the lag-sites), we always have a at least half week old copy of the AD in the one of the Lag-Site. And I've even heard from someone using seven lag-sites for every day in the week. Perhaps he's jumping into this thread later ;-) Gruesse - Sincerely, Ulf B. Simon-Weidner MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz <http://tinyurl.com/44zcz> Weblog: http://msmvps.org/UlfBSimonWeidner <http://msmvps.org/UlfBSimonWeidner> Website: http://www.windowsserverfaq.org <http://www.windowsserverfaq.org/> Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale Sent: Friday, March 03, 2006 4:29 PM To: Active Subject: [ActiveDir] AD Lag Sites Single Forest, Single Domain, W2K3 FFL I am thinking about setting up a lag site for DR purposes. Just for clarification purposes, would I need a separate IP subnet i.e IP subnet that isn't assigned to any other site in AD to create this? All my existing IP Subnets are assigned to existing Sites which are used for normal replication, so I am assuming my question will result in a yes. Does anyone have any recommended guides to follow thanks frank ________________________________ Relax. Yahoo! Mail virus scanning <http://us.rd.yahoo.com/mail_us/taglines/virusall/*http:/communications.yahoo .com/features.php?page=221> helps detect nasty viruses! ________________________________ Brings words and photos together (easily) with PhotoMail <http://us.rd.yahoo.com/mail_us/taglines/PMall/*http:/photomail.mail.yahoo.co m> - it's free and works with Yahoo! Mail. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
