Hello Brett,
 
The problem was that one disk in my RAID 5 was corrupted. So I changed the disk and I checked that my RAID 5 was OK via Dell OpenManage.
But when restarting the DC, it showed a Windows popup stating an error in lsass.exe and that I had to boot in DSRM mode. When I clicked OK, my DC rebooted again, and that scenario never ends until I boot in DSRM mode!
When logging in in DSRM mode, there were only the ntds.dit and the Edb*.log files, no edb.chk!
So I restored the system state, but when the restore finished, there was still no edb.chk created in DSRM mode: a semantic checker showed a Jet error stating that no transaction logs were found.
So I had 2 options:
1) restore ntds.dit, edb.chk, Edb*.log, Res1.log and Res2.log from my last full backup. This backup was done 5 days ago.
2) and lastly, force a demotion via ntdsutil and delete all DNS registrations, FRS subscriptions, and AD objects that point to this DC.
 
So I chose 1) and that worked fine ... I was lucky!
 
Brett, is there any MS documentation stating that this type of "dirty" restoration is unsupported? I have not found any clue on MS TechNet.
And in my situation, what would you have done?
Would 2) be a better and supported solution than 1)?

Thanks for the advice.
 
Yann

Brett Shirley <[EMAIL PROTECTED]> wrote:
BTW, if you have snapshot based backup you _can_ backup and just restore
only the AD data (dit, log, and chk), and it will work w/o USN rollback
correctly. We used to run quick tests like that all the time, but ONLY
validated that the DS / AD didn't break. That doesn't make it supported.
BTW, it is in fact _not supported_.

There are an unknown # of components (AD itself, SAM, LSA, Kerberos, NTLM,
AuthZ, etc ... just about anything DS or security related) that may have a
dependency on some random part of AD and some random part of Registry data
staying in sync ... we don't know what breaks when you restore one w/o the
other ... this is why it is unsupported ... and almost completely untested
... but why let that dissuade you, you're a pioneer right. ;)

The most obvious case of this, would be if you restored a DIT from one
domain, to the DIT folder for a DC in another domain, replacing its DIT.
Would that work, almost guaranteed there would be security issues.
That's of course the extreme case, and one easy to avoid, we don't know
the in-between cases.

Cheers,
-BrettSh [msft]


On Fri, 18 Aug 2006, Yann wrote:

> Hello Jorge,
>
> Thanks for clarification.
> I will check next week if I have no issues with USN rollback :( .
>
> Yann
>
> "Almeida Pinto, Jorge de" <[EMAIL PROTECTED]> wrote:
> When a DC is restored from the system state (amongst others):
> * the restored RID pool is thrown away (invalidated) and a new RID pool is requested at the RID master
> * the invocation ID of the AD DB is changed (which prevents USN rollbacks)
>
> So in your case it works because the backup is not that old. The AD DB is tightly coupled with the registry and there is a reason for that! That is the reason why you MUST restore the system state, as MS says. The way you are doing that is, how shall I say it gently....NOT SUPPORTED! ;-)
> And I guess you will be hitting USN rollback. See my blog and search for BACKUP and you will find an article with some more info.
>
> jorge
>
>
> ---------------------------------
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
> Sent: Tuesday, August 08, 2006 22:47
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] backup and restore AD.
>
>
>
> Hello,
>
> I had a question about AD backup & restore.
> It is possible to back up AD in 2 ways:
> 1) back up only the system state.
> 2) back up the system state & the file system containing the AD working directory (ntds.dit, edb.chk, Edb*.log, Res1.log and Res2.log).
>
> MS states that you have to restore your AD by restoring the system state.
> But what about just restoring the AD working directory without the system state? I tested it and that works fine.
> So my question is:
> => In what circumstances do I have to choose a restore from system state or a restore from the AD working directory?
>
> Thanks for clarification,
>
> Yann
>
>

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
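
The invocation ID point made in the thread can be seen in a simplified model. The following is an added example, not code from any poster or from Microsoft: the class and function names are hypothetical, and the replication logic is reduced to one rule (a partner only accepts changes whose USN is higher than the highest it has already seen for that invocation ID).

```python
import copy
import uuid

class DC:
    """Toy domain controller: an invocation ID plus a log of originating writes."""
    def __init__(self):
        self.invocation_id = uuid.uuid4().hex
        self.usn = 0
        self.changes = []                     # (invocation_id, usn, value)

    def write(self, value):
        self.usn += 1
        self.changes.append((self.invocation_id, self.usn, value))

class Partner:
    """Replication partner tracking the highest USN seen per invocation ID."""
    def __init__(self):
        self.utd = {}                         # invocation_id -> highest USN received

    def pull(self, dc):
        received = []
        for inv, usn, value in dc.changes:
            if usn > self.utd.get(inv, 0):    # anything at or below is "already seen"
                self.utd[inv] = usn
                received.append(value)
        return received

def scenario(reset_invocation_id):
    """Restore a DC from an old copy, then report what the partner receives."""
    dc, partner = DC(), Partner()
    for i in range(3):
        dc.write(f"pre-backup-{i}")
    backup = copy.deepcopy(dc)                # constructed backup at USN 3
    for i in range(2):
        dc.write(f"post-backup-{i}")
    partner.pull(dc)                          # partner has now seen USN 5
    dc = copy.deepcopy(backup)                # database rolled back to USN 3
    if reset_invocation_id:                   # what a system state restore does
        dc.invocation_id = uuid.uuid4().hex
    for name in ("new-user-A", "new-user-B", "new-user-C"):
        dc.write(name)                        # reuses USNs 4, 5, 6
    return partner.pull(dc)

if __name__ == "__main__":
    print("file-level restore :", scenario(reset_invocation_id=False))
    print("system state style :", scenario(reset_invocation_id=True))
```

With the old invocation ID kept, the writes that reuse USNs 4 and 5 are silently skipped by the partner; with a fresh invocation ID all three replicate.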

