RE: [ActiveDir] AD lag sites and replication

2006-05-31 Thread neil.ruston
Thanks Mark.

I'll take a look at that option...

As to why I feel this may be an issue - let's just say I work in a company that 
has 4 autonomous infras today, which are all coming together soon under one new 
infra. [I'm the poor sucker tasked with designing this new infra as well as the 
new support model and policies and procedures etc etc!] There will be a number 
of service admins across the globe, most of which I have no jurisdiction over, 
as of today.

The level of trust between the 4 'areas' will likely grow in time, but 
initially we need to have a very strong degree of control and monitoring within 
the env so as to ensure that admins are doing what they are supposed to do and 
also that they are not impacting other areas. [To that end, I'm evalling 
various tools in spaces such as GPO, security monitoring and such like.]

I know this all sounds as tho we need to stick with multi forests until we have 
better collaboration and trust in place, but it's never that easy since 
politics is mixed in with technical arguments. The project described above is 
being used as a guinea pig or sounding board too. If we succeed, then we'll be 
used as an example for future global projects within the firm [no pressure 
then!]

Thanks to all for the great feedback.

neil


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 30 May 2006 16:17
To: ActiveDir.org
Subject: Re: [ActiveDir] AD lag sites and replication

Neil,

You could always hack the replication epoch values - but then again..

M
-Original Message-
From: Dave Wade [EMAIL PROTECTED]
Date: Tue, 30 May 2006 14:36:34
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

Al, 
  
Sorry, I mis-read it. I thought it was just controlling bandwidth, but now I 
look it's specific lag. However, I still think that this could be dangerous and 
cause more problems than it solves. 
  
Dave. 
 
 

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 30 May 2006 13:53
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD lag sites and replication

 
 
I think that's the point, isn't it? To be able to have a site that lags the rest of 
them for replication changes? :) 
  
FWIW, there is no way that I'm aware of to prevent an admin from triggering 
replication in the sense that an admin could override any changes you make to 
be able that would otherwise allow them to trigger the replication.  While you 
may counter that you're just trying to prevent the admin from doing something 
easily i.e. make them work to override the change, I read into this that you 
want to absolutely prevent them from triggering replication. For that, you need 
to look outside the system they have rights on else change them from DA to OU 
admin. The other alternative is to trust them not to make that change without 
knowing what they're doing.  An easy argument that anyone with DA should be 
able to be that trusted, but reality often differs from desire. 
  
Admins, by design have rights to the system.  As such, they have rights to make 
those changes that allow them to, well, make changes. 
  
  
Al

  

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] AD lag sites and replication

2006-05-31 Thread joe

You can look at the ACLs on your NC Head objects to see who 
can do what, but last I checked, it didn't even take domain admins to force 
replication, a normal administrator account could do it. 

Anyway, an admin or a domain admin could always escalate to 
enterprise admin if they needed it. In my mind, anyone who has any of those 
admin IDs is an Enterprise Admin in my head. In fact even if they have Acc Op or 
Srv Op they are practically EAs. 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Wednesday, May 31, 2006 3:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

Joe,
I thought (and it's a long time since I looked) that you needed to 
be an Enterprise Admin to force replication in AD Sites and Services... You can 
force replication in the domain context in replmon. I guess that this begs 
another question:

1. Are you trying to stop replication in all replication 
contexts?

Dave


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 31 May 2006 00:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

I am confused by your #2. Are you saying that admins can't 
force replication outside of the normal replication 
periods?

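Joe's suggestion above (look at the ACLs on the NC head objects to see who can force replication), as an added example that is not part of the thread and not any poster's code: a Python script that takes a naming-context head's security descriptor in SDDL form and lists which trustees hold the extended rights that let them trigger replication. The SDDL string is constructed for the example (on a live domain you would export the real one, e.g. the Sddl property returned by Get-Acl on the AD: drive); the two-letter trustee codes are the standard SDDL abbreviations (BA = Builtin Administrators, ED = Enterprise Domain Controllers, EA = Enterprise Admins, AU = Authenticated Users).

```python
"""Audit who can force replication on an AD naming-context (NC) head, from its SDDL."""
import re

# rightsGuid values of the controlAccessRight objects that govern forcing replication.
EXTENDED_RIGHTS = {
    "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2": "Replication Synchronization",
    "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2": "Manage Replication Topology",
}
DS_CONTROL_ACCESS = 0x100   # the access-mask bit behind the SDDL "CR" right

# Constructed sample: a domain NC head DACL with default-style grants plus one extra domain SID.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)"
    "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)"
    "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;EA)"
    "(A;;RPLCLORC;;;AU)"
    "(OA;CIIO;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1104)"
    "(OA;;0x100;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1105)"
    "S:(AU;SA;WDWOWP;;;WD)"
)


def parse_dacl(sddl):
    """Split the D: section into ACE dicts: (type;flags;rights;object_guid;inherit_guid;trustee)."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("SDDL has no DACL")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        parts = body.split(";")
        if len(parts) < 6:
            raise ValueError(f"malformed ACE ({body})")
        aces.append({"type": parts[0], "flags": parts[1], "rights": parts[2],
                     "object": parts[3].lower(), "trustee": parts[5]})
    return aces


def grants_control_access(rights):
    """True if the rights field carries CR, whether written as two-letter codes or as a hex mask."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & DS_CONTROL_ACCESS)
    return "CR" in {rights[i:i + 2] for i in range(0, len(rights), 2)}


def who_can_force_replication(sddl):
    """Map trustee -> replication extended rights granted by allow ACEs that apply to this object.
    Deny ACEs (D/OD) are not subtracted; treat the result as the allow-side inventory."""
    grants = {}
    for ace in parse_dacl(sddl):
        if ace["type"] not in ("A", "OA") or not grants_control_access(ace["rights"]):
            continue
        if "IO" in re.findall("..", ace["flags"]):   # inherit-only: applies to children, not the NC head
            continue
        if ace["type"] == "A" or ace["object"] == "":
            name = "all extended rights"             # CR with no object GUID covers every extended right
        else:
            name = EXTENDED_RIGHTS.get(ace["object"])
        if name:
            grants.setdefault(ace["trustee"], []).append(name)
    return grants


def unexpected_grantees(grants, expected=("BA", "DA", "EA", "ED", "SY")):
    """Trustees holding a replication right outside the set you have decided to tolerate."""
    return sorted(t for t in grants if t not in expected)


if __name__ == "__main__":
    found = who_can_force_replication(SAMPLE_SDDL)
    for trustee, rights in found.items():
        print(f"{trustee}: {', '.join(rights)}")
    print("review:", unexpected_grantees(found))
```

In the sample the only surprise is S-1-5-21-1-2-3-1105, which matches Joe's point that the grant does not have to come via Domain Admins membership.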

RE: [ActiveDir] AD lag sites and replication

2006-05-31 Thread Ulf B. Simon-Weidner
1) We are talking about blocking the replication to and from a lag-site, and 
the good thing about using a firewall is that we are able to block users and 
memberservers authenticating against the lag-site. You do not want anyone to 
authenticate against a lag-site DC. So urgent replication is not an issue.

2) Agree with Joe here. I'm quite sure that the rights to force replication are 
available for at least dom-admins, and I'm very sure that no matter how many 
you have (OK, more than yourself) they will forget not to trigger forced 
replication sometime.

3) Lag-sites don't make any sense if they do replicate in between the scheduled 
times, so in this scenario you may worry about both.





Gruesse - Sincerely,
Ulf B. Simon-Weidner
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

[ActiveDir] AD lag sites and replication

2006-05-30 Thread neil.ruston

I'm looking to implement one or more lag sites, with staggered replication schedules. (i.e. NYC lag replicates tues and thurs, 2-4 am; LON lag replicates mon, wed and fri 2-4 am).

We're concerned that admins can still force replication outside of these hours using repadmin or replmon etc.


Is there a (supported) way to ensure that replication can ONLY occur within the hours described above?


Thanks,

neil


PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely those of
the author and do not necessarily represent those of NIplc; (3) is intended
for informational purposes only and is not a recommendation, solicitation or
offer to buy or sell securities or related financial instruments. NIplc
does not provide investment services to private customers. Authorised and
regulated by the Financial Services Authority. Registered in England
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP. A member of the Nomura group of companies.





RE: [ActiveDir] AD lag sites and replication

2006-05-30 Thread Ulf B. Simon-Weidner

You are able to disable the network interfaces, pretty easy with VMware or 
Virtual Server since you are able to do it from the host via scripting, bit 
more painful if you have to do it from the DC itself since you don't have any 
remote access when the NIC is disabled (you could use a scheduled task which 
runs netsh to activate / deactivate the interface).

Also putting a firewall with scheduled rules in between would work very well, 
especially since you can block everything but RDP at the no-sync times.

As long as you don't exceed the tombstone-lifetime I don't see any reasons why 
this should not be supported since we are just talking about lag-sites without 
any memberservers / clients / users who log onto those DCs.
Gruesse - Sincerely,
Ulf B. Simon-Weidner
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org


  
  


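Neil's staggered windows and Ulf's tombstone-lifetime caveat above, as an added example that is not from any poster in the thread: a Python script (assumed tooling, not anything the list members used) that builds the siteLink schedule attribute blob for the NYC and LON lag windows, decodes it, reports the longest replication-free stretch the schedule creates, and counts the scheduled windows a lag DC has missed since its last successful inbound replication, which is the monitoring Dave's point 3 argues for. It follows the documented SCHEDULE layout (a 20-byte header, then one byte per hour of the week starting Sunday 00:00 UTC, low nibble = the four 15-minute slots); the thread does not say which time zone "2-4 am" means, so UTC is assumed, and the timestamps fed to the monitoring check are constructed.

```python
"""Build, decode and monitor an AD siteLink 'schedule' blob for lag-site replication windows."""
import struct
from datetime import datetime, timedelta, timezone

AD_DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]  # data byte index = day * 24 + hour, UTC
HEADER_FMT = "<IIIII"      # Size, Bandwidth, NumberOfSchedules, then one SCHEDULE_HEADER: Type, Offset
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 20 bytes
HOURS_PER_WEEK = 7 * 24                    # one data byte per hour of the week
SCHEDULE_INTERVAL = 0                      # schedule Type for availability data


def build_schedule(windows):
    """windows: (day, start_hour, end_hour) triples, end exclusive, day 0 = Sunday, UTC.
    Sets the low nibble (the four 15-minute slots, bit 0 = :00-:15) of every hour inside a window."""
    data = bytearray(HOURS_PER_WEEK)
    for day, start, end in windows:
        if not (0 <= day < 7 and 0 <= start < end <= 24):
            raise ValueError(f"bad window {(day, start, end)}")
        for hour in range(start, end):
            data[day * 24 + hour] = 0x0F
    header = struct.pack(HEADER_FMT, HEADER_LEN + HOURS_PER_WEEK, 0, 1, SCHEDULE_INTERVAL, HEADER_LEN)
    return header + bytes(data)


def open_hours(blob):
    """Sorted hour-of-week indexes (0 = Sun 00:00 UTC) in which at least one 15-minute slot is open."""
    size, _bandwidth, count, stype, offset = struct.unpack_from(HEADER_FMT, blob)
    if size != len(blob) or count != 1 or stype != SCHEDULE_INTERVAL or offset + HOURS_PER_WEEK != size:
        raise ValueError("not a single-interval SCHEDULE blob")
    return [i for i, b in enumerate(blob[offset:offset + HOURS_PER_WEEK]) if b & 0x0F]


def describe(blob):
    """Human-readable list of the open hours, for comparing against the intended design."""
    return [f"{AD_DAYS[h // 24]} {h % 24:02d}:00-{h % 24 + 1:02d}:00 UTC" for h in open_hours(blob)]


def max_lag_hours(blob):
    """Longest run of hours, wrapping around the week, in which the schedule permits no replication.
    This is the lag the site is designed to have; it must stay well under the tombstone lifetime."""
    hours = open_hours(blob)
    if not hours:
        return None  # never replicates: the lag is unbounded and the DC will eventually pass TSL
    return max((hours[(i + 1) % len(hours)] - h - 1) % HOURS_PER_WEEK for i, h in enumerate(hours))


def missed_windows(blob, last_success_iso, now_iso):
    """Count scheduled hours that began after the last successful inbound replication and have
    already ended: anything above zero means the lag site did not replicate when it should have.
    Inputs are ISO-8601 timestamps with an explicit offset (e.g. the last-success time that
    repadmin /showrepl reports, converted to ISO form)."""
    last = datetime.fromisoformat(last_success_iso).astimezone(timezone.utc)
    now = datetime.fromisoformat(now_iso).astimezone(timezone.utc)
    open_set = set(open_hours(blob))
    slot = last.replace(minute=0, second=0, microsecond=0) + timedelta(hours=1)
    missed = 0
    while slot + timedelta(hours=1) <= now:
        if ((slot.weekday() + 1) % 7) * 24 + slot.hour in open_set:  # Python weekday(): Mon = 0
            missed += 1
        slot += timedelta(hours=1)
    return missed


# Neil's windows: NYC lag Tue/Thu 02:00-04:00, LON lag Mon/Wed/Fri 02:00-04:00 (treated as UTC here).
NYC_LAG = build_schedule([(2, 2, 4), (4, 2, 4)])
LON_LAG = build_schedule([(1, 2, 4), (3, 2, 4), (5, 2, 4)])

if __name__ == "__main__":
    for name, blob in (("NYC", NYC_LAG), ("LON", LON_LAG)):
        print(name, describe(blob), "max lag", max_lag_hours(blob), "h")
    # constructed timestamps: last inbound success inside the Tue 30 May window, checked on Fri 2 June
    print("NYC missed", missed_windows(NYC_LAG, "2006-05-30T03:30:00+00:00", "2006-06-02T10:00:00+00:00"))
```

The NYC schedule gives a designed lag of up to 118 hours and LON up to 70 hours, far below a default tombstone lifetime, so Ulf's caveat only bites if a DC keeps missing its windows, which is exactly what the last function surfaces.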
RE: [ActiveDir] AD lag sites and replication

2006-05-30 Thread neil.ruston

Thanks Ulf.

I was hoping to avoid NIC disabling and such like. I was looking for a solution 
which would enforce the replication schedule between sites, such that an admin 
could not 'override' it.

I'd rather handle the situation with procedures and policies than use scripts 
to disable NICs (or connection objects) at scheduled times :)

neil




RE: [ActiveDir] AD lag sites and replication

2006-05-30 Thread Ulf B. Simon-Weidner

Hi Neil,

I'd still go for a firewall with scheduled rules. IMHO there's no such thing as 
"locked down replication schedules" - as soon as someone is hitting a switch to 
force replication across sites. And the firewall will help you to assure no 
client is hitting a lag site DC.
Gruesse - Sincerely,
Ulf B. Simon-Weidner
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org


  
  

RE: [ActiveDir] AD lag sites and replication

2006-05-30 Thread Dave Wade

Neil,

1) If you start setting firewall rules then I am pretty sure you will break 
things as you will block urgent replication. What happens if someone changes 
their password and then goes to the home site? What about group membership 
changes? Do you really want to wait two days before you update these?

2) I don't think that "normal admins" can trigger unscheduled replication 
changes. Certainly I am a Domain Admin and I can't trigger replication changes 
on our infrastructure, but it is Windows/2000.

3) IMHO you would be better worrying about getting things to replicate when 
they are supposed to rather than things replicating when they shouldn't.

Dave


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: 30 May 2006 11:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

Hi Neil,

I'd still go for a firewall with scheduled rules. IMHO there's no such thing as "locked down replication schedules" - as soon as someone is hitting a switch to force replication across sites. And the firewall will help you to assure no client is hitting a lag site's DC.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org


  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 30, 2006 10:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication
  
Thanks Ulf.

I was hoping to avoid NIC disabling and such like. I was looking for a solution which would enforce the replication schedule between sites, such that an admin could not 'override' it.

I'd rather handle the situation with procedures and policies than use scripts to disable NICs (or connection objects) at scheduled times :)

neil
  
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: 30 May 2006 09:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication
  
You are able to disable the network interfaces, pretty easy with VMWare or Virtual Server since you are able to do it from the host via scripting, bit more painful if you have to do it from the DC itself since you don't have any remote access when the NIC is disabled (you could use a scheduled task which runs netsh to activate / deactivate the interface).

Also putting a firewall with scheduled rules in between would work very well, especially since you can block everything but RDP at the no-sync times.

As long as you don't exceed the tombstone lifetime I don't see any reasons why this should not be supported since we are just talking about lag sites without any member servers / clients / users who log onto those DCs.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
  
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 30, 2006 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD lag sites and replication

I'm looking to implement one or more lag sites, with staggered replication schedules (i.e. NYC lag replicates Tues and Thurs, 2-4 am; LON lag replicates Mon, Wed and Fri 2-4 am).

We're concerned that admins can still force replication outside of these hours using repadmin or replmon etc.

Is there a (supported) way to ensure that replication can ONLY occur within the hours described above?

Thanks, neil
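As an added example, not code from Ulf or anyone else on the thread, here is how the "scheduled task which runs netsh" idea quoted above could be set up on a lag DC in PowerShell. Everything in it is assumed: a Windows Server version that ships the ScheduledTasks module (2012 or later, so not the Windows 2000/2003 boxes this thread was written against), a replication NIC named LagNIC with no spaces in its name, and Neil's NYC window of Tuesday and Thursday, 02:00 to 04:00 local time.

```powershell
# Added example, not code from the thread: Ulf's "scheduled task which runs netsh"
# idea as a pair of tasks on the lag DC. Outside the window the NIC is
# administratively down, so repadmin/replmon from another box cannot reach the DC;
# inside the window it is up and the normal site-link schedule applies.
# Assumptions (hypothetical): ScheduledTasks module (Windows Server 2012+),
# a NIC named 'LagNIC' (no spaces), window Tue/Thu 02:00-04:00 local time.

param(
    [string]$InterfaceName    = 'LagNIC',
    [System.DayOfWeek[]]$Days = @('Tuesday', 'Thursday'),
    [string]$OpenAt           = '02:00',
    [string]$CloseAt          = '04:00'
)

# Run as SYSTEM on the DC itself: Task Scheduler is local, so it keeps firing
# while the NIC is down, which is what makes this approach workable at all.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

$openAction  = New-ScheduledTaskAction -Execute 'netsh.exe' `
    -Argument "interface set interface name=$InterfaceName admin=enabled"
$closeAction = New-ScheduledTaskAction -Execute 'netsh.exe' `
    -Argument "interface set interface name=$InterfaceName admin=disabled"

$openTrigger  = New-ScheduledTaskTrigger -Weekly -DaysOfWeek $Days -At $OpenAt
$closeTrigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek $Days -At $CloseAt
# Catch-up close every day: if the 04:00 run is missed (reboot, patch window)
# the lag DC must not stay reachable until the next scheduled close.
$catchUpTrigger = New-ScheduledTaskTrigger -Daily -At '04:30'

$common = @{ TaskPath = '\LagSite\'; Principal = $principal; Force = $true }
Register-ScheduledTask @common -TaskName 'OpenReplicationWindow'  -Action $openAction  -Trigger $openTrigger    | Out-Null
Register-ScheduledTask @common -TaskName 'CloseReplicationWindow' -Action $closeAction -Trigger $closeTrigger   | Out-Null
Register-ScheduledTask @common -TaskName 'CloseWindowCatchUp'     -Action $closeAction -Trigger $catchUpTrigger | Out-Null

# Show what is now in place; Task Scheduler history on the DC records each open/close.
Get-ScheduledTask -TaskPath '\LagSite\' | Select-Object TaskName, State
```

Ulf's caveats carry over unchanged: this is only defensible for a lag DC that serves no clients or member servers, and the window must recur well inside the tombstone lifetime. It also does not remove the ability Al describes on this thread, since anyone with local admin on the DC can re-enable the NIC; it raises the effort and leaves a record (the task history and the interface state changes) rather than making an out-of-window sync impossible.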

Re: [ActiveDir] AD lag sites and replication

2006-05-30 Thread Al Mulnick
I think that's the point, isn't it? To be able to have a site that lags the rest of them for replication changes? :)

FWIW, there is no way that I'm aware of to prevent an admin from triggering replication in the sense that an admin could override any changes you make to be able that would otherwise allow them to trigger the replication. While you may counter that you're just trying to prevent the admin from doing something easily, i.e. make them work to override the change, I read into this that you want to absolutely prevent them from triggering replication. For that, you need to look outside the system they have rights on, else change them from DA to OU admin. The other alternative is to trust them not to make that change without knowing what they're doing. An easy argument that anyone with DA should be able to be that trusted, but reality often differs from desire.

Admins, by design, have rights to the system. As such, they have rights to make those changes that allow them to, well, make changes.

Al
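Added example, not from Al or anyone else on the thread: since, as Al says, rights to the system are rights to force replication, the schedule becomes something to verify after the fact rather than something the directory enforces. The script below reads the output of `repadmin /showrepl /csv` for a lag DC and reports any inbound partner whose last successful replication fell outside the lag window. The site names NYC-Lag and LON-Lag, the DC and partner names, and the sample rows are constructed for this example; the column headers are those of repadmin's /csv output, and the windows are Neil's staggered schedule from the original question.

```powershell
# Added example for this thread (not from any poster): a detective control for a
# lag site. Flags inbound replication whose last success is outside the window.
# Assumptions (constructed): site names 'NYC-Lag' / 'LON-Lag', DC and partner
# names, and the sample rows below; headers follow repadmin /showrepl /csv.

$LagWindows = @{
    # site => allowed days and the local-time window [Start, End)
    'NYC-Lag' = @{ Days = @('Tuesday', 'Thursday');           Start = [timespan]'02:00'; End = [timespan]'04:00' }
    'LON-Lag' = @{ Days = @('Monday', 'Wednesday', 'Friday'); Start = [timespan]'02:00'; End = [timespan]'04:00' }
}

function Test-InReplicationWindow {
    param([string]$Site, [datetime]$When)
    $w = $LagWindows[$Site]
    if ($null -eq $w) { return $true }      # not a lag site: no window to check
    $t = $When.TimeOfDay
    return ($w.Days -contains $When.DayOfWeek.ToString()) -and ($t -ge $w.Start) -and ($t -lt $w.End)
}

function Find-OutOfWindowReplication {
    param([string]$ShowReplCsv)
    $ShowReplCsv | ConvertFrom-Csv |
        Where-Object { $_.showrepl_COLUMNS -eq 'showrepl_INFO' -and $_.'Last Success Time' -ne '0' } |
        ForEach-Object {
            $when = [datetime]::ParseExact($_.'Last Success Time', 'yyyy-MM-dd HH:mm:ss',
                                           [cultureinfo]::InvariantCulture)
            if (-not (Test-InReplicationWindow -Site $_.'Destination DSA Site' -When $when)) {
                [pscustomobject]@{
                    LagDC       = $_.'Destination DSA'
                    Site        = $_.'Destination DSA Site'
                    Partner     = $_.'Source DSA'
                    NamingCtx   = $_.'Naming Context'
                    LastSuccess = $when
                }
            }
        }
}

# Constructed sample in the shape of `repadmin /showrepl <lagdc> /csv`.
# 2006-05-30 is a Tuesday: 02:41 is inside the NYC window, 14:05 is not;
# 2006-05-29 is a Monday: 03:10 is inside the LON window.
$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,NYC-Lag,NYCLAGDC01,"DC=corp,DC=example",NYC,NYCDC01,RPC,0,0,2006-05-30 02:41:17,0
showrepl_INFO,NYC-Lag,NYCLAGDC01,"CN=Configuration,DC=corp,DC=example",NYC,NYCDC01,RPC,0,0,2006-05-30 14:05:03,0
showrepl_INFO,LON-Lag,LONLAGDC01,"DC=corp,DC=example",LON,LONDC01,RPC,0,0,2006-05-29 03:10:44,0
'@

# Expected: one row, NYCLAGDC01 <- NYCDC01 for the Configuration NC at 14:05.
Find-OutOfWindowReplication -ShowReplCsv $sample | Format-Table -AutoSize

# Live use against a real lag DC:
#   Find-OutOfWindowReplication -ShowReplCsv (repadmin /showrepl NYCLAGDC01 /csv | Out-String)
```

The check only sees the most recent success per partner and naming context, so an out-of-window sync that is later followed by a scheduled one disappears from this view. Run it often enough to catch that, and back it with the Directory Service event log on the lag DC, which records replication activity independently of what repadmin reports at the moment you ask.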

RE: [ActiveDir] AD lag sites and replication

2006-05-30 Thread Dave Wade



Al,

Sorry, I misread it. I thought it was just controlling bandwidth, but now I look it's specific lag. However I still think that this could be dangerous and cause more problems than it solves.

Dave.



RE: [ActiveDir] AD lag sites and replication

2006-05-30 Thread Coleman, Hunter



This may be further out on the unsupported limb than you want to crawl, but IIRC Dean referenced an alternative to lag sites in his part of the joe and Dean show at DEC. You could schedule a script that toggles the replication epoch value and during "off-hours", nothing (and nobody) will be able to force replication without setting the epoch back first.



Re: [ActiveDir] AD lag sites and replication

2006-05-30 Thread Mark Parris
Neil,

You could always hack the replication epoch values - but then again..

M

RE: [ActiveDir] AD lag sites and replication

2006-05-30 Thread Molkentin, Steve
Neil asked... 
  
 I'm looking to implement one or more lag sites, with 
 staggered replication schedules. (i.e. NYC lag replicates 
 tues and thurs, 2-4 am; LON lag replicates mon, wed and fri 2-4 am).
  
 We're concerned that admins can still force replication 
 outside of these hours using repadmin or replmon etc. 
  
 Is there a (supported) way to ensure that replication can 
 ONLY occur within the hours described above? 

Tell them not to?

Seriously, if something is being put in place for a reason and it is
explained to them, why would they want to go and work against it? Isn't
the person implementing it someone in a position of authority to say
this is how we'll solve this problem?

As always... there are seldom good technological solutions to
behavioural problems.

Given this is all hypothetical, and yet to be a problem, but you get
what I am regurgitating here.

My $0.02 inc GST.

themolk.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] AD lag sites and replication

2006-05-30 Thread Mark Parris
Imagine a glass ceiling with a girl in a skirt standing on it\man in a kilt standing on it and you're standing under the ceiling; someone tells you not to look up. Do you not look up, or at some point look up? - even if you did not mean to - via a mirror or some other third party method. The fact that you can means at some stage you may do what you were not supposed to see even if you had no intention of doing so. Applying this analogy to Mr Ruston's scenario they may be trusted and do it, or they may have no intention of doing so - but have the intellect of a Tibetan Yak and do it anyway. Another Guinness please..



RE: [ActiveDir] AD lag sites and replication

2006-05-30 Thread Ulf B. Simon-Weidner
I have to agree to the second option - they may not even know that they do it. Over time people tend to forget about lag sites, want to force replication once in a while, and what the ... are those checkboxes in replmon for? Do I want the information to replicate across sites? Sure!
And right after hitting OK there's a head-banging-against-the-monitor sound - Aahrg - lag sites.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org


 


Re: [ActiveDir] AD lag sites and replication

2006-05-30 Thread Al Mulnick
While I agree that it could happen by accident, I think having that admin poking around and doing such things is likely not the person I want on my admin team. Credentials would be a tougher[1] thing to come by if that were expected behavior.

[1] think borrowing all the gold of Africa difficult

Nonetheless, if it's not prevented from happening it must not be a real requirement, just like in the real world, right? :) Kind of like having a rule but not enforcing it.

Re: [ActiveDir] AD lag sites and replication

2006-05-30 Thread Mark Parris
Al,

Could you please translate the English into English?

Mark

-Original Message-
From: Al Mulnick [EMAIL PROTECTED]
Date: Tue, 30 May 2006 18:05:06 
To:ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD lag sites and replication

While I agree that it could happen by accident, I think having that admin 
poking around and doing such things is likely not the person I want on my admin 
team.  Credentials would be a tougher[1] thing to come by if that were expected 
behavior. 
  
[1] think borrowing all the gold of Africa difficult 
  
Nonetheless, if it's not prevented from happening it must not be a real 
requirement, just like in the real world right? :)  Kind of like having a rule 
but not enforcing it. 

  
On 5/30/06, Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote:
I have to agree to the second option - they may not even know that
they do it. Over the time people tend to forget about lag sites, want to force 
replication once in a while, and what the ... Are those checkboxes in replmon 
for? Do I want the information to replicate across sites? Sure! 
And right after hitting OK there's a head banging against the monitor-sound - 
Aahrg - Lag sites.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Parris
Sent: Tuesday, May 30, 2006 7:26 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] AD lag sites and replication

Imagine a glass ceiling with a girl in a skirt standing on
it\man in a kilt standing on it and you're standing under the
ceiling someone tells you not to look up. Do you not look up or
at some point look up? - even if you did not mean to - via a
mirror or some other third party method. The fact that you can
means at some stage you may do what you were not supposed to
see even if you had no intention of doing so. Applying this
analogy to Mr Ruston's scenario they may be trusted and do it
or they may have no intention of doing so - but have the
intellect of a Tibetan Yak and do it anyway. Another Guinness
please..


-Original Message-
From: Molkentin, Steve [EMAIL PROTECTED]
Date: Wed, 31 May 2006 02:52:28
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication 

Neil asked...

 I'm looking to implement one or more lag sites, with staggered
 replication schedules. (i.e. NYC lag replicates tues and thurs, 2-4
 am; LON lag replicates mon, wed and fri 2-4 am). 

 We're concerned that admins can still force replication outside of
 these hours using repadmin or replmon etc.

 Is there a (supported) way to ensure that replication can ONLY occur 
 within the hours described above?

Tell them not to?

Seriously, if something is being put in place for a reason and
it is explained to them, why would they want to go and work 
against it? Isn't the person implementing it someone in a
position of authority to say this is how we'll solve this problem?

As always... there are seldom good technological solutions to 
behavioural problems.

Given this is all hypothetical, and yet to be a problem, but
you get what I am regurgitating here.

My $0.02 inc GST.

themolk.

RE: [ActiveDir] AD lag sites and replication

2006-05-30 Thread Mark Parris
In a company that potentially has more users than some small countries - work it out applying the same logic - let's grant the permission to reset any password to any user.

Seriously, if something is being put in place for a reason and it is
explained to them, why would they want to go and work against it? Isn't
the person implementing it someone in a position of authority to say
this is how we'll solve this problem?

In this scenario the admin is a lazy mother and does not want to restrict password resets - but he can - so reiterating the original question HOW CAN I RESTRICT REPLICATION? -

PEOPLE AND PROCESS are two different animals and if you can't you won't, if you can you might!!!




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Molkentin, Steve
Sent: 30 May 2006 17:52
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

Neil asked...

 I'm looking to implement one or more lag sites, with
 staggered replication schedules. (i.e. NYC lag replicates
 tues and thurs, 2-4 am; LON lag replicates mon, wed and fri 2-4 am).

 We're concerned that admins can still force replication
 outside of these hours using repadmin or replmon etc.

 Is there a (supported) way to ensure that replication can
 ONLY occur within the hours described above?

Tell them not to?

Seriously, if something is being put in place for a reason and it is
explained to them, why would they want to go and work against it? Isn't
the person implementing it someone in a position of authority to say
this is how we'll solve this problem?

As always... there are seldom good technological solutions to
behavioural problems.

Given this is all hypothetical, and yet to be a problem, but you get
what I am regurgitating here.

My $0.02 inc GST.

themolk.





RE: [ActiveDir] AD lag sites and replication

2006-05-30 Thread joe
I would visualize scripts/tools/applications that the admins don't really
understand. Possibly it slipped through the integration team without them
really understanding how it works. (that never happens huh??) Say an app
that does a user creation and the developers figured that they want that ID
everywhere quick so it then forces replication which isn't documented
(because vendors don't always actually document what their apps do). 

While I agree that you should be able to trust your admins, for something
like this and you shouldn't be using anything you don't understand
completely but I would also look for a means to protect myself if it were
possible. Certainly it shouldn't be something that you say Wow, since I
have that, I can give Elmer Fudd the keys to the castle, anyone who is
familiar with me knows I wouldn't say that. 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Molkentin, Steve
Sent: Tuesday, May 30, 2006 12:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

Neil asked... 
  
 I'm looking to implement one or more lag sites, with 
 staggered replication schedules. (i.e. NYC lag replicates 
 tues and thurs, 2-4 am; LON lag replicates mon, wed and fri 2-4 am).
  
 We're concerned that admins can still force replication 
 outside of these hours using repadmin or replmon etc. 
  
 Is there a (supported) way to ensure that replication can 
 ONLY occur within the hours described above? 

Tell them not to?

Seriously, if something is being put in place for a reason and it is
explained to them, why would they want to go and work against it? Isn't
the person implementing it someone in a position of authority to say
this is how we'll solve this problem?

As always... there are seldom good technological solutions to
behavioural problems.

Given this is all hypothetical, and yet to be a problem, but you get
what I am regurgitating here.

My $0.02 inc GST.

themolk.


RE: [ActiveDir] AD lag sites and replication

2006-05-30 Thread joe

I am confused by your #2. Are you saying that admins can't 
force replication outside of the normal replication 
periods?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave Wade
Sent: Tuesday, May 30, 2006 6:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

Neil,

1) If you start setting firewall rules then I am pretty 
sure you will break things as you will block urgent replication. What happens if 
some one changes their password and then goes to the home site? What about group 
membership changes? Do you really 
want to wait two days before you update these?

2) I don't think that "normal admins" can trigger unscheduled 
replication changes. Certainly I am a Domain Admin and I can't trigger 
replication changes on our infrastructure, but it is 
Windows/2000

3) IMHO you would be better worrying about getting things to 
replicate when they are supposed to rather than things replicating when they 
shouldn't

Dave


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ulf B. Simon-Weidner
Sent: 30 May 2006 11:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

Hi Neil,

I'd still go for a firewall with scheduled rules. IMHO there's no such thing as 
"locked down replication schedules" - as soon as someone is hitting a switch to 
force replication across sites. And the firewall will help you to assure no 
client is hitting a lag sites DC.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
  Sent: Tuesday, May 30, 2006 10:33 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] AD lag sites and replication
  
  Thanks Ulf.
  
  I was hoping to avoid NIC disabling and such like. I was looking for a solution 
  which would enforce the replication schedule between sites, such that an admin 
  could not 'override' it.

  I'd rather handle the situation with procedures and policies than use scripts to 
  disable NICs (or connection objects) at scheduled times :)
  
  neil
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ulf B. Simon-Weidner
  Sent: 30 May 2006 09:01
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] AD lag sites and replication
  
  You are able to disable the network interfaces, pretty easy with VMWare or 
  Virtual Server since you are able to do it from the host via scripting, bit 
  more painful if you have to do it from the DC itself since you don't have any 
  remote access when the nic is disabled (you could use a scheduled task which 
  runs netsh to activate / deactivate the interface).
  
  Also putting a 
  firewall with scheduled rules in between would work very well, especially 
  since you can block everything but RDP at the no-sync 
  times.
  
  As long as you 
  don't exceed the tombstone-lifetime I don't see any reasons why this should 
  not be supported since we are just talking about lag-sites without any 
  memberservers / clients / users who log onto those DCs.
  Gruesse - Sincerely,
  Ulf B. Simon-Weidner
  Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 30, 2006 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD lag sites and replication

I'm looking to implement one or more lag sites, 
with staggered replication schedules. (i.e. NYC lag replicates tues and 
thurs, 2-4 am; LON lag replicates mon, wed and fri 2-4 am).
We're concerned that admins can still force 
replication outside of these hours using repadmin or replmon etc. 

Is there a (supported) way to ensure that 
replication can ONLY occur within the hours described above? 
Thanks, neil 

RE: [ActiveDir] AD lag sites and replication

2006-05-30 Thread joe

As Al indicated, there isn't anything that is going to 
stop an Admin who is determined to force the replication. However if you are 
looking to stop accidents you could look at anything that blocks the RPC traffic 
(IPSEC/Firewall) or disrupts name res for the lag site.

 
joe



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 30, 2006 3:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD lag sites and replication

I'm looking to implement one or more lag sites, with 
staggered replication schedules. (i.e. NYC lag replicates tues and thurs, 2-4 
am; LON lag replicates mon, wed and fri 2-4 am).
We're concerned that admins can still force 
replication outside of these hours using repadmin or replmon etc. 
Is there a (supported) way to ensure that replication 
can ONLY occur within the hours described above? 
Thanks, neil 


RE: [ActiveDir] AD Lag Sites

2006-03-27 Thread Shawn Hayes
Hi all,
Sorry, I am way late weighing in on this one. I implemented some lag
sites for our AD and wanted to chime in.

We have a small AD - five DCs 4 at our hub and one at a remote office.
We have 52 sites but WAN pipes are fast enough so we don't need to
distribute DC's.

The boss wanted some Security Principal DR...object level recovery.  

I leveraged our Virtual Server boxes located in our hub site to stand up
three additional DCs in three separate sites (lagone, lagtwo and
lagthree) all three are GCs.  So as you can see the additional cost was
only for OS licenses.  This cost the City less than putting dual
monitors on our desktops.  I don't consider my time as an additional
cost because I would be working anyway.  Lagone replicates on Monday,
Lagtwo on Wednesday, and Lagthree on Friday...all three at midnight.
Site links are configured as such.

I found a script on the net to toggle on / off the NIC, so I use a
scheduled task to toggle it on at Midnight, force replication and toggle
it off.  Turning off inbound replication on the Lagsite servers doesn't
stop forced replication from replicating changes to the boxes, hence the
reason I toggle the NIC. 

Ultrasound and MOM bitch a little because they can't communicate with
the LAG site servers at all times, but sometimes MOM doesn't know best.

Now for recovery...at this shop, as with most other shops I have worked
at, our operators don't have the skill sets to perform
recoveries...of any type...and don't have the aptitude or desire to
learn.  Unfortunately this is a government job and we can't just can
them.  Because the boxes are on Virtual Server I can connect to them
remotely...even with the NIC turned off.  Recovery takes around 10
minutes and doesn't require taking down a production DC.  With the
enhancements in NTDSutil with 2003 SP1 we no longer have to worry about
running the authoritative restore twice...once to recover the user
object and the second time to restore the groups the user was a member
of.  One authoritative restore and bang, we're done.

We don't have a Global AD...but how many shops do?  My thought is if
you have a global AD you probably have the funding to purchase a third
party product.  IMO the majority of AD implementations are small to
medium size businesses and probably don't have the funding for say a
Quest Recovery Manager.

I may have left something out.  It has been months since this was
implemented.  If anyone has any question feel free to contact me.

If you can poke holes at my lagsite(s) implementation please do.  I
learn new stuff every day

Shawn Hayes 
GCWN, MCSE NT/2000/2003 - Messaging 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
Sent: Thursday, March 09, 2006 7:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites


Cheers Tomasz.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: 08 Mar 2006 21:39
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Lag Sites


Wyatt, David wrote:
 What MS paper?
 
http://www.microsoft.com/downloads/details.aspx?FamilyID=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en

At the end of this document You will find information how to do this. As

Jorge pointed today on our chat on IM this document is not addressing
potential SYSVOL issue after such restore so BurFlags should come into
play: http://support.microsoft.com/kb/290762

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL) http://blogs.dirteam.com/blogs/tomek/ -
(EN)




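Added example, not code from any poster on the thread: a PowerShell script for the scheduled-task approach Ulf sketched earlier (netsh from a scheduled task) and Shawn describes above, which brings the lag DC's NIC up, pulls one sync, and takes the NIC down again, refusing to reconnect a DC that has been isolated longer than the forest's tombstoneLifetime (Ulf's caveat). The interface name, file paths and the schtasks registration line are assumptions.

```powershell
# Added example (not code from the thread). Runs locally on the lag-site DC as
# SYSTEM, because nothing can reach the box while its NIC is down. Register it
# once per lag site, e.g. (assumed path and task name):
#   schtasks /create /sc weekly /d MON /st 00:00 /ru SYSTEM /tn "LagSync" ^
#            /tr "powershell.exe -NoProfile -File C:\lagsite\Invoke-LagSync.ps1"
param(
    [string]$Nic       = "Local Area Connection",   # assumed NIC name on the lag DC
    [string]$StateFile = "C:\lagsite\lastsync.txt", # assumed bookkeeping file
    [string]$LogFile   = "C:\lagsite\lagsync.log"   # assumed log file
)
$ErrorActionPreference = "Stop"

function Write-Log([string]$Msg) {
    Add-Content -Path $LogFile -Value ("{0:u} {1}" -f (Get-Date), $Msg)
}

# tombstoneLifetime lives on the Directory Service object in the Configuration NC;
# when the attribute is absent AD uses 60 days. Bound over loopback because the
# NIC is still disabled when this runs.
function Get-TombstoneLifetimeDays {
    $root = [ADSI]"LDAP://localhost/RootDSE"
    $cfg  = $root.Properties["configurationNamingContext"].Value
    $ds   = [ADSI]"LDAP://localhost/CN=Directory Service,CN=Windows NT,CN=Services,$cfg"
    $tsl  = $ds.Properties["tombstoneLifetime"].Value
    if ($tsl) { return [int]$tsl } else { return 60 }
}

# A DC cut off for longer than the tombstone lifetime must never be reconnected:
# it would reintroduce objects the rest of the forest has already deleted.
function Test-SafeToSync([datetime]$LastSync, [int]$TslDays) {
    return (((Get-Date) - $LastSync).TotalDays -lt $TslDays)
}

function Set-NicState([string]$State) {   # "enabled" or "disabled"
    & netsh interface set interface name="$Nic" admin=$State | Out-Null
}

function Invoke-LagSync {
    $tsl  = Get-TombstoneLifetimeDays
    $last = if (Test-Path $StateFile) { [datetime](Get-Content $StateFile) } else { Get-Date }
    if (-not (Test-SafeToSync $last $tsl)) {
        Write-Log "REFUSED: last sync $last is older than tombstoneLifetime ($tsl days); rebuild this DC instead"
        return $false
    }
    Set-NicState "enabled"
    Start-Sleep -Seconds 60   # let the link, DNS registration and Kerberos settle
    try {
        # Pull every partition (/A) from partners in other sites (/e) into this DC.
        # Disabling inbound replication would not block a forced sync, which is
        # why the NIC, not the replication option, is what gets toggled.
        $out = & repadmin /syncall $env:COMPUTERNAME /A /e 2>&1
        $ok  = ($LASTEXITCODE -eq 0) -and (($out | Out-String) -match "SyncAll terminated with no errors")
        if ($ok) {
            Set-Content -Path $StateFile -Value (Get-Date).ToString("o")
            Write-Log "OK: synced from hub; isolated again until the next window"
        } else {
            Write-Log ("FAILED: repadmin exit {0}`n{1}" -f $LASTEXITCODE, ($out | Out-String))
        }
        return $ok
    } finally {
        Set-NicState "disabled"   # always re-isolate, even when the sync failed
    }
}

Invoke-LagSync
```

The lag DC serves no clients, so Dave's concern about blocking urgent replication (password changes, group membership) does not apply to it; the guard only refuses to reconnect a DC whose last sync is older than the tombstone lifetime.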

RE: [ActiveDir] AD Lag Sites

2006-03-09 Thread Wyatt, David

Cheers Tomasz.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: 08 Mar 2006 21:39
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Lag Sites


Wyatt, David wrote:
 What MS paper?
 
http://www.microsoft.com/downloads/details.aspx?FamilyID=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en

At the end of this document You will find information how to do this. As

Jorge pointed today on our chat on IM this document is not addressing 
potential SYSVOL issue after such restore so BurFlags should come into
play: http://support.microsoft.com/kb/290762

-- 
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL) http://blogs.dirteam.com/blogs/tomek/ -
(EN)





RE: [ActiveDir] AD Lag Sites

2006-03-08 Thread PAUL MAYES
/lurker

Hi All,

Forgive me a second whilst I ramble on 'cos this IS going to be a ramble, then shoot me down in flames at the end!

The problem with DR is getting the data from somewhere. Typically we go back to tape, which depending on when the last successful backup took place gives you a bit of a wide window to play with. Not good if you're going back some 24 hours/days etc...

To get better coverage of times we kicked about with lag sites. Trouble is, and this has already been noted, replication and timings can scupper the intentions of lag sites and where do you stop. Is one enough, is one for every hour of the day enough?

Microsoft released this white paper on fast recovery with AD using SAN's and disk imaging.
http://www.microsoft.com/windowsserver2003/technologies/activedirectory/W2K3ActDirFastRec.mspx

Now, I'm currently playing with using Microsoft's in-built disk snapshotting to provide something similar. So on a pure DC server I've set it up to snapshot its disks every hour. And then I get to choose which hour that I go back to and use as my recovered backup. After all it's the same tech that's used when you actually do a backup.

No need for a lag site, just pick the hour on the timeline and restore from that DC. Ok so it means that you might need bigger disk and you can only snapshot down to 30mins. But if you're a bit creative with a few DC's then you can get much better coverage than lag sites without the need for more DC's or creative subnetting.

Now I'm going to stand back and be shot down in flames. But thus far playing with VSS is kind of casting doubt on plans for one or multiple lag sites. I'm not going to bore with the how's and where's but it might stimulate some discussion.

Oh and I realise that this is way far from perfect.

Curious to know if anyone has done this or thought about it if nothing else.

Paul.

Myrick, Todd (NIH/CC/DNA) [E] Mon, 06 Mar 2006 15:35:36 -0800
 I also said, I have to spend my time and money wisely. I am well aware of why people use lag-sites. They always like to throw the money issue around... but I wonder what the TCO is really. Maybe these major AD DR players should commission a study heck maybe MSFT should for both AD and Exchange Mailboxes.
 I think you would do better to encourage new Admins to make sure they do a MFT backup of a domain controllers system state each night, then stand-up more sites and servers. Then based on need select the restore method and evaluate the results.
 I agree knowing how all the inner workings does help as well, but operations people are usually not engineers, so it is best to give them tools that have some workflow, and makes the operation smooth and less error prone.
 Thanks again,
 Todd

RE: [ActiveDir] AD Lag Sites

2006-03-08 Thread neil.ruston



As I stated earlier, we need to differentiate between 
object restores (via lag sites) and true DR (which the MS paper deals with). 
Restoring a user differs to the restoration of a DC, which differs again to the 
restoration of a domain and/or forest.

Objects can be restored using 3rd party tools (which back 
up the database and all attributes regularly) and/or via lag 
sites.
True DR needs (IMO) a separate physical location, separate 
physical machines along with DR processes and technologies.

Requirements need to be gathered so that the optimal 
solution can be found.

What are you trying to achieve?

neil

PS I tried to curb my habit of waffling :)



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of PAUL MAYES
Sent: 08 March 2006 13:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites

/lurker

Hi All,

Forgive me a second whilst I ramble on 'cos this IS going to be a 
ramble, then shoot me down in flames at the end!

The problem with DR is getting the data from somewhere. Typically we go 
back to tape, which depending on when the last successful backup took place 
gives you a bit of a wide window to play with. Not good if you're going back 
some 24 hours/days etc...

To get better coverage of times we kicked about with lag sites. Trouble is, 
and this has already been noted, replication and timings can scupper the 
intentions of lag sites and where do you stop. Is one enough, is one for every 
hour of the day enough?

Microsoft released this white paper on fast recovery with AD using SAN's 
and disk imaging. 

http://www.microsoft.com/windowsserver2003/technologies/activedirectory/W2K3ActDirFastRec.mspx

Now, I'm currently playing with using Microsoft's in-built disk 
snapshotting to provide something similar. So on a pure DC server I've set it up 
to snapshot its disks every hour. And then I get to choose which hour that 
I go back to and use as my recovered backup. After all it's the same tech that's 
used when you actually do a backup.

No need for a lag site, just pick the hour on the timeline and restore from 
that DC. Ok so it means that you might need bigger disk and you can only 
snapshot down to 30mins. But if you're a bit creative with a few DC's then you 
can get much better coverage than lag sites without the need for more DC's or 
creative subnetting.

Now I'm going to stand back and be shot down in flames. But thus far 
playing with VSS is kind of casting doubt on plans for one or multiple lag 
sites. I'm not going to bore with the how's and where's but it might stimulate 
some discussion. 

Oh and I realise that this is way far from perfect.

Curious to know if anyone has done this or thought about it if nothing 
else.


Paul.

Myrick, Todd (NIH/CC/DNA) [E] Mon, 06 Mar 2006 15:35:36 -0800
 I also said, I have to spend my time and money wisely. I am well aware of why people use lag-sites. They always like to throw the money issue around... but I wonder what the TCO is really. Maybe these major AD DR players should commission a study heck maybe MSFT should for both AD and Exchange Mailboxes.
 I think you would do better to encourage new Admins to make sure they do a MFT backup of a domain controllers system state each night, then stand-up more sites and servers. Then based on need select the restore method and evaluate the results.
 I agree knowing how all the inner workings does help as well, but operations people are usually not engineers, so it is best to give them tools that have some workflow, and makes the operation smooth and less error prone.
 Thanks again,
 Todd


Re: [ActiveDir] AD Lag Sites

2006-03-08 Thread Tomasz Onyszko

PAUL MAYES wrote:

(...)

 
No need for a lag site, just pick the hour on the timeline and restore 
from that DC. Ok so it means that you might need bigger disk and you can 
only snapshot down to 30mins. But if you're a bit creative with a few 
DC's then you can get much better coverage than lag sites without the 
need for more DC's or creative subnetting.
 
Now I'm going to stand back and be shot down in flames. But thus far 
playing with VSS is kind of casting doubt on plans for one or multiple 
lag sites. I'm not going to bore with the how's and where's but it might 
stimulate some discussion.


(...)

You can't use images or snapshots as a backup\recovery solution for a DC 
because you are risking getting into the USN roll-back problem. Search 
through the ActiveDir.org archives for USN roll-back and you will find a good 
explanation of this problem.



--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
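The USN roll-back that Tomasz warns about can be shown in a small model. This is an added illustration, not code from the list, from Microsoft or from the white paper; the class names, the integer invocationIDs and the two-DC scenario are constructed. It plays out the sequence the thread discusses: an hourly snapshot of a DC, further writes, a restore from that snapshot, and a fresh write whose USN the partner has already acknowledged.

```python
"""Model of the USN roll-back problem raised in the reply above.

Added illustration (not list, Microsoft or white-paper code); names, integer
invocationIDs and the scenario are constructed. Each DC stamps every
originating write with its next USN, and every partner remembers, per source
invocationID, the highest USN it has already applied (its up-to-dateness
vector, "UTD"). A disk snapshot rewinds the USN counter but keeps the
invocationID, so fresh writes reuse USNs the partner has already acknowledged.
"""
import copy
import itertools
from dataclasses import dataclass, field

_next_invocation = itertools.count(1)   # constructed stand-in for the GUIDs AD uses


@dataclass
class Change:
    origin_invocation: int   # invocationID of the DC that originated the write
    origin_usn: int          # USN that DC assigned to the write
    attr: str
    value: str


@dataclass
class Dc:
    name: str
    invocation_id: int = field(default_factory=lambda: next(_next_invocation))
    highest_usn: int = 0
    db: dict = field(default_factory=dict)        # attribute -> value
    journal: list = field(default_factory=list)   # Change records, per-origin USN order
    utd: dict = field(default_factory=dict)       # invocationID -> highest USN applied
    events: list = field(default_factory=list)    # stand-in for the NTDS event log
    replication_paused: bool = False

    def write(self, attr: str, value: str) -> None:
        """Originating write: assign the next USN and journal it for partners."""
        self.highest_usn += 1
        self.db[attr] = value
        self.journal.append(Change(self.invocation_id, self.highest_usn, attr, value))


def take_snapshot(dc: Dc) -> Dc:
    """Image-style snapshot: a byte-for-byte copy, invocationID included."""
    return copy.deepcopy(dc)


def restore_from_snapshot(dc: Dc, snap: Dc) -> None:
    """Unsupported restore: the DIT goes back in time, invocationID unchanged."""
    dc.db = copy.deepcopy(snap.db)
    dc.journal = copy.deepcopy(snap.journal)
    dc.utd = copy.deepcopy(snap.utd)
    dc.highest_usn = snap.highest_usn


def restore_supported(dc: Dc, snap: Dc) -> None:
    """Supported (system state) restore: same data, but the old invocationID is
    retired. Recording it in the DC's own UTD vector at the restored USN makes
    the DC pull back the writes it lost; future writes use a new invocationID."""
    restore_from_snapshot(dc, snap)
    dc.utd[dc.invocation_id] = snap.highest_usn
    dc.invocation_id = next(_next_invocation)


def replicate(src: Dc, dst: Dc, detect_rollback: bool = True) -> int:
    """dst pulls from src; returns the number of changes dst applied.

    dst sends its UTD vector with the request. A source whose own highest USN is
    below what the partner has already acknowledged for its invocationID has
    been rolled back: Windows Server 2003 SP1 and later log NTDS event 2095 and
    pause replication. detect_rollback=False shows the older, silent behaviour.
    """
    if src.replication_paused or dst.replication_paused:
        return 0
    acknowledged = dst.utd.get(src.invocation_id, 0)
    if detect_rollback and acknowledged > src.highest_usn:
        src.events.append(f"USN rollback: {dst.name} acknowledged USN {acknowledged} "
                          f"from {src.name}, whose highest USN is now {src.highest_usn}")
        src.replication_paused = True
        return 0
    applied = 0
    for ch in src.journal:
        if ch.origin_invocation == dst.invocation_id:
            continue                      # a DC never pulls its own current writes
        if ch.origin_usn > dst.utd.get(ch.origin_invocation, 0):
            dst.db[ch.attr] = ch.value
            dst.utd[ch.origin_invocation] = ch.origin_usn
            dst.journal.append(ch)        # keep it so dst can forward it later
            applied += 1
    return applied


def scenario(restore, detect_rollback: bool = True) -> dict:
    """Hourly snapshot of DC-A, two more writes, restore, then a fresh write."""
    a, b = Dc("DC-A"), Dc("DC-B")
    a.write("user1.phone", "111")
    replicate(a, b)
    snap = take_snapshot(a)                  # the hourly VSS-style snapshot
    a.write("user1.phone", "222")
    a.write("user2.title", "manager")
    replicate(a, b)                          # B has now acknowledged USN 3 from A
    restore(a, snap)                         # A is back at USN 1
    a.write("user3.dept", "IT")              # gets USN 2 again
    outbound = replicate(a, b, detect_rollback)
    inbound = replicate(b, a, detect_rollback)
    return {"outbound": outbound, "inbound": inbound,
            "partner_has_new_write": "user3.dept" in b.db,
            "converged": a.db == b.db,
            "rollback_detected": a.replication_paused,
            "events": list(a.events)}


if __name__ == "__main__":
    for label, restore, detect in (("snapshot, no detection", restore_from_snapshot, False),
                                   ("snapshot, SP1 detection", restore_from_snapshot, True),
                                   ("supported restore", restore_supported, True)):
        print(label, scenario(restore, detect))
```

Run as a script it prints the three outcomes: with a snapshot restore and no detection, DC-B silently skips DC-A's new write (its USN 2 under the old invocationID is "already seen") and the two databases stay different; with detection, DC-A notices that its partner has acknowledged a higher USN than it now holds, records the event and stops replicating; the supported restore retires the old invocationID, so the new write is accepted and DC-A pulls back the two writes it had lost.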


RE: [ActiveDir] AD Lag Sites

2006-03-08 Thread Wyatt, David



Hi 
Paul, do you use the disk snapshots to provide the ability to restore an object 
or the whole DC (and therefore the whole Active Directory database), or 
both?


  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of PAUL MAYES
  Sent: 08 Mar 2006 13:13
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] AD Lag Sites
  /lurker
  
  Hi All,
  
  Forgive me a second whilst I ramble on 'cos this IS going to be a 
  ramble, then shoot me down in flames at the end!
  
  The problem with DR is getting the data from somewhere. Typically we go 
  back to tape, which depending on when the last successful backup took place 
  gives you a bit of a wide window to play with. Not good if you're going back 
  some 24 hours/days etc...
  
  To get better coverage of times we kicked about with lag sites. Trouble 
  is, and this has already been noted, replication and timings can scupper the 
  intentions of lag sites and where do you stop. Is one enough, is one for every 
  hour of the day enough?
  
  Microsoft released this white paper on fast recovery with AD using SAN's 
  and disk imaging. 
  
  http://www.microsoft.com/windowsserver2003/technologies/activedirectory/W2K3ActDirFastRec.mspx
  
  Now, I'm currently playing with using Microsoft's in-built disk 
  snapshotting to provide something similar. So on a pure DC server I've set it 
  up to snapshot its disks every hour. And then I get to choose which hour 
  that I go back to and use as my recovered backup. After all it's the same tech 
  that's used when you actually do a backup.
  
  No need for a lag site, just pick the hour on the timeline and restore 
  from that DC. Ok so it means that you might need bigger disk and you can only 
  snapshot down to 30mins. But if you're a bit creative with a few DC's then you 
  can get much better coverage than lag sites without the need for more DC's or 
  creative subnetting.
  
  Now I'm going to stand back and be shot down in flames. But thus far 
  playing with VSS is kind of casting doubt on plans for one or multiple lag 
  sites. I'm not going to bore with the how's and where's but it might stimulate 
  some discussion. 
  
  Oh and I realise that this is way far from perfect.
  
  Curious to know if anyone has done this or thought about it if nothing 
  else.
  
  
  Paul.
  
  Myrick, Todd (NIH/CC/DNA) [E]  Mon, 06 Mar 2006 15:35:36 -0800

  I also said, I have to spend my time and money wisely.

  I am well aware of why people use lag-sites. They always like to throw the money issue around... but I wonder what the TCO is really. Maybe these major AD DR players should commission a study heck maybe MSFT should for both AD and Exchange Mailboxes.

  I think you would do better to encourage new Admins to make sure they do a MFT backup of a domain controllers system state each night, then stand-up more sites and servers. Then based on need select the restore method and evaluate the results.

  I agree knowing how all the inner workings does help as well, but operations people are usually not engineers, so it is best to give them tools that have some workflow, and makes the operation smooth and less error prone.

  Thanks again,
  Todd


This message contains confidential information and is intended only 
for the individual or entity named.  If you are not the named addressee
you should not disseminate, distribute or copy this e-mail.  
Please notify the sender immediately by e-mail if you have received 
this e-mail by mistake and delete this e-mail from your system.
E-mail transmission cannot be guaranteed to be secure or error-free
as information could be intercepted, corrupted, lost, destroyed, arrive
late or incomplete, or contain viruses.  The sender therefore does not
accept liability for any errors or omissions in the contents of this 
message which arise as a result of e-mail transmission.  
If verification is required please request a hard-copy version.
This message is provided for informational purposes and should not
be construed as an invitation or offer to buy or sell any securities or
related financial instruments.
GAM operates in many jurisdictions and is 
regulated or licensed in those jurisdictions as required.





RE: [ActiveDir] AD Lag Sites

2006-03-08 Thread neil.ruston
The MS paper illustrates a way to achieve this without the USN issue. 

neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: 08 March 2006 13:30
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Lag Sites

PAUL MAYES wrote:

(...)

  
 No need for a lag site, just pick the hour on the timeline and restore

 from that DC. Ok so it means that you might need bigger disk and you 
 can only snapshot down to 30mins. But if you're a bit creative with a 
 few DC's then you can get much better coverage than lag sites without 
 the need for more DC's or creative subnetting.
  
 Now I'm going to stand back and be shot down in flames. But thus far 
 playing with VSS is kind of casting doubt on plans for one or multiple

 lag sites. I'm not going to bore with the how's and where's but it 
 might stimulate some discussion.

(...)

You can't use images or snapshots as a backup\recovery solution for a DC
because you are risking getting into the USN roll-back problem. Search
through the ActiveDir.org archives for USN roll-back and you will find a good
explanation of this problem.


--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)






Re: [ActiveDir] AD Lag Sites

2006-03-08 Thread Tomasz Onyszko

Tomasz Onyszko wrote:

Sorry - I've messed up two different things :(
please forget about this post.

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)


Re: [ActiveDir] AD Lag Sites

2006-03-08 Thread Tomasz Onyszko

[EMAIL PROTECTED] wrote:
The MS paper illustrates a way to achieve this without the USN issue. 



Yes, I'm aware of this. Sorry - I'm a bit overloaded and I've read this 
post only with one eye before replying.

It wasn't my brightest post :( - and there is no re-call option :)


--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)


RE: [ActiveDir] AD Lag Sites

2006-03-08 Thread PAUL MAYES
Whoa, yep perhaps I didn't ramble enough!

Simply, whoops I've lost something out of the directory. I need to get that stuff back. Where can I get the stuff back from:
- tape
- another DC
- perhaps deleted object restoration by some other 3rd party or another custom written process, maybe, depends what's been lost (if known) or how much money the boss let me spend on buying products.

Now depending on the stuff that's been lost you vary the approach, or at least it seems common sense to me not to go around doing funky things if someone's deleted one user, unless it's the bloke who runs the company!

Then depending on what's happened you've got the next stress of where can I get the stuff back on to?

Now when I chucked in that comment I wasn't advocating that as the universal solution for all DR problems. Blimey my job would be easy if that was the case. But if you're trying to answer the problem of 'where do I get the stuff back from?' then it's probably worth considering even if it's chucked straight out. And yes it does have its bad points, but on the face it's the same bad points as going back to a tape. (Unless there is a difference that I'm missing?).

Every solution has its bad points, just thought it might be worth kicking around with for some scenarios. When I was looking at the timeline in the fast recovery paper it gave me an idea, so I drew out a timeline based on our organisation and then I could point at the line and stress in some situations. Now using disk snapshots meant that all of a sudden you could get some more points on that timeline, maybe some richer restore capability. As the white paper suggests, it gets you away from some limitations of tape. So all that I've done is draw up a timeline, think of the scenarios and plan what to do. And whilst I was at it give disk snapshotting some air time.

As I stated earlier, we need to differentiate between object restores (via lag sites) and true DR (which the MS paper deals with). Restoring a user differs to the restoration of a DC, which differs again to the restoration of a domain and/or forest.

Objects can be restored using 3rd party tools (which back up the database and all attributes regularly) and/or via lag sites. True DR needs (IMO) a separate physical location, separate physical machines along with DR processes and technologies.

Requirements need to be gathered so that the optimal solution can be found.

What are you trying to achieve?

neil

PS I tried to curb my habit of waffling :)


RE: [ActiveDir] AD Lag Sites

2006-03-08 Thread Wyatt, David

What MS paper?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 08 Mar 2006 13:46
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites


The MS paper illustrates a way to achieve this without the USN issue. 

neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: 08 March 2006 13:30
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Lag Sites

PAUL MAYES wrote:

(...)

  
 No need for a lag site, just pick the hour on the timeline and restore

 from that DC. Ok so it means that you might need bigger disk and you
 can only snapshot down to 30mins. But if you're a bit creative with a 
 few DC's then you can get much better coverage than lag sites without 
 the need for more DC's or creative subnetting.
  
 Now I'm going to stand back and be shot down in flames. But thus far
 playing with VSS is kind of casting doubt on plans for one or multiple

 lag sites. I'm not going to bore with the how's and where's but it
 might stimulate some discussion.

(...)

You can't use images or snapshots as a backup\recovery solution for a DC
because you are risking getting into the USN roll-back problem. Search
through the ActiveDir.org archives for USN roll-back and you will find a good
explanation of this problem.


--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)










Re: [ActiveDir] AD Lag Sites

2006-03-08 Thread Tomasz Onyszko

Wyatt, David wrote:

What MS paper?


http://www.microsoft.com/downloads/details.aspx?FamilyID=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en

At the end of this document you will find information on how to do this. As 
Jorge pointed out today in our chat on IM, this document does not address the 
potential SYSVOL issue after such a restore, so BurFlags should come into play:

http://support.microsoft.com/kb/290762

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)


RE: [ActiveDir] AD Lag Sites

2006-03-06 Thread Myrick, Todd (NIH/CC/DNA) [E]

I don't really look at problems from the Trying to Save Money Approach. I try to spend my money and use my time wisely.

I base all my value judgments on the following factors.

1. Does it value people?
2. Is it priced acceptably? (I value dominate designs, but also feel that some innovative features are worth more if they offer added value)
3. Is the solution timely?
4. Does the solution offer reproducible results?

AD lag site restores seem a little advanced for general operators to be able to perform. To me restore operations are an operator job not an engineer's so I want a solution that offers value to operators.

The standard Free AD solution to restore objects has a lot of CLI, it doesn't restore all the attributes, it takes more time to implement, it requires a DC be rebooted, it lacks the ability to restore single attributes, and groups. The lag site approach seems okay initially, but it requires more dedicated hardware that has to be maintained, it complicates the AD design in an unnatural way, it requires knowledge of the AD site architecture to properly implement (You have to force replication to the rest of the forest) and takes longer to implement a restore operation (The user might be out in China, where your lag site might be in the UK).

For me I wanted the ability to quickly restore objects using a turnkey solution that I can delegate to trusted operators to perform. A dedicated person to do this task would cost about 30 to 40K per year. My base thinking is that would work between 10K to 20K up front, and about 3 to 5% overhead each additional year. I gain the ability to restore all objects and attributes, as well as groups and their memberships. I can restore these objects at the site the user resides, I don't have to reboot a DC to do this operation, and I free up the engineer to be an engineer not an operator.

So my priorities are different than yours.. and so are my responsibilities. I don't have to save the company money.

Notice I didn't say lag sites don't work, but the number of steps involved to do an authoritative restore compared to using a third-party product designed for the job and the possible end results are akin to shooting a bullet and throwing one.

Yeah you probably hit the target both ways. But I think my way is more accurate, has better range, and gets the job done a lot faster and has the potential to be more effective with less skill.

Todd Myrick

From: Frank Abagnale [mailto:[EMAIL PROTECTED]
Sent: Saturday, March 04, 2006 5:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites

Todd,

You mentioned 'potentially has the ability to create more problems'

Could you outline the problems that are on your mind?

I see Lag Sites as a solution to save the business money from purchasing a solution, but I still need to think about business risk if such a solution was to be implemented.

Frank

Myrick, Todd (NIH/CC/DNA) [E] [EMAIL PROTECTED] wrote:

Agreed.

Not a big fan of the Lag-Site, I think it potentially has the ability to create more problems. At least MS added some limited functionality in 2003, now if they would just finish the job in Vista this topic might go to rest. (Are you there Stewart?)

I do see value in Creative Subnetting, when it comes to establishing multiple sites on a physical network segment to get the KCC to replicate in a more deterministic manner. Fun to do in the classroom too when teaching subnetting.

Todd Myrick

From: Almeida Pinto, Jorge de [mailto:[EMAIL PROTECTED]
Sent: Friday, March 03, 2006 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites

7 lag sites? holy sh*t!

would it be much cheaper to use a solution that can undelete the deleted objects and restore (push back) the attributes?

jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Friday, March 03, 2006 16:59
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites

As Jorge mentioned you do not have to follow your physical subnets for Lag-Sites. Usually you would use that as a guideline, but for lag-sites you can do a sub-subnetting. AD replication does not care about the physical structure or TCP/IP-Settings (Subnetmask, Def-Gateway) - it just cares what you have configured in the sites, subnets and what IP the DC is using. So in a 10.1.x.x network you could configure all servers with 10.1.x.x IP-Addresses with a Subnet-Mask of 255.255.0.0, however you keep all servers in one lagsite in the same virtual subnet 10.1.9.x and all production Servers in 10.1.1.x - 10.1.8.x. Remember that all have the default gateway and subnet mask for 10.1.x.x. But now you create the virtual subnets in AD, and join 10.1.1.x - 10.1.8.x to the production site, and 10.1.9.x to the lag-site.. AD-Replication will do
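Ulf's point that the directory consults its own subnet objects rather than the server's TCP/IP mask can be checked with the standard library. This is an added example, not code from the list; the site names, the subnet objects and the DC inventory are constructed from the 10.1.x.x layout in his message. It resolves an address to a site by the most specific matching subnet object, which is how nested subnets are resolved in Sites and Services, and flags DCs whose address would not put them in the site the design intends. The lookup models the placement of a newly promoted DC and the site that clients in that subnet are directed to; a DC that is already promoted stays in the site its server object sits in until it is moved.

```python
"""Site placement by AD subnet objects, as Ulf's quoted note describes.

Added example, not code from the list; site names, subnet objects and DC
addresses are constructed. The OS-level mask on the server (255.255.0.0 in
Ulf's example) plays no part: the address is matched against the subnet
objects defined in the directory and the most specific match decides the site.
"""
import ipaddress

# Constructed design from the thread: one physical 10.1.0.0/16 LAN, production
# DCs in 10.1.1.x - 10.1.8.x, lag-site DCs kept in the virtual subnet 10.1.9.x.
SUBNET_TO_SITE = {f"10.1.{n}.0/24": "Production" for n in range(1, 9)}
SUBNET_TO_SITE["10.1.9.0/24"] = "LagSite"

# Constructed inventory: DC name -> (IP address, site the design intends it for)
DCS = {
    "DC01": ("10.1.1.10", "Production"),
    "DC02": ("10.1.4.22", "Production"),
    "LAG01": ("10.1.9.5", "LagSite"),
    "LAG02": ("10.1.8.9", "LagSite"),      # mis-addressed: still in a production subnet
    "DC03": ("10.1.12.7", "Production"),   # no subnet object covers this address
}


def site_for_address(ip: str, subnet_to_site=SUBNET_TO_SITE):
    """Return (site, subnet) of the most specific subnet object containing ip,
    or (None, None) when no subnet object covers the address."""
    addr = ipaddress.ip_address(ip)
    best_site, best_net = None, None
    for cidr, site in subnet_to_site.items():
        net = ipaddress.ip_network(cidr)
        # longest prefix wins, so a /24 carved out of a /16 takes precedence
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_site, best_net = site, net
    return (best_site, str(best_net)) if best_net is not None else (None, None)


def check_design(dcs=DCS, subnet_to_site=SUBNET_TO_SITE):
    """Sanity check for the design: list every DC whose address would not place
    it in the intended site, which is how a lag-site DC ends up on the
    production replication schedule (or the reverse)."""
    findings = []
    for name, (ip, intended) in dcs.items():
        site, subnet = site_for_address(ip, subnet_to_site)
        if site is None:
            findings.append(f"{name} ({ip}): no subnet object covers this address")
        elif site != intended:
            findings.append(f"{name} ({ip}): subnet {subnet} belongs to {site}, not {intended}")
    return findings


if __name__ == "__main__":
    for name, (ip, _) in DCS.items():
        print(name, ip, "->", site_for_address(ip))
    for line in check_design():
        print("FINDING:", line)
```

Adding a catch-all 10.1.0.0/16 subnet object for Production changes nothing for the lag-site DCs, because 10.1.9.0/24 is the more specific match; it only gives otherwise uncovered addresses such as 10.1.12.7 a site.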

RE: [ActiveDir] AD Lag Sites

2006-03-06 Thread deji
He does NOT have to save the company money, he says.
 
That's MY money you are talking about there, bucko! :)
 
Seriously, Todd, you do have to understand that a vast majority of IT shops
don't have budget for their IT folks to be as productive as they desire to
be. This is why people tend to be as creative and conservative as possible.
They want to stay as native as humanly possible and as painful as the
exercise tend to be, they typically can't do anything about it. When
management expects you to squeeze water out of rocks, you hardly have much
options.
 
The Lag Site concept is not a replacement for specialized recovery
solutions. But, the concept came about as a result of people realizing that,
much as they like the Quests and Netpros of this world, the steep price
associated with them makes those products out of reach. If you've seen the
California Cows commercials, you will begin to understand how much people
salivate over professional tools. So, what's a poor admin to do? Especially
when his/her CIO has just played golf with a buddy who has just read
something from, say, Gartner, preaching the benefits of DR, and the CIO now
wants DR implemented like, oh, say, one week ago without any additional
funding?
 
Lag Sites are NOT as expensive as any of the other options. Where budget
constraint is a factor, the Lag Site concept is the next best thing for any
AD Admin. The fact that it requires some expertise to successfully implement
and utilize IS a big plus rather than a drawback. If you are going to
administer any sizeable enterprise where DR is essential, you better start
knowing something about the inner workings of the things you are claiming to
be administering. Come to think of it, the vendors who market these
specialized recovery tools are not engaged in voodoo. By learning how things
work, you may not need to pay their protection money any longer.
 
OK, now I've said too much ;)
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Myrick, Todd
(NIH/CC/DNA) [E]
Sent: Mon 3/6/2006 10:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites



I don't really look at problems from the Trying to Save Money Approach.
I try to spend my money and use my time wisely. 

 

 I base all my value judgments on the following factors.  

 

1. Does it value people?

2. Is it priced acceptably?  (I value dominate designs, but also feel that
some innovative features are worth more if they offer added value)

3. Is the solution timely?

4. Does the solution offer reproducible results?

 

AD lag site restores seem a little advanced for general operators to be able
to perform.  To me restore operations are an operator job not an engineer's
so I want a solution that offers value to operators.

 

The standard Free AD solution to restore objects has a lot of CLI, it
doesn't restore all the attributes, it takes more time to implement, it
requires a DC be rebooted, it lacks the ability to restore single attributes,
and groups.  The lag site approach seems okay initially, but it requires more
dedicated hardware that has to be maintained, it complicates the AD design in
an unnatural way, it requires knowledge of the AD site architecture to
properly implement (You have to force replication to the rest of the forest)
and takes longer to implement a restore operation... (The user might be out in
China, where your lag site might be in the UK).

 

For me I wanted the ability to quickly restore objects using a turnkey
solution that I can delegate to trusted operators to perform.  A dedicated
person to do this task would cost about 30 to 40K per year. My base thinking
is that would work between 10K to 20K up front, and about 3 to 5% overhead
each additional year.  I gain the ability to restore all objects and
attributes, as well as groups and their memberships.  I can restore these
objects at the site the user resides, I don't have to reboot a DC to do this
operation, and I free up the engineer to be an engineer not an operator.  

 

So my priorities are different than yours. and so are my
responsibilities.  I don't have to save the company money.

 

Notice I didn't say lag sites don't work, but the number of steps involved to
do an authoritative restore compared to using a third-party product designed
for the job and the possible end results are akin to shooting a bullet and
throwing one.

 

Yeah you probably hit the target both ways. But I think my way is more
accurate, has better range, and gets the job done a lot faster and has the
potential to be more effective with less skill.

 

Todd Myrick

 



From: Frank Abagnale [mailto:[EMAIL PROTECTED] 
Sent: Saturday, March 04, 2006 5:47 AM
To: ActiveDir@mail.activedir.org

RE: [ActiveDir] AD Lag Sites

2006-03-06 Thread Myrick, Todd (NIH/CC/DNA) [E]
I also said, I have to spend my time and money wisely.
 
I am well aware of why people use lag-sites.  They always like to throw the 
money issue around... but I wonder what the TCO is really.  Maybe these major 
AD DR players should commission a study heck maybe MSFT should for both AD 
and Exchange Mailboxes.
 
I think you would do better to encourage new Admins to make sure they do a MFT 
backup of a domain controllers system state each night, then stand-up more 
sites and servers.  Then based on need select the restore method and evaluate 
the results.
 
I agree knowing how all the inner workings does help as well, but operations 
people are usually not engineers, so it is best to give them tools that have 
some workflow, and makes the operation smooth and less error prone.
 
Thanks again,
Todd



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Mon 3/6/2006 2:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites



He does NOT have to save the company money, he says.

That's MY money you are talking about there, bucko! :)

Seriously, Todd, you do have to understand that a vast majority of IT shops
don't have budget for their IT folks to be as productive as they desire to
be. This is why people tend to be as creative and conservative as possible.
They want to stay as native as humanly possible and as painful as the
exercise tend to be, they typically can't do anything about it. When
management expects you to squeeze water out of rocks, you hardly have much
options.

The Lag Site concept is not a replacement for specialized recovery
solutions. But, the concept came about as a result of people realizing that,
much as they like the Quests and Netpros of this world, the steep price
associated with them makes those products out of reach. If you've seen the
California Cows commercials, you will begin to understand how much people
salivate over professional tools. So, what's a poor admin to do? Especially
when his/her CIO has just played golf with a buddy who has just read
something from, say, Gartner, preaching the benefits of DR, and the CIO now
wants DR implemented like, oh, say, one week ago without any additional
funding?

Lag Sites are NOT as expensive as any of the other options. Where budget
constraint is a factor, the Lag Site concept is the next best thing for any
AD Admin. The fact that it requires some expertise to successfully implement
and utilize IS a big plus rather than a drawback. If you are going to
administer any sizeable enterprise where DR is essential, you better start
knowing something about the inner workings of the things you are claiming to
be administering. Come to think of it, the vendors who market these
specialized recovery tools are not engaged in voodoo. By learning how things
work, you may not need to pay their protection money any longer.

OK, now I've said too much ;)


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Myrick, Todd
(NIH/CC/DNA) [E]
Sent: Mon 3/6/2006 10:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites



I don't really look at problems from the "trying to save money" approach;
I try to spend my money and use my time wisely.



 I base all my value judgments on the following factors. 



1. Does it value people?

2. Is it priced acceptably?  (I value dominant designs, but also feel that
some innovative features are worth more if they offer added value)

3. Is the solution timely?

4. Does the solution offer reproducible results?



AD lag site restores seem a little advanced for general operators to be able
to perform.  To me restore operations are an operator job not an engineer's
so I want a solution that offers value to operators.



The standard free AD solution to restore objects has a lot of CLI, it
doesn't restore all the attributes, it takes more time to implement, it
requires a DC be rebooted, it lacks the ability to restore single attributes
and groups.  The lag site approach seems okay initially, but it requires more
dedicated hardware that has to be maintained, it complicates the AD design in
an unnatural way, it requires knowledge of the AD site architecture to
properly implement (you have to force replication to the rest of the forest)
and takes longer to implement a restore operation... (The user might be out in
China, where your lag site might be in the UK).



For me I wanted the ability to quickly restore objects using a turnkey
solution that I can delegate to trusted operators to perform.  A dedicated
person to do this task would cost about 30 to 40K per year. My base thinking
is that would work between 10K to 20K up front, and about 3 to 5% overhead
each additional year.  I gain the ability to restore all

RE: [ActiveDir] AD Lag Sites

2006-03-04 Thread Frank Abagnale
I am trying to design a full DR solution, but as I have never done one, I am sort of trying to compile a list of things which occur or I need to deal with on a daily basis and documenting a procedure for them. So far I have looked at processes for schema modification, I am now working on recovery of deleted objects via a lag site, I have budget to buy a Quest or NetPro solution but I would rather spend the budget on areas which can assist business growth. I don't feel out of place with ntdsutil, hence my research into lag sites.

frank

[EMAIL PROTECTED] wrote:

Ideally, you would place the DR DCs in a separate DR location (for obvious reasons) which would have its own set of subnets assigned. This approach caters for true DR as well as object recovery from a lag site.

If not possible, then Jorge's approach will work (although true DR is not catered for IMO).

Are you trying to design for full DR or just recovery of objects via a lag site (or both)?

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: 03 March 2006 15:29
To: Active
Subject: [ActiveDir] AD Lag Sites

Single Forest, Single Domain, W2K3 FFL

I am thinking about setting up a lag site for DR purposes. Just for clarification purposes, would I need a separate IP subnet, i.e. an IP subnet that isn't assigned to any other site in AD, to create this? All my existing IP Subnets are assigned to existing Sites which are used for normal replication, so I am assuming my question will result in a yes. Does anyone have any recommended guides to follow?

thanks frank

Relax. Yahoo! Mail virus scanning helps detect nasty viruses!

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.

Yahoo! Mail - Bring photos to life! New PhotoMail makes sharing a breeze.


RE: [ActiveDir] AD Lag Sites

2006-03-04 Thread Frank Abagnale
Todd,

You mentioned 'potentially has the ability to create more problems'. Could you outline the problems that are on your mind? I see Lag Sites as a solution to save the business money from purchasing a solution, but I still need to think about business risk if such a solution was to be implemented.

Frank

"Myrick, Todd (NIH/CC/DNA) [E]" [EMAIL PROTECTED] wrote:

Agreed. Not a big fan of the “Lag-Site”, I think it potentially has the ability to create more problems. At least MS added some limited functionality in 2003, now if they would just finish the job in Vista this topic might go to rest. (Are you there Stewart?) I do see value in Creative Subnetting, when it comes to establishing multiple sites on a physical network segment to get the KCC to replicate in a more deterministic manner. Fun to do in the classroom too when teaching subnetting.

Todd Myrick

From: Almeida Pinto, Jorge de [mailto:[EMAIL PROTECTED]
Sent: Friday, March 03, 2006 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites

7 lag sites? holy sh*t!
would it be much cheaper to use a solution that can undelete the deleted objects and restore (push back) the attributes?

jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Friday, March 03, 2006 16:59
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites

As Jorge mentioned you do not have to follow your physical subnets for Lag-Sites. Usually you would use that as a guideline, but for lag-sites you can do a sub-subnetting. AD replication does not care about the physical structure or TCP/IP-Settings (Subnetmask, Def-Gateway) - it just cares what you have configured in the sites, subnets and what IP the DC is using. So in a 10.1.x.x network you could configure all servers with 10.1.x.x IP addresses with a Subnet-Mask of 255.255.0.0, however you keep all servers in one lagsite in the same "virtual subnet" 10.1.9.x and all production Servers in 10.1.1.x - 10.1.8.x. Remember that all have the default gateway and subnet mask for 10.1.x.x. But now you create the virtual subnets in AD, and join 10.1.1.x - 10.1.8.x to the production site, and 10.1.9.x to the lag-site. AD-Replication will do what you wanted it to do, even without the need for routing.

However - and this was the main reason why I wanted to follow up on this - remember that one lag-site might not be enough. Imagine you configure your lag-site to replicate every Thursday 6pm. So if someone makes an error deleting a whole OU on e.g. Tuesday, you are recognizing it on Wednesday and are able to roll back this OU (authoritative restore on the lag site, then force replication). However if someone deletes an OU on Thursday, and you recognize it on Friday (or even Thursday 7pm) you have to restore a server from tape first, because your only lag-site has already replicated that deletion.

What I prefer is creating two lag-sites, one which replicates in the middle of the week and one which replicates on the weekend. No matter when the error will be performed (even right before replication of one of the lag-sites), we always have an at least half-week-old copy of the AD in one of the lag-sites. And I've even heard from someone using seven lag-sites for every day in the week. Perhaps he's jumping into this thread later ;-)

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Friday, March 03, 2006 4:29 PM
To: Active
Subject: [ActiveDir] AD Lag Sites

Single Forest, Single Domain, W2K3 FFL

I am thinking about setting up a lag site for DR purposes. Just for clarification purposes, would I need a separate IP subnet, i.e. an IP subnet that isn't assigned to any other site in AD, to create this? All my existing IP Subnets are assigned to existing Sites which are used for normal replication, so I am assuming my question will result in a yes. Does anyone have any recommended guides to follow?

thanks frank

Brings words and photos together (easily) with PhotoMail - it's free and works with Yahoo! Mail.

RE: [ActiveDir] AD Lag Sites

2006-03-04 Thread Frank Abagnale
Guido, this is really useful information.

I have a single domain forest so I feel comfortable with the Lag Site idea. With multi domain forest, I would assume the additional cost in maintaining this environment would justify the cost of purchasing a recovery solution.

Your point about Forced Replication is an interesting thought, I didn't realise the lag site would not be protected. I would need to put this as a potential risk.

If this is the case, my question to others who have implemented Lag Sites is how do you handle protecting the lag site from forced replication from other admins?

"Grillenmeier, Guido" [EMAIL PROTECTED] wrote:

an important factor is missing in this discussion - the opportunity and costs for leveraging lagsites highly depends on your forest structure. Even though you can use virtualization to reduce the number of physical boxes required to host a DC in a lagsite, you still need to host at least one per domain. As was pointed out before, if your goal was to recover from accidental deletions it certainly makes even more sense if you use two per domain with overlapping schedules in different sites, so that you'd theoretically always have a window of opportunity to recover the data from a lagsite even if the changes (such as deletion of objects) have just been replicated into one of the lagsites.

the number of domains in your forest will not only increase the number of (physical or virtual) DCs you need to host in your lagsite(s), but as soon as you have more than one domain, the work to be done to recover the objects and its complexity increases dramatically due to the cross-domain dependencies. You typically have to perform restore activities on a DC from every domain (think "recovery of a user's group-membership" [1]). So what's often fairly feasible for performing restores in a single domain forest can become quite a pain point for multi-domain forests. In the end the full recovery of an object involves so much work that you'd rather not do it if "just a simple user" is accidentally deleted. VIP users may be an exception and so will the deletion of a whole OU. This is where I'd say online recovery tools (such as those offered by NetPro and Quest) make a big difference - these will take care of restoring the objects in a domain incl. the necessary cross-domain data and you wouldn't hesitate to use them even for the least important user or group or many other objects.

realize that no matter how many domains you have, a lagsite can only protect you "so much" from accidental deletion. It doesn't offer full protection from replicating unwanted changes into the lagsite - forced replication doesn't care about a lagsite's schedule or about a disabled connection object = you can still force bad changes into a lagsite anytime, if the DCs are running and available on the NW. So you'd only gain real protection by isolating the lagsite DCs from the NW (either done physically or via some timed script that enables/disables the NIC).

this is not to say that I think lagsites (and specifically running DCs in VMs in lagsites) shouldn't be used at all - you should just realize that they may not be able to help for all DR occasions. They are still a helpful tool to ensure a fast recovery from other failures, such as site failures or potentially domain or forest failures (for single domain forests even for object recovery). For multi-domain forests, they could well be a part of your overall DR plan - but I also highly recommend checking out the online recovery tools for those object (or attribute) recovery situations that potentially happen more often.

/Guido

[1] if you're unaware of the issues with restoring group memberships in multi-domain environments have a look at the following whitepaper:
http://www.netpro.com/forum/files/Active_Directory_Disaster_Recovery-Part-I.pdf

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Freitag, 3. März 2006 20:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites

I think you're trying to compare apples and oranges. Yes, both solutions can help reduce the time it takes to perform a restore (given a specific scenario), but that's basically it. Lag sites are single snapshots based on the number of lag sites you deploy. The products you mention below are true backup solutions that you could, if you wanted to, perform hourly, daily, weekly, etc. backups, all of which can be restored as needed. They also typically allow attribute level restores. So if lag sites are N dollars and the software is Y dollars it doesn't really say much. You need to evaluate your own restore requirements and budget to determine what's best. It's my opinion most customers don't need lag sites and that it's a distraction from the normal backup processes they're probably failing to properly implement. But that's just me.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROT

RE: [ActiveDir] AD Lag Sites

2006-03-04 Thread Grillenmeier, Guido



Frank - I'd also be interested to hear how others protect 
themselves from forced replication in a lagsite - I'm sure most aren't aware 
it's a potential risk in the first place. As mentioned below, an option 
would be to automatically enable and disable the NIC of the respective lagsite 
DC in line with its scheduled replication window. If running as VMs you could 
also configure them to boot and shutdown automatically according to the schedule 
(I'm not a friend of "suspending" production DCs). I'd probably still prefer 
just disabling the NICs.

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Samstag, 4. März 2006 12:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites

Guido, this is really useful information.

I have a single domain forest so I feel comfortable with the Lag Site 
idea. With multi domain forest, I would assume the additional cost in 
maintaining this environment would justify the cost of purchasing 
a recovery solution.

Your point about Forced Replication is an interesting thought, I didn't 
realise the lag site would not be protected. I would need to put this as a 
potential risk.

If this is the case, my question to others who have implemented Lag Sites 
is how do you handle protecting the lag site from forced replication from 
other admins?

"Grillenmeier, Guido" [EMAIL PROTECTED] wrote:

  
  an important factor is missing in this discussion - 
  the opportunity and costs for leveraging lagsites highly depends on 
  your forest structure. Even though you can use virtualization to reduce 
  the number of physical boxes required to host a DC in a lagsite, you still 
  need to host at least one per domain. As was pointed out before, if your goal 
  was to recover from accidental deletions it certainly makes even more sense if 
  you use two per domain with overlapping schedules in different sites, so that 
  you'd theoretically always have a window of opportunity to recover the data 
  from a lagsite even if the changes (such as deletion of objects) have just been 
  replicated into one of the lagsites.
  
  the number of domains in your forest will not only 
  increase the number of (physical or virtual) DCs you need to host in your 
  lagsite(s), but as soon as you have more than one domain, the work to be done 
  to recover the objects and its complexity increases dramatically due to the 
  cross-domain dependencies. You typically have to perform restore activities on 
  a DC from every domain (think "recovery of a user's group-membership" [1]). So 
  what's often fairly feasible for performing restores in a single domain forest 
  can become quite a pain point for multi-domain forests. In the end the full 
  recovery of an object involves so much work that you'd rather not do it if 
  "just a simple user" is accidentally deleted. VIP users may be an 
  exception and so will the deletion of a whole OU. This is where 
  I'd say online recovery tools (such as those offered by NetPro and Quest) make 
  a big difference - these will take care of restoring the objects in a domain 
  incl. the necessary cross-domain data and you wouldn't hesitate to use them 
  even for the least important user or group or many other 
  objects.
  
  realize that no matter how many domains you have, a 
  lagsite can only protect you "so much" from accidental deletion. It doesn't 
  offer full protection from replicating unwanted changes into the lagsite - 
  forced replication doesn't care about a lagsite's schedule or about a disabled 
  connection object = you can still force bad changes into a lagsite 
  anytime, if the DCs are running and available on the NW. So you'd only gain 
  real protection by isolating the lagsite DCs from the NW (either done 
  physically or via some timed script that enables/disables the NIC). 
  
  
  this is not to say that I think lagsites (and 
  specifically running DCs in VMs in lagsites) shouldn't be used at all - you 
  should just realize that they may not be able to help for all DR occasions. 
  They are still a helpful tool to ensure a fast recovery from other failures, 
  such as site failures or potentially domain or forest failures (for 
  single domain forests even for object recovery). For multi-domain forests, 
  they could well be a part of your overall DR plan - but I also highly 
  recommend checking out the online recovery tools for those object (or 
  attribute) recovery situations that potentially happen more 
  often.
  
  /Guido
  
  
  [1] if you're unaware of the issues with restoring 
  group memberships in multi-domain environments have a look at the following 
  whitepaper:
  
  http://www.netpro.com/forum/files/Active_Directory_Disaster_Recovery-Part-I.pdf 
  
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
  Sent: Freitag, 3. März 2006 20:47
  To: ActiveDir@mail.activedir.org
  Subject: R

Re: [ActiveDir] AD Lag Sites

2006-03-04 Thread Irwan Hadi
On 3/3/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:
 When talking about a software solution to restore deleted objects I know 
 about:
 Netpro's RestoreADmin
 Quest's Recovery Manage for AD

 I don't know the price of both products (I guess per managed object or 
 something like that) but I would be interested in knowing where the break 
 even point is compared to a hardware solution.


I asked my Quest account manager for Quest Recovery Manager the other
day, and she said the price is $10.00 per node. The price is flat
regardless how many nodes you have. The thing that varies is of course the
discount.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] AD Lag Sites

2006-03-04 Thread Irwan Hadi
I meant the number of users in the AD.
Sorry for the confusion.

On 3/4/06, Irwan Hadi [EMAIL PROTECTED] wrote:
 On 3/3/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:
  When talking about a software solution to restore deleted objects I know 
  about:
  Netpro's RestoreADmin
  Quest's Recovery Manage for AD
 
  I don't know the price of both products (I guess per managed object or 
  something like that) but I would be interested in knowing where the break 
  even point is compared to a hardware solution.


 I asked my Quest account manager for Quest Recovery Manager the other
 day, and she said the price is $10.00 per node. The price is flat
 regardless how many nodes you have. The thing that varies is of course the
 discount.



[ActiveDir] AD Lag Sites

2006-03-03 Thread Frank Abagnale
Single Forest, Single Domain, W2K3 FFL

I am thinking about setting up a lag site for DR purposes. Just for clarification purposes, would I need a separate IP subnet, i.e. an IP subnet that isn't assigned to any other site in AD, to create this? All my existing IP Subnets are assigned to existing Sites which are used for normal replication, so I am assuming my question will result in a yes. Does anyone have any recommended guides to follow?

thanks frank

RE: [ActiveDir] AD Lag Sites

2006-03-03 Thread Almeida Pinto, Jorge de



well yes

OR

create subnet definitions of the IP addresses of the 
DCs...

Let's say you have 2 DCs in the lag site and 4 in the "normal" site:
DC01: 10.1.1.1/24
DC02: 10.1.1.2/24
DC03: 10.1.1.3/24
DC04: 10.1.1.4/24
DC05: 10.1.1.5/24
DC06: 10.1.1.6/24

For the DCs in the normal site you create the subnet 10.1.1.0/24 and assign it to that normal site.
For the DCs in the lag site you create the "subnets" 10.1.1.1/32 and 10.1.1.2/32 and assign them to that lag site.

jorge

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
  Sent: Friday, March 03, 2006 16:29
  To: Active
  Subject: [ActiveDir] AD Lag Sites
  
  Single Forest, Single Domain, W2K3 FFL 
  
  
  I am thinking about setting up a lag site for DR 
  purposes. 
  
  Just for clarification purposes, would I need a 
  separate IP subnet, i.e. an IP subnet that isn't assigned to any other 
  site in AD, to create this?
  
  All my existing IP Subnets are assigned to 
  existing Sites which are used for normal replication, so I am assuming my 
  question will result in a yes. 
  
  Does anyone have any recommended guides to follow
  
  thanks frank
  
  
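Jorge's /32 trick above, and Ulf's 10.1.9.x "virtual subnet" variant later in the thread, both rest on the same rule: a DC is placed in the site whose configured AD subnet is the longest prefix matching its IP address, whatever the host's real mask or gateway. The Python below is an added example, not code from the thread; all addresses, DC names and site names are constructed, and the second function is the check a defender would run after editing subnet objects, since a lag DC left without its /32 entry defaults to the production site.

```python
"""Site membership by longest-prefix subnet match.

Added example (not code from the thread). AD assigns an address to the
site whose configured subnet is the most specific match; the host's own
subnet mask and default gateway play no part. That is what lets two /32
"subnets" be carved out of a production /24 for the lag DCs, and what
lets 10.1.9.x act as a virtual subnet inside a flat 10.1.0.0/16.
All addresses and names below are constructed for illustration.
"""
import ipaddress

# Jorge's layout: six DCs on one /24, DC01 and DC02 destined for the lag site.
JORGE_SUBNETS = {
    "10.1.1.0/24": "Production",
    "10.1.1.1/32": "LagSite",
    "10.1.1.2/32": "LagSite",
}
JORGE_DCS = {  # name -> (ip, site the design intends)
    "DC01": ("10.1.1.1", "LagSite"),
    "DC02": ("10.1.1.2", "LagSite"),
    "DC03": ("10.1.1.3", "Production"),
    "DC04": ("10.1.1.4", "Production"),
    "DC05": ("10.1.1.5", "Production"),
    "DC06": ("10.1.1.6", "Production"),
}

# Ulf's variant: a flat 10.1.x.x network split into virtual /24s in AD only.
ULF_SUBNETS = {f"10.1.{n}.0/24": "Production" for n in range(1, 9)}
ULF_SUBNETS["10.1.9.0/24"] = "LagSite"


def site_for(ip, subnet_map):
    """Return (site, subnet) for `ip` using the longest matching prefix,
    or (None, None) when no configured subnet covers the address."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnet_map.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (site, net)
    return (None, None) if best is None else (best[0], str(best[1]))


def misplaced_dcs(dcs, subnet_map):
    """Names of DCs whose computed site differs from the intended one.

    A lag DC whose address maps to the production site would be offered
    that site at promotion time, so this is the check to run whenever the
    subnet objects are edited.
    """
    return [name for name, (ip, intended) in dcs.items()
            if site_for(ip, subnet_map)[0] != intended]


def without(subnet_map, cidr):
    """Copy of `subnet_map` with one entry dropped (a forgotten subnet object)."""
    return {k: v for k, v in subnet_map.items() if k != cidr}


if __name__ == "__main__":
    for name, (ip, _) in JORGE_DCS.items():
        print(name, ip, "->", site_for(ip, JORGE_SUBNETS))
    # Simulate the /32 for DC02 never having been created.
    print("misplaced:", misplaced_dcs(JORGE_DCS, without(JORGE_SUBNETS, "10.1.1.2/32")))
```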


RE: [ActiveDir] AD Lag Sites

2006-03-03 Thread John Roberts



Here's a good explanation of the setup.
http://www.windowsitpro.com/Windows/Articles/ArticleID/42932/pg/1/1.html

You are required to somehow isolate the delayed servers in 
a unique site to control the replication window. The subnet scope can be as 
narrow as the IP address of the DC.
The last setup I used was 2 delayed DCs running on Virtual 
Server, each with a 7 day replication lag. This allowed us to restore objects 
deleted up to 14 days ago.

John Roberts
JLR Technology Solutions


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Friday, March 03, 2006 10:29 AM
To: Active
Subject: [ActiveDir] AD Lag Sites

Single Forest, Single Domain, W2K3 FFL 


I am thinking about setting up a lag site for DR 
purposes. 

Just for clarification purposes, would I need a 
separate IP subnet, i.e. an IP subnet that isn't assigned to any other site 
in AD, to create this?

All my existing IP Subnets are assigned to existing 
Sites which are used for normal replication, so I am assuming my question will 
result in a yes. 

Does anyone have any recommended guides to follow

thanks frank




RE: [ActiveDir] AD Lag Sites

2006-03-03 Thread Ulf B. Simon-Weidner



As Jorge mentioned you do not have to follow your physical 
subnets for Lag-Sites. Usually you would use that as a guideline, but for 
lag-sites you can do a sub-subnetting. AD replication does not care about the 
physical structure or TCP/IP-Settings (Subnetmask, Def-Gateway) - it just cares 
what you have configured in the sites, subnets and what IP the DC is using. So 
in a 10.1.x.x network you could configure all servers with 10.1.x.x 
IP addresses with a Subnet-Mask of 255.255.0.0, however you keep all servers in 
one lagsite in the same "virtual subnet" 10.1.9.x and all production Servers in 
10.1.1.x - 10.1.8.x. Remember that all have the default gateway and subnet mask 
for 10.1.x.x. But now you create the virtual subnets in AD, and join 10.1.1.x - 
10.1.8.x to the production site, and 10.1.9.x to the lag-site. AD-Replication 
will do what you wanted it to do, even without the need for 
routing.

However - and this was the main reason why I wanted to 
follow up on this - remember that one lag-site might not be enough. Imagine you 
configure your lag-site to replicate every Thursday 6pm. So if someone 
makes an error deleting a whole OU on e.g. Tuesday, you are recognizing it on 
Wednesday and are able to roll back this OU (authoritative restore on the lag 
site, then force replication). However if someone deletes an OU on Thursday, and 
you recognize it on Friday (or even Thursday 7pm) you have to restore a server 
from tape first, because your only lag-site has already replicated that 
deletion.

What I prefer is creating two lag-sites, one which 
replicates in the middle of the week and one which replicates on the weekend. No 
matter when the error will be performed (even right before replication of one of 
the lag-sites), we always have an at least half-week-old copy of the AD 
in one of the lag-sites. And I've even heard from someone 
using seven lag-sites for every day in the week. Perhaps he's jumping into this 
thread later ;-)

Gruesse - Sincerely, 
Ulf B. Simon-Weidner 
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
  Sent: Friday, March 03, 2006 4:29 PM
  To: Active
  Subject: [ActiveDir] AD Lag Sites
  
  Single Forest, Single Domain, W2K3 FFL 
  
  
  I am thinking about setting up a lag site for DR 
  purposes. 
  
  Just for clarification purposes, would I need a 
  separate IP subnet, i.e. an IP subnet that isn't assigned to any other 
  site in AD, to create this?
  
  All my existing IP Subnets are assigned to 
  existing Sites which are used for normal replication, so I am assuming my 
  question will result in a yes. 
  
  Does anyone have any recommended guides to follow
  
  thanks frank
  
  
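Ulf's point that a single Thursday-18:00 lag site leaves no usable copy for a deletion made on Thursday and noticed on Friday, and Guido's earlier suggestion of two lag sites per domain with overlapping schedules, come down to a small calendar calculation. The Python below is an added example, not code from the thread; the schedules (one Thursday site, a Wednesday/Sunday pair, and a seven-site daily set), the March 2006 dates and the site names are all constructed to match the scenarios discussed.

```python
"""Recovery-window check for AD lag-site schedules.

Added example (not code from the thread). A lag-site DC holds production
data as of its most recent scheduled replication, so a deletion can be
recovered from it only while that snapshot predates the deletion.
Schedules are (weekday, hour) with Monday == 0, as in datetime.weekday();
every value below is constructed for illustration.
"""
from datetime import datetime, timedelta

WEEK = timedelta(days=7)
HOUR = timedelta(hours=1)

# Constructed schedules matching the scenarios in the thread.
ONE_SITE = {"lag-thu": (3, 18)}                       # Ulf's single Thursday 18:00 site
TWO_SITES = {"lag-wed": (2, 18), "lag-sun": (6, 18)}  # mid-week plus weekend
SEVEN_SITES = {f"lag-{d}": (d, 18) for d in range(7)}  # one lag site per weekday


def when(day, hour):
    """Shorthand for a datetime in March 2006, the week this thread ran
    (6 March 2006 is a Monday, so day 9 is Thursday and day 10 Friday)."""
    return datetime(2006, 3, day, hour)


def next_replication(schedule, moment):
    """Earliest scheduled replication at or after `moment`.

    A change made in the same minute as a run counts as picked up by that
    run, which is the conservative assumption for recovery planning.
    """
    weekday, hour = schedule
    candidate = moment.replace(hour=hour, minute=0, second=0, microsecond=0)
    candidate += timedelta(days=(weekday - moment.weekday()) % 7)
    if candidate < moment:
        candidate += WEEK
    return candidate


def snapshot_time(schedule, moment):
    """Most recent scheduled replication at or before `moment`."""
    nxt = next_replication(schedule, moment)
    return nxt if nxt == moment else nxt - WEEK


def usable_lag_sites(lag_sites, deleted_at, noticed_at):
    """Lag sites that still hold the pre-deletion copy when the loss is noticed.

    A site whose latest replication ran after the deletion has already taken
    the tombstone; for those, a restore from tape is what remains.
    """
    return [name for name, sched in lag_sites.items()
            if snapshot_time(sched, noticed_at) < deleted_at]


def notice_deadline(lag_sites, deleted_at):
    """Moment from which no lag site holds the pre-deletion copy any more."""
    return max(next_replication(s, deleted_at) for s in lag_sites.values())


def guaranteed_window_hours(lag_sites):
    """Worst-case hours between a deletion and the loss of the last clean copy.

    Samples every hour of one week; the worst case is a deletion in the same
    hour as one site's replication run.
    """
    start = datetime(2006, 3, 6)  # a Monday; only the weekday pattern matters
    windows = []
    for h in range(7 * 24):
        t = start + h * HOUR
        windows.append((notice_deadline(lag_sites, t) - t) / HOUR)
    return min(windows)


if __name__ == "__main__":
    deleted, noticed = when(9, 15), when(10, 9)  # Thursday 15:00, noticed Friday 09:00
    print("one site :", usable_lag_sites(ONE_SITE, deleted, noticed))
    print("two sites:", usable_lag_sites(TWO_SITES, deleted, noticed))
    for label, sites in (("one", ONE_SITE), ("two", TWO_SITES), ("seven", SEVEN_SITES)):
        print(f"{label}: guaranteed {guaranteed_window_hours(sites):.0f} h to notice")
```

The worst-case figures (0 h for one site, 72 h for the Wednesday/Sunday pair, 144 h for seven daily sites) are exactly Ulf's "at least half a week" with two sites.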


RE: [ActiveDir] AD Lag Sites

2006-03-03 Thread neil.ruston



Ideally, you would place the DR DCs in a separate DR 
location (for obvious reasons) which would have its own set of subnets 
assigned. This approach caters for true DR as well as object recovery from a lag 
site.

If not possible, then Jorge's approach will work (although 
true DR is not catered for IMO).

Are you trying to design for full DR or just recovery of 
objects via a lag site (or both)?

neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: 03 March 2006 15:29
To: Active
Subject: [ActiveDir] AD Lag Sites

Single Forest, Single Domain, W2K3 FFL 


I am thinking about setting up a lag site for DR 
purposes. 

Just for clarification purposes, would I need a 
separate IP subnet, i.e. an IP subnet that isn't assigned to any other site 
in AD, to create this?

All my existing IP Subnets are assigned to existing 
Sites which are used for normal replication, so I am assuming my question will 
result in a yes. 

Does anyone have any recommended guides to follow

thanks frank







RE: [ActiveDir] AD Lag Sites

2006-03-03 Thread Almeida Pinto, Jorge de



7 lag sites? holy sh*t!
would it be much cheaper to use a solution that can 
undelete the deleted objects and restore (push back) the 
attributes?

jorge

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
  Sent: Friday, March 03, 2006 16:59
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] AD Lag Sites
  
  As Jorge mentioned you do not have to follow your 
  physical subnets for Lag-Sites. Usually you would use that as a guideline, but 
  for lag-sites you can do a sub-subnetting. AD replication does not care about 
  the physical structure or TCP/IP-Settings (Subnetmask, Def-Gateway) - it just 
  cares what you have configured in the sites, subnets and what IP the DC is 
  using. So in a 10.1.x.x network you could configure all servers with 
  10.1.x.x IP addresses with a Subnet-Mask of 255.255.0.0, however you keep all 
  servers in one lagsite in the same "virtual subnet" 10.1.9.x and all 
  production Servers in 10.1.1.x - 10.1.8.x. Remember that all have the default 
  gateway and subnet mask for 10.1.x.x. But now you create the virtual subnets 
  in AD, and join 10.1.1.x - 10.1.8.x to the production site, and 10.1.9.x to 
  the lag-site. AD-Replication will do what you wanted it to do, even without 
  the need for routing.
  
  However - and this was the main reason why I wanted to 
  follow up on this - remember that one lag-site might not be enough. Imagine 
  you configure your lag-site to replicate everythursday 6pm. So if 
  someone makes an error deleting a whole OU on e.g. Tuesday, you are 
  recognizing it on Wednesday and are able to rollback this OU (authoritative 
  restore on the lag site, then force replication). However if someone deletes a 
  OU on thursday, and you recognize it on friday (or even thursday 7pm) you have 
  to restore a server from tape first, because your only lag-site has already 
  replicated that deletion.
  
  What I prefer is creating two lag-sites, one which 
  replicates in the middle of the week and one which replicates on the weekend. 
  No matter when the error will be performed (even right before replication of 
  one of the lag-sites), we always have a at least half week old copy of the AD 
  intheone of theLag-Site. And I've even heard 
  fromsomeone using seven lag-sites for every day in the week. Perhaps 
  he's jumping into this thread later ;-)
  
  Gruesse - Sincerely, 
  
  Ulf B. Simon-Weidner 
   MVP-Book "Windows XP - Die 
  Expertentipps": http://tinyurl.com/44zcz Weblog: 
  http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org Profile:http://mvp.support.microsoft.com/profile="">
  
  


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Frank 
AbagnaleSent: Friday, March 03, 2006 4:29 PMTo: 
    ActiveSubject: [ActiveDir] AD Lag Sites

Single Forest, Single Domain, W2K3 FFL 


I am thinking about setting up a lag site for 
DR purposes. 

Just for clarification purposes, would I need a 
separate IP subnet i.eIP subnetthat isn't assigned to any other 
site in ADto create this?

All my existing IP Subnets are assigned to 
existing Sites which are used for normal replication, so I am assuming my 
question will result in a yes. 

Does anyone have any recommended guides to follow

thanks frank


Relax. Yahoo! Mail virus 
scanning helps detect nasty viruses!

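Ulf's point above, that one lag site leaves a gap if the deletion happens shortly before its window, worked through as an added example. This is editor's code, not from any poster in the thread: a small PowerShell model of weekly replication windows that reports, for a given deletion time and the time the deletion was noticed, which lag sites still hold a copy taken before the deletion. It needs no domain connection; the site names, window times and incident timestamps are constructed for illustration.

```powershell
# Added example (editor's code, not from the thread): model which lag sites
# still hold a pre-deletion copy of the directory when an accidental deletion
# is noticed. Pure PowerShell; no domain connection needed. Site names,
# windows and incident times below are constructed for illustration.

# One replication window of a lag site's site link: weekday, start hour,
# length in hours (the link is closed the rest of the week).
function New-LagWindow {
    param(
        [Parameter(Mandatory)][System.DayOfWeek]$Day,
        [Parameter(Mandatory)][ValidateRange(0, 23)][int]$StartHour,
        [ValidateRange(1, 23)][int]$DurationHours = 1
    )
    [pscustomobject]@{ Day = $Day; StartHour = $StartHour; DurationHours = $DurationHours }
}

# Latest moment, at or before $At, at which the lag DC may have pulled changes:
# the end of the most recent window, or $At itself if a window is still open
# (a deletion made during an open window must be assumed to have replicated).
function Get-LastReplication {
    param(
        [Parameter(Mandatory)][pscustomobject[]]$Windows,
        [Parameter(Mandatory)][datetime]$At
    )
    $ends = foreach ($w in $Windows) {
        $start = $At.Date.AddHours($w.StartHour)
        # Step back one day at a time until we hit the right weekday with start <= $At.
        while ($start.DayOfWeek -ne $w.Day -or $start -gt $At) {
            $start = $start.AddDays(-1)
        }
        $end = $start.AddHours($w.DurationHours)
        if ($end -gt $At) { $At } else { $end }
    }
    $ends | Sort-Object -Descending | Select-Object -First 1
}

# For each lag site: when it last replicated and whether that was strictly
# before the deletion, i.e. whether it still holds a clean copy to restore from.
function Get-LagSiteCoverage {
    param(
        [Parameter(Mandatory)][hashtable]$LagSites,   # site name -> array of windows
        [Parameter(Mandatory)][datetime]$DeletedAt,
        [Parameter(Mandatory)][datetime]$NoticedAt
    )
    foreach ($name in ($LagSites.Keys | Sort-Object)) {
        $last = Get-LastReplication -Windows $LagSites[$name] -At $NoticedAt
        [pscustomobject]@{
            LagSite         = $name
            LastReplication = $last
            HoldsCleanCopy  = ($last -lt $DeletedAt)
        }
    }
}

# Ulf's single lag site, open Thursday 18:00-19:00.
$single = @{ 'Lag-Thu' = @(New-LagWindow -Day Thursday -StartHour 18) }

# His two-site variant: one mid-week window, one at the weekend.
$pair = @{
    'Lag-Midweek' = @(New-LagWindow -Day Wednesday -StartHour 18)
    'Lag-Weekend' = @(New-LagWindow -Day Saturday  -StartHour 18)
}

# Constructed incident: an OU is deleted on Thursday 2006-03-02 at 17:30 and
# the deletion is noticed at 19:00 the same evening, after the window closed.
$deletedAt = [datetime]'2006-03-02T17:30:00'
$noticedAt = [datetime]'2006-03-02T19:00:00'

Get-LagSiteCoverage -LagSites $single -DeletedAt $deletedAt -NoticedAt $noticedAt | Format-Table -AutoSize
Get-LagSiteCoverage -LagSites $pair   -DeletedAt $deletedAt -NoticedAt $noticedAt | Format-Table -AutoSize
```

The first call reproduces Ulf's failure case (the only lag site replicated between the deletion and its discovery); the second shows the Wednesday/Saturday pair still holding a clean copy. The model is deliberately conservative: a window that is still open when the deletion is noticed is treated as having replicated. It also assumes the deletion has reached the lag DC's replication partner before the window opens, which holds in practice when intra-forest convergence takes minutes and windows are days apart.
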

RE: [ActiveDir] AD Lag Sites

2006-03-03 Thread Brian Desmond

Pizza boxes are available from Dell for like under 2 grand rack rate most
days, so that's probably questionable. 

Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

RE: [ActiveDir] AD Lag Sites

2006-03-03 Thread Brian Desmond

You can also just define /32 aka host subnets. So you create Lag Site 1,
and subnet 10.1.2.3 255.255.255.255 (the IP of your lag dc).

Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

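Brian's /32 host-subnet trick and Ulf's "virtual subnet" plus scheduled site link, shown as an added example of how the site objects are actually created. This is editor's code, not from the thread; it uses the ActiveDirectory PowerShell module (Windows Server 2012 or later, or RSAT), which did not exist when the thread was written. The site names Production and LagSite-A, the link name Lag-A-Link, the cost and the replication interval are assumptions; 10.1.2.3 is Brian's example address.

```powershell
# Added example (editor's code, not from the thread): carve a lag site out of
# the production network with a /32 host subnet and give its site link a
# one-hour window on Thursday evening. Needs the ActiveDirectory module and
# rights to the Configuration partition. Names and the IP are assumptions.

Import-Module ActiveDirectory

$lagSite  = 'LagSite-A'      # assumed name of the new lag site
$prodSite = 'Production'     # assumed name of the existing site the lag DC pulls from
$lagDcIp  = '10.1.2.3'       # lag DC address, still inside the 10.1.0.0/16 network
$linkName = 'Lag-A-Link'     # assumed name of the dedicated site link

# 1. The site object itself.
New-ADReplicationSite -Name $lagSite

# 2. A host subnet. Site mapping uses only the subnet objects in AD, not the
#    DC's own mask or default gateway, so a /32 pulls exactly this DC into the
#    lag site while 10.1.0.0/16 (or 10.1.2.0/24) stays mapped to production.
New-ADReplicationSubnet -Name "$lagDcIp/32" -Site $lagSite

# 3. Schedule: open Thursday 18:00-19:00 only (15-minute granularity; the
#    "to" values name the last quarter hour that is open).
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.ResetSchedule()
$schedule.SetSchedule([DayOfWeek]::Thursday,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Eighteen,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Eighteen,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::FortyFive)

# 4. A dedicated site link between production and the lag site. The high cost
#    keeps the lag link out of any least-cost path other sites might compute.
New-ADReplicationSiteLink -Name $linkName `
    -SitesIncluded $prodSite, $lagSite `
    -InterSiteTransportProtocol IP `
    -Cost 500 `
    -ReplicationFrequencyInMinutes 15 `
    -ReplicationSchedule $schedule

# 5. The lag site must be reachable through this link only. Membership in
#    DEFAULTIPSITELINK (always open) would defeat the schedule. Harmless if
#    the site was never a member.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' `
    -SitesIncluded @{Remove = $lagSite} -ErrorAction SilentlyContinue

# 6. Verify: the /32 maps to the lag site and the link carries the schedule.
Get-ADReplicationSubnet -Identity "$lagDcIp/32" | Select-Object Name, Site
Get-ADReplicationSiteLink -Identity $linkName -Properties ReplicationSchedule |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
```

Two checks a practitioner will want before relying on this: confirm with `repadmin /showrepl <LagDC>` that the lag DC's only inbound partner is a production DC over this link, and, when the day comes to restore from it, first run `repadmin /options <LagDC> +DISABLE_INBOUND_REPL` so the next window cannot pull the deletion in while the authoritative restore is in progress (re-enable with `-DISABLE_INBOUND_REPL` afterwards).
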
RE: [ActiveDir] AD Lag Sites

2006-03-03 Thread Tony Murray

I think Rick Kingslan did something like this with virtual 
machines. I'll ping him to see if he has any comment.

Tony

RE: [ActiveDir] AD Lag Sites

2006-03-03 Thread Almeida Pinto, Jorge de
When talking about a software solution to restore deleted objects I know 
about:
Netpro's RestoreADmin
Quest's Recovery Manager for AD
 
I don't know the price of both products (I guess per managed object or 
something like that) but I would be interested in knowing where the break even 
point is compared to a hardware solution.
 
And for a hardware solution you can use:
* just hardware, where you need at least 1 DC per domain in the lag site (for 
each day of the week that would be 7 DCs per domain) (not forgetting licensing 
for the server OS)
* hardware combined with software (e.g. ESX/GSX or virtual server) (not 
forgetting licensing for the server OS and the virtual solution)
 
I'm very interested in hearing what folks have chosen and how much it costs and 
of course why that particular solution. Of course don't forget to mention the 
type of environment and size
 
but let's start by pinging Rick...
 
ping rick.kingslan.microsoft
 
;-)
 
jorge

RE: [ActiveDir] AD Lag Sites

2006-03-03 Thread David Adner
I think you're trying to compare apples and oranges.  Yes, both solutions
can help reduce the time it takes to perform a restore (given a specific
scenario), but that's basically it.  Lag sites are single snapshots based on
the number of lag sites you deploy.  The products you mention below are true
backup solutions that you could, if you wanted to, perform hourly, daily,
weekly, etc backups, all of which can be restored as needed.  They also
typically allow attribute level restores.
 
So if lag sites are N dollars and the software is Y dollars it doesn't
really say much.  You need to evaluate your own restore requirements and
budget to determine what's best.  It's my opinion most customers don't need
lag sites and that it's a distraction from the normal backup processes
they're probably failing to properly implement.  But that's just me.


RE: [ActiveDir] AD Lag Sites

2006-03-03 Thread Ulf B. Simon-Weidner

Think virtualisation - where I've implemented lag-sites 
they are running on VMs. The software-solutions I was looking at at this point 
were way more expensive than running 4 DCs virtualized on the same machine (1 
root-dc and one account-dc per lag-site).

I do not agree that lag-sites need to run in a physically 
separate site. I do agree that you want two datacenters which are physically 
separate, however if one DC burns down you usually do not need lag-sites (the 
AD-Info is still in the other datacenter or in a branch), if all datacenters plus 
branches are burned down you don't need a lag-site - you need a working backup 
which isn't burned.

Gruesse - Sincerely, 
Ulf B. Simon-Weidner 
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

RE: [ActiveDir] AD Lag Sites

2006-03-03 Thread Myrick, Todd (NIH/CC/DNA) [E]

Agreed.

Not a big fan of the Lag-Site,
I think it potentially has the ability to create more problems. At least
MS added some limited functionality in 2003, now if they would just finish the
job in Vista this topic might go to rest. (Are you there Stewart?) 

I do see value in Creative Subnetting,
when it comes to establishing multiple sites on a physical network segment to get
the KCC to replicate in a more deterministic manner. Fun to do in the
classroom too when teaching subnetting.

Todd Myrick

RE: [ActiveDir] AD Lag Sites

2006-03-03 Thread Grillenmeier, Guido



An important factor is missing in this discussion - the opportunity and costs
for leveraging lagsites highly depend on your forest structure. Even though you
can use virtualization to reduce the number of physical boxes required to host
a DC in a lagsite, you still need to host at least one per domain. As was
pointed out before, if your goal is to recover from accidental deletions it
certainly makes even more sense if you use two per domain with overlapping
schedules in different sites, so that you'd theoretically always have a window
of opportunity to recover the data from a lagsite even if the changes (such as
deletion of objects) have just been replicated into one of the lagsites.

The number of domains in your forest will not only increase the number of
(physical or virtual) DCs you need to host in your lagsite(s), but as soon as
you have more than one domain, the work to be done to recover the objects and
its complexity increase dramatically due to the cross-domain dependencies. You
typically have to perform restore activities on a DC from every domain (think
"recovery of a user's group-membership" [1]). So what's often fairly feasible
for performing restores in a single-domain forest can become quite a pain point
for multi-domain forests. In the end the full recovery of an object involves so
much work that you'd rather not do it if "just a simple user" is accidentally
deleted. VIP users may be an exception and so will the deletion of a whole OU.
This is where I'd say online recovery tools (such as those offered by NetPro
and Quest) make a big difference - these will take care of restoring the
objects in a domain incl. the necessary cross-domain data and you wouldn't
hesitate to use them even for the least important user or group or many other
objects.

Realize that no matter how many domains you have, a lagsite can only protect
you "so much" from accidental deletion. It doesn't offer full protection from
replicating unwanted changes into the lagsite - forced replication doesn't care
about a lagsite's schedule or about a disabled connection object = you can
still force bad changes into a lagsite anytime, if the DCs are running and
available on the NW. So you'd only gain real protection by isolating the
lagsite DCs from the NW (either done physically or via some timed script that
enables/disables the NIC).

This is not to say that I think lagsites (and specifically running DCs in VMs
in lagsites) shouldn't be used at all - you should just realize that they may
not be able to help for all DR occasions. They are still a helpful tool to
ensure a fast recovery from other failures, such as site-failures or
potentially domain or forest failures (for single domain forests even for
object recovery). For multi-domain forests, they could well be a part of your
overall DR plan - but I also highly recommend checking out the online recovery
tools for those object (or attribute) recovery situations that potentially
happen more often.

/Guido


[1] If you're unaware of the issues with restoring group memberships in
multi-domain environments, have a look at the following whitepaper:

http://www.netpro.com/forum/files/Active_Directory_Disaster_Recovery-Part-I.pdf

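A defender-side check for the bypass Guido describes above (forced replication ignoring the lag site's schedule), added here as an example and not taken from the list post or any vendor: it parses `repadmin /showrepl` output captured on the lag DC and flags inbound partners whose last successful replication is newer than the lag schedule allows (the lag was bypassed) or much older than it (the lag site is not receiving its scheduled copies, so its copy is not what you think it is). The sample output, host names, GUIDs and naming contexts are constructed for the example and follow the layout of repadmin's output as I know it; the regular expressions assume that layout.

```python
"""Detect off-schedule replication into a lag-site DC from repadmin output.

A lag site only protects you while nothing has replicated into it since its
last scheduled window. `repadmin /showrepl`, run on the lag DC, reports the
last successful inbound replication per partner and naming context. Anything
newer than the expected snapshot means the lag was bypassed (a forced sync);
anything far older means the lag site is not getting its scheduled copies.
"""
import re
from datetime import datetime, timedelta

# Constructed sample of `repadmin /showrepl` output on a lag DC. Host names,
# GUIDs and naming contexts are made up for this example.
SAMPLE_SHOWREPL = r"""
Repadmin: running command /showrepl against full DC LAGDC1
Lag-Site-Midweek\LAGDC1
DSA Options: (none)
Site Options: (none)
DSA object GUID: 00000000-0000-0000-0000-000000000001
DSA invocationID: 00000000-0000-0000-0000-000000000002

==== INBOUND NEIGHBORS ======================================

DC=example,DC=test
    Hub-Site\HUBDC1 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000003
        Last attempt @ 2006-03-01 18:00:12 was successful.

CN=Configuration,DC=example,DC=test
    Hub-Site\HUBDC1 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000003
        Last attempt @ 2006-03-02 15:41:03 was successful.

CN=Schema,CN=Configuration,DC=example,DC=test
    Hub-Site\HUBDC2 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000004
        Last attempt @ 2006-03-02 15:41:05 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        2 consecutive failure(s).
        Last success @ 2006-02-22 18:00:09.
"""

NC_LINE = re.compile(r"^(?:DC|CN)=")                   # naming context header, column 0
PARTNER_LINE = re.compile(r"^\s+(\S+\\\S+) via RPC")   # "Site\DC via RPC"
TIMESTAMP = r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
ATTEMPT_OK = re.compile(r"Last attempt @ " + TIMESTAMP + r" was successful")
LAST_SUCCESS = re.compile(r"Last success @ " + TIMESTAMP)


def parse_showrepl(text):
    """Map (naming_context, partner) -> latest successful inbound replication."""
    latest = {}
    nc = partner = None
    for line in text.splitlines():
        if NC_LINE.match(line):
            nc = line.strip()
            continue
        m = PARTNER_LINE.match(line)
        if m:
            partner = m.group(1)
            continue
        m = ATTEMPT_OK.search(line) or LAST_SUCCESS.search(line)
        if m and nc and partner:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            key = (nc, partner)
            latest[key] = max(latest.get(key, ts), ts)
    return latest


def check_lag_site(latest, expected_snapshot, tolerance=timedelta(hours=1)):
    """Classify each inbound partner against the lag schedule.

    expected_snapshot: when the lag DC should last have replicated (datetime
    or ISO string). Returns {"forced": [...], "stale": [...]} of
    (naming_context, partner, timestamp) tuples; "forced" entries replicated
    after the window (schedule bypassed), "stale" ones never got the window.
    """
    if isinstance(expected_snapshot, str):
        expected_snapshot = datetime.fromisoformat(expected_snapshot)
    rows = sorted(latest.items())
    forced = [(nc, p, ts) for (nc, p), ts in rows if ts > expected_snapshot + tolerance]
    stale = [(nc, p, ts) for (nc, p), ts in rows if ts < expected_snapshot - tolerance]
    return {"forced": forced, "stale": stale}


if __name__ == "__main__":
    # Lag site slot is Wednesday 18:00; the sample was taken on Friday 2006-03-03.
    report = check_lag_site(parse_showrepl(SAMPLE_SHOWREPL), "2006-03-01T18:00")
    for kind, rows in report.items():
        for nc, partner, ts in rows:
            print(f"{kind.upper():6} {ts}  {partner}  {nc}")
```

On a real lag DC you would feed it `repadmin /showrepl > showrepl.txt` and run the check right after each scheduled window closes; a "forced" hit is the signal that somebody replicated into the lag site outside the schedule, which is exactly the case where the lag site no longer gives you a pre-change copy.
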
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Friday, 3 March 2006 20:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites

I think you're trying to compare apples and oranges. Yes, both solutions can
help reduce the time it takes to perform a restore (given a specific scenario),
but that's basically it. Lag sites are single snapshots based on the number of
lag sites you deploy. The products you mention below are true backup solutions
with which you could, if you wanted to, perform hourly, daily, weekly, etc.
backups, all of which can be restored as needed. They also typically allow
attribute-level restores.

So if lag sites are N dollars and the software is Y dollars it doesn't really
say much. You need to evaluate your own restore requirements and budget to
determine what's best. It's my opinion most customers don't need lag sites and
that it's a distraction from the normal backup processes they're probably
failing to properly implement. But that's just me.

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
  Sent: Friday, March 03, 2006 1:20 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] AD Lag Sites

  When talking about "a software solution to restore deleted objects" I know about:
  Netpro's RestoreADmin
  Quest's Recovery Manager for AD

  I don't know the price of both products (I guess per managed object or
  something like that) but I would be interested in knowing where the
  break-even point is compared to a hardware solution.

  And for a hardware solution you can use:
  * just hardware, where you need at