RE: [ActiveDir] AD lag sites and replication
Thanks Mark. I'll take a look at that option... As to why I feel this may be an issue - let's just say I work in a company that has 4 autonomous infras today, which are all coming together soon under one new infra. [I'm the poor sucker tasked with designing this new infra as well as the new support model and policies and procedures etc. etc.!] There will be a number of service admins across the globe, most of which I have no jurisdiction over, as of today. The level of trust between the 4 'areas' will likely grow in time, but initially we need to have a very strong degree of control and monitoring within the env so as to ensure that admins are doing what they are supposed to do and also that they are not impacting other areas. [To that end, I'm evaluating various tools in spaces such as GPO, security monitoring and such like.] I know this all sounds as though we need to stick with multi forests until we have better collaboration and trust in place, but it's never that easy since politics is mixed in with technical arguments. The project described above is being used as a guinea pig or sounding board too. If we succeed, then we'll be used as an example for future global projects within the firm [no pressure then!]

Thanks to all for the great feedback.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Parris
Sent: 30 May 2006 16:17
To: ActiveDir.org
Subject: Re: [ActiveDir] AD lag sites and replication

Neil,

You could always hack the replication epoch values - but then again..

M

-----Original Message-----
From: Dave Wade [EMAIL PROTECTED]
Date: Tue, 30 May 2006 14:36:34
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

Al,

Sorry, I mis-read it. I thought it was just controlling bandwidth, but now I look it's specific lag. However I still think that this could be dangerous and cause more problems than it solves.

Dave.
RE: [ActiveDir] AD lag sites and replication
Return Receipt: your document "RE: [ActiveDir] AD lag sites and replication" was received by Justin Leney/US/DCI at 05/31/2006 09:37:26 AM.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] AD lag sites and replication
Title: AD lag sites and replication

You can look at the ACLs on your NC Head objects to see who can do what, but last I checked, it didn't even take domain admins to force replication; a normal administrator account could do it. Anyway, an admin or a domain admin could always escalate to enterprise admin if they needed it. In my mind, anyone who has any of those admin IDs is an Enterprise Admin in my head. In fact even if they have Acc Op or Srv Op they are practically EAs.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave Wade
Sent: Wednesday, May 31, 2006 3:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

Joe,

I thought (and it's a long time since I looked) that you needed to be an enterprise admin to force replication in AD Sites and Services... You can force replication in the domain context in replmon. I guess that this begs another question:

1. Are you trying to stop replication in all replication contexts?

Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: 31 May 2006 00:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

I am confused by your #2. Are you saying that admins can't force replication outside of the normal replication periods?
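The check joe suggests above, looking at the NC head ACLs to see who can force replication, as an added example. This script is not part of the thread or of any project discussed in it; it assumes the ActiveDirectory PowerShell module (its AD: drive is what Get-Acl reads here) and an account that can read the ACLs on the naming-context heads. The two extended-right GUIDs are the schema's DS-Replication-Synchronize and DS-Replication-Manage-Topology controlAccessRight objects.

```powershell
# Added example (not from the thread): enumerate who holds the extended rights
# that let an account trigger replication (Synchronize) or change connection
# objects and schedules (Manage-Topology) on each NC head. Assumes the
# ActiveDirectory module is installed and the caller can read the NC head ACLs.
Import-Module ActiveDirectory

# Well-known controlAccessRight GUIDs from the AD schema.
$ReplicationRights = @{
    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Synchronize'      # "force replication"
    '1131f6ac-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Manage-Topology'  # connection objects / schedules
}
$AllExtendedRights = [guid]::Empty.ToString()   # an ACE with an empty GUID grants every extended right

function Get-ReplicationRightHolders {
    param([string[]]$NamingContexts)
    foreach ($nc in $NamingContexts) {
        $acl = Get-Acl -Path "AD:\$nc"
        foreach ($ace in $acl.Access) {
            $guid = $ace.ObjectType.ToString()
            $rights = $ace.ActiveDirectoryRights
            $hasGenericAll = $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
            $hasExtended   = $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
            $right = $null
            # GenericAll is checked first because it also satisfies the ExtendedRight flag.
            if ($hasGenericAll) { $right = 'GenericAll (includes all extended rights)' }
            elseif ($hasExtended -and $ReplicationRights.ContainsKey($guid)) { $right = $ReplicationRights[$guid] }
            elseif ($hasExtended -and $guid -eq $AllExtendedRights) { $right = 'All extended rights' }
            if ($right) {
                [pscustomobject]@{
                    NamingContext = $nc
                    Identity      = $ace.IdentityReference.Value
                    Access        = $ace.AccessControlType   # Allow or Deny
                    Right         = $right
                    Inherited     = $ace.IsInherited
                }
            }
        }
    }
}

# The three NC heads every DC holds: domain, configuration and schema.
$root = Get-ADRootDSE
Get-ReplicationRightHolders -NamingContexts @(
    $root.defaultNamingContext,
    $root.configurationNamingContext,
    $root.schemaNamingContext
) | Sort-Object NamingContext, Identity | Format-Table -AutoSize
```

On a default installation the output lists the built-in groups (Administrators, Domain Admins, Enterprise Admins, Enterprise Domain Controllers, SYSTEM) as holders of these rights, which is the point made in the message above: anyone with one of those memberships can replicate outside the schedule, so the lag-site schedule is a convention rather than a control, and any extra principal that shows up here deserves an explanation.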
RE: [ActiveDir] AD lag sites and replication
1) We are talking about blocking the replication to and from a lag-site, and the good thing about using a firewall is that we are able to block users and memberservers authenticating against the lag-site. You do not want anyone to authenticate against a lag-site DC. So urgent replication is not an issue.

2) Agree with Joe here. I'm quite sure that the rights to force replication are available for at least dom-admins, and I'm very sure that no matter how many you have (OK, more than yourself) they will forget not to trigger forced replication sometime.

3) Lag-sites don't make any sense if they do replicate in between the scheduled times, so in this scenario you may worry about both.

Greetings - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
[ActiveDir] AD lag sites and replication
I'm looking to implement one or more lag sites, with staggered replication schedules (i.e. NYC lag replicates Tues and Thurs, 2-4 am; LON lag replicates Mon, Wed and Fri 2-4 am). We're concerned that admins can still force replication outside of these hours using repadmin or replmon etc. Is there a (supported) way to ensure that replication can ONLY occur within the hours described above?

Thanks,
neil

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
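Since the replies in this thread agree that the schedule cannot be made unbypassable, the practical complement is to detect when it was bypassed. The following is an added example, not part of the original post or of any product it mentions: it reads each lag DC's inbound partner metadata and reports the partitions whose most recent successful sync fell outside the window Neil describes. It assumes the ActiveDirectory module from Windows Server 2012 or later RSAT (Get-ADReplicationPartnerMetadata did not exist in 2006); the DC names NYC-LAG-DC01 and LON-LAG-DC01 are constructed placeholders.

```powershell
# Added example (not from the thread): flag inbound replication into a lag-site
# DC whose last success is outside the allowed schedule. Assumes the
# ActiveDirectory module; DC names below are constructed placeholders.
Import-Module ActiveDirectory

# Allowed windows, taken from the schedule in the question: NYC lag replicates
# Tue/Thu 02:00-04:00, LON lag replicates Mon/Wed/Fri 02:00-04:00.
$LagWindows = @{
    'NYC-LAG-DC01' = @{ Days = @('Tuesday', 'Thursday');           StartHour = 2; EndHour = 4 }
    'LON-LAG-DC01' = @{ Days = @('Monday', 'Wednesday', 'Friday'); StartHour = 2; EndHour = 4 }
}

function Test-InReplicationWindow {
    param([datetime]$When, [hashtable]$Window)
    # True when the weekday is allowed and the hour lies in [StartHour, EndHour).
    return ($Window.Days -contains $When.DayOfWeek.ToString()) -and
           ($When.Hour -ge $Window.StartHour) -and ($When.Hour -lt $Window.EndHour)
}

function Get-OutOfWindowSyncs {
    param([hashtable]$Windows)
    foreach ($dc in $Windows.Keys) {
        # Inbound partner metadata for every partition the lag DC hosts.
        $meta = Get-ADReplicationPartnerMetadata -Target $dc -Partition * -PartnerType Inbound
        foreach ($m in $meta) {
            if (-not $m.LastReplicationSuccess) { continue }   # never replicated: nothing to judge
            if (-not (Test-InReplicationWindow -When $m.LastReplicationSuccess -Window $Windows[$dc])) {
                # A successful inbound sync outside the window means the schedule was
                # bypassed, whether by repadmin/replmon, Sites and Services, or an
                # edited connection object.
                [pscustomobject]@{
                    LagDC     = $dc
                    Partition = $m.Partition
                    Partner   = $m.Partner
                    SyncedAt  = $m.LastReplicationSuccess
                }
            }
        }
    }
}

Get-OutOfWindowSyncs -Windows $LagWindows | Format-Table -AutoSize
```

Two caveats for using this as a control: partner metadata only keeps the most recent success per partner and partition, so an out-of-window sync that is followed by a scheduled one is no longer visible unless the script runs (or repadmin /showrepl output is captured) between the two; and the comparison uses the time as the cmdlet returns it, so run it from a host in the same time zone as the schedule or convert first.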
RE: [ActiveDir] AD lag sites and replication
You are able to disable the network interfaces, pretty easy with VMware or Virtual Server since you are able to do it from the host via scripting, bit more painful if you have to do it from the DC itself since you don't have any remote access when the NIC is disabled (you could use a scheduled task which runs netsh to activate / deactivate the interface). Also putting a firewall with scheduled rules in between would work very well, especially since you can block everything but RDP at the no-sync times.

As long as you don't exceed the tombstone-lifetime I don't see any reasons why this should not be supported since we are just talking about lag-sites without any memberservers / clients / users who log onto those DCs.

Greetings - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 30, 2006 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD lag sites and replication
RE: [ActiveDir] AD lag sites and replication
Thanks Ulf. I was hoping to avoid NIC disabling and such like. I was looking for a solution which would enforce the replication schedule between sites, such that an admin could not 'override' it. I'd rather handle the situation with procedures and policies than use scripts to disable NICs (or connection objects) at scheduled times :)

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ulf B. Simon-Weidner
Sent: 30 May 2006 09:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication
RE: [ActiveDir] AD lag sites and replication
Hi Neil,

I'd still go for a firewall with scheduled rules. IMHO there's no such thing as "locked down replication schedules" - as soon as someone is hitting a switch to force replication across sites. And the firewall will help you to assure no client is hitting a lag site's DC.

Greetings - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 30, 2006 10:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication
RE: [ActiveDir] AD lag sites and replication
Neil,

1) If you start setting firewall rules then I am pretty sure you will break things, as you will block urgent replication. What happens if someone changes their password and then goes to the home site? What about group membership changes? Do you really want to wait two days before you update these?

2) I don't think that "normal admins" can trigger unscheduled replication changes. Certainly I am a Domain Admin and I can't trigger replication changes on our infrastructure, but it is Windows 2000.

3) IMHO you would be better worrying about getting things to replicate when they are supposed to rather than things replicating when they shouldn't.

Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ulf B. Simon-Weidner
Sent: 30 May 2006 11:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

Hi Neil,

I'd still go for a firewall with scheduled rules. IMHO there's no such thing as "locked down replication schedules" - as soon as someone is hitting a switch to force replication across sites. And the firewall will help you to assure no client is hitting a lag site's DC.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 30, 2006 10:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

Thanks Ulf. I was hoping to avoid NIC disabling and such like. I was looking for a solution which would enforce the replication schedule between sites, such that an admin could not 'override' it. I'd rather handle the situation with procedures and policies than use scripts to disable NICs (or connection objects) at scheduled times :)

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ulf B. Simon-Weidner
Sent: 30 May 2006 09:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

You are able to disable the network interfaces, pretty easy with VMWare or Virtual Server since you are able to do it from the host via scripting, a bit more painful if you have to do it from the DC itself since you don't have any remote access when the NIC is disabled (you could use a scheduled task which runs netsh to activate / deactivate the interface). Also putting a firewall with scheduled rules in between would work very well, especially since you can block everything but RDP at the no-sync times. As long as you don't exceed the tombstone lifetime I don't see any reasons why this should not be supported, since we are just talking about lag sites without any member servers / clients / users who log onto those DCs.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 30, 2006 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD lag sites and replication

I'm looking to implement one or more lag sites, with staggered replication schedules (i.e. NYC lag replicates Tues and Thurs, 2-4 am; LON lag replicates Mon, Wed and Fri, 2-4 am). We're concerned that admins can still force replication outside of these hours using repadmin or replmon etc. Is there a (supported) way to ensure that replication can ONLY occur within the hours described above?

Thanks,
neil
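Dave's third point, knowing whether the lag site replicated when it was supposed to and did not replicate when it shouldn't, is something you can monitor rather than only hope for. What follows is an added example, not code from this thread or from any of its authors: it reads `repadmin /showrepl /csv` output for the two lag sites neil describes (NYC Tue/Thu 02:00-04:00, LON Mon/Wed/Fri 02:00-04:00) and flags any successful inbound sync whose timestamp falls outside the site's window; it also reports the longest gap between windows so it can be compared with the forest's tombstone lifetime, which Ulf names as the hard limit. The sample CSV is constructed; the column names are the ones I understand repadmin to emit, timestamps are assumed to have been normalised to UTC, and the two sites use fixed UTC offsets (an assumption that simplifies DST handling).

```python
"""Lag-site replication window check over `repadmin /showrepl /csv` output.

Added example for the ActiveDir lag-site thread; not code from the thread or
from Microsoft. It flags successful replication into a lag site that happened
outside the site's allowed window (the "replicating when it shouldn't" case).
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Windows from the thread, in site-local time: NYC lag Tue/Thu 02:00-04:00,
# LON lag Mon/Wed/Fri 02:00-04:00.  AD evaluates schedules in UTC, so each
# window carries the site's UTC offset (assumed: New York UTC-4 and London
# UTC+1 at the end of May; real code should use a tz database instead).
# Day numbers follow Python: Monday = 0 ... Sunday = 6.
LAG_WINDOWS = {
    "NYC-Lag": {"utc_offset": -4, "days": {1, 3}, "start_hour": 2, "end_hour": 4},
    "LON-Lag": {"utc_offset": +1, "days": {0, 2, 4}, "start_hour": 2, "end_hour": 4},
}

# Constructed sample of `repadmin /showrepl /csv` output for two lag-site DCs.
# Column names are as I understand repadmin emits them (assumption); the code
# keys on the header row, so a different column order still parses.
SAMPLE_SHOWREPL_CSV = """\
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,NYC-Lag,LAGDC01,"DC=corp,DC=example",NYC,DC01,RPC,0,0,2006-05-30 06:15:02,0
showrepl_INFO,NYC-Lag,LAGDC01,"CN=Configuration,DC=corp,DC=example",NYC,DC01,RPC,0,0,2006-05-30 07:59:59,0
showrepl_INFO,LON-Lag,LAGDC02,"DC=corp,DC=example",LON,DC02,RPC,0,0,2006-05-30 09:40:10,0
showrepl_INFO,LON-Lag,LAGDC02,"CN=Configuration,DC=corp,DC=example",LON,DC02,RPC,0,0,2006-05-29 02:30:00,0
"""


def parse_showrepl_csv(text):
    """Return the showrepl_INFO records as dicts keyed by the showrepl_COLUMNS header."""
    header = None
    rows = []
    for record in csv.reader(io.StringIO(text)):
        if not record:
            continue
        if record[0] == "showrepl_COLUMNS":
            header = record[1:]
        elif record[0] == "showrepl_INFO" and header:
            rows.append(dict(zip(header, record[1:])))
    return rows


def in_window(ts_utc, window):
    """True if a UTC timestamp lies inside the site-local replication window."""
    local = ts_utc + timedelta(hours=window["utc_offset"])
    return (local.weekday() in window["days"]
            and window["start_hour"] <= local.hour < window["end_hour"])


def out_of_window_replications(text, windows=LAG_WINDOWS):
    """Return (destination DSA, naming context, timestamp) for every successful
    inbound sync into a lag site that happened outside that site's window."""
    violations = []
    for row in parse_showrepl_csv(text):
        window = windows.get(row["Destination DSA Site"])
        if window is None:
            continue  # not a lag site: replication at any time is expected
        last = row["Last Success Time"]
        if last in ("", "0"):
            continue  # never replicated successfully; nothing to judge
        ts = datetime.strptime(last, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if not in_window(ts, window):
            violations.append((row["Destination DSA"], row["Naming Context"], last))
    return violations


def longest_gap_hours(window):
    """Longest stretch in hours between consecutive windows in the weekly cycle.
    This is the figure to keep well below the tombstone lifetime."""
    slots = sorted((d * 24 + window["start_hour"], d * 24 + window["end_hour"])
                   for d in window["days"])
    gaps = []
    for i, (_, end) in enumerate(slots):
        next_start = slots[(i + 1) % len(slots)][0]
        if i + 1 == len(slots):
            next_start += 7 * 24  # wrap around to the first window of next week
        gaps.append(next_start - end)
    return max(gaps)


if __name__ == "__main__":
    for dsa, nc, when in out_of_window_replications(SAMPLE_SHOWREPL_CSV):
        print(f"out-of-window sync into {dsa} for {nc} at {when} UTC")
    for site, window in LAG_WINDOWS.items():
        print(f"{site}: longest gap between windows = {longest_gap_hours(window)} h")
```

Against the sample, the LON domain partition sync at 09:40 UTC on a Tuesday is the one flagged; with real data, capture `repadmin /showrepl * /csv` on a schedule, feed the file to `out_of_window_replications()` and make sure the keys of `LAG_WINDOWS` match the AD site names exactly. A flagged sync is a prompt to check who forced replication (repadmin, replmon or a connection-object change) and whether the lag site still holds the "old" copy you built it for, which is the check neil's procedures-and-policies approach needs to be more than a rule on paper.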
Re: [ActiveDir] AD lag sites and replication
I think that's the point, isn't it? To be able to have a site that lags the rest of them for replication changes? :)

FWIW, there is no way that I'm aware of to prevent an admin from triggering replication, in the sense that an admin could override any changes you make to be able that would otherwise allow them to trigger the replication. While you may counter that you're just trying to prevent the admin from doing something easily, i.e. make them work to override the change, I read into this that you want to absolutely prevent them from triggering replication. For that, you need to look outside the system they have rights on, else change them from DA to OU admin.

The other alternative is to trust them not to make that change without knowing what they're doing. An easy argument that anyone with DA should be able to be that trusted, but reality often differs from desire. Admins, by design, have rights to the system. As such, they have rights to make those changes that allow them to, well, make changes.

Al

On 5/30/06, Dave Wade [EMAIL PROTECTED] wrote:
RE: [ActiveDir] AD lag sites and replication
Al,

Sorry, I misread it. I thought it was just controlling bandwidth, but now I look, it's specifically lag. However I still think that this could be dangerous and cause more problems than it solves.

Dave.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: 30 May 2006 13:53
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD lag sites and replication
RE: [ActiveDir] AD lag sites and replication
This may be further out on the unsupported limb than you want to crawl, but IIRC Dean referenced an alternative to lag sites in his part of the joe and Dean show at DEC. You could schedule a script that toggles the replication epoch value, and during "off-hours" nothing (and nobody) will be able to force replication without setting the epoch back first.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 30, 2006 2:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication
Re: [ActiveDir] AD lag sites and replication
Neil,

You could always hack the replication epoch values - but then again..

M

-----Original Message-----
From: Dave Wade [EMAIL PROTECTED]
Date: Tue, 30 May 2006 14:36:34
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication
RE: [ActiveDir] AD lag sites and replication
Neil asked...

> I'm looking to implement one or more lag sites, with staggered replication schedules (i.e. NYC lag replicates Tues and Thurs, 2-4 am; LON lag replicates Mon, Wed and Fri, 2-4 am). We're concerned that admins can still force replication outside of these hours using repadmin or replmon etc. Is there a (supported) way to ensure that replication can ONLY occur within the hours described above?

Tell them not to?

Seriously, if something is being put in place for a reason and it is explained to them, why would they want to go and work against it? Isn't the person implementing it someone in a position of authority to say this is how we'll solve this problem?

As always... there are seldom good technological solutions to behavioural problems.

Given this is all hypothetical, and yet to be a problem, but you get what I am regurgitating here.

My $0.02 inc GST.

themolk.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] AD lag sites and replication
Imagine a glass ceiling with a girl in a skirt standing on it / a man in a kilt standing on it, and you're standing under the ceiling and someone tells you not to look up. Do you not look up, or at some point look up? - even if you did not mean to - via a mirror or some other third party method. The fact that you can means at some stage you may do what you were not supposed to, even if you had no intention of doing so.

Applying this analogy to Mr Ruston's scenario: they may be trusted and do it, or they may have no intention of doing so - but have the intellect of a Tibetan yak and do it anyway.

Another Guinness please..

-----Original Message-----
From: Molkentin, Steve [EMAIL PROTECTED]
Date: Wed, 31 May 2006 02:52:28
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication
RE: [ActiveDir] AD lag sites and replication
I have to agree with the second option - they may not even know that they do it. Over time people tend to forget about lag sites, want to force replication once in a while, and what the ... are those checkboxes in replmon for? Do I want the information to replicate across sites? Sure! And right after hitting OK there's a head-banging-against-the-monitor sound - Aahrg - lag sites.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Parris
Sent: Tuesday, May 30, 2006 7:26 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] AD lag sites and replication
Re: [ActiveDir] AD lag sites and replication
While I agree that it could happen by accident, I think having that admin poking around and doing such things is likely not the person I want on my admin team. Credentials would be a tougher [1] thing to come by if that were expected behavior.

[1] think "borrowing all the gold of Africa" difficult

Nonetheless, if it's not prevented from happening, it must not be a real requirement, just like in the real world, right? :) Kind of like having a rule but not enforcing it.

On 5/30/06, Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote:
Re: [ActiveDir] AD lag sites and replication
Al,

Could you please translate the English into English?

Mark

-----Original Message-----
From: Al Mulnick [EMAIL PROTECTED]
Date: Tue, 30 May 2006 18:05:06
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD lag sites and replication
RE: [ActiveDir] AD lag sites and replication
In a company that potentially has more users than some small countries - work it out applying the same logic - let's grant the permission to reset any password to any user.

Seriously, if something is being put in place for a reason and it is explained to them, why would they want to go and work against it? Isn't the person implementing it someone in a position of authority to say this is how we'll solve this problem?

In this scenario the admin is a lazy mother and does not want to restrict password resets - but he can - so, reiterating the original question: HOW CAN I RESTRICT REPLICATION? - PEOPLE AND PROCESS are two different animals, and if you can't you won't; if you can you might!!!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Molkentin, Steve
Sent: 30 May 2006 17:52
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

(...)
RE: [ActiveDir] AD lag sites and replication
I would visualize scripts/tools/applications that the admins don't really understand. Possibly it slipped through the integration team without them really understanding how it works. (That never happens, huh??) Say an app that does a user creation, and the developers figured that they want that ID everywhere quick, so it then forces replication, which isn't documented (because vendors don't always actually document what their apps do).

While I agree that you should be able to trust your admins for something like this, and you shouldn't be using anything you don't understand completely, I would also look for a means to protect myself if it were possible. Certainly it shouldn't be something that you say "Wow, since I have that, I can give Elmer Fudd the keys to the castle"; anyone who is familiar with me knows I wouldn't say that.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Molkentin, Steve
Sent: Tuesday, May 30, 2006 12:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

(...)
RE: [ActiveDir] AD lag sites and replication
I am confused by your #2. Are you saying that admins can't force replication outside of the normal replication periods?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave Wade
Sent: Tuesday, May 30, 2006 6:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

Neil,

1) If you start setting firewall rules then I am pretty sure you will break things as you will block urgent replication. What happens if someone changes their password and then goes to the home site? What about group membership changes? Do you really want to wait two days before you update these?

2) I don't think that "normal admins" can trigger unscheduled replication changes. Certainly I am a Domain Admin and I can't trigger replication changes on our infrastructure, but it is Windows/2000.

3) IMHO you would be better worrying about getting things to replicate when they are supposed to rather than things replicating when they shouldn't.

Dave

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ulf B. Simon-Weidner
Sent: 30 May 2006 11:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

Hi Neil,

I'd still go for a firewall with scheduled rules. IMHO there's no such thing as "locked down replication schedules" - as soon as someone is hitting a switch to force replication across sites. And the firewall will help you to assure no client is hitting a lag site's DC.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 30, 2006 10:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

Thanks Ulf. I was hoping to avoid NIC disabling and such like. I was looking for a solution which would enforce the replication schedule between sites, such that an admin could not 'override' it. I'd rather handle the situation with procedures and policies than use scripts to disable NICs (or connection objects) at scheduled times :)

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ulf B. Simon-Weidner
Sent: 30 May 2006 09:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD lag sites and replication

You are able to disable the network interfaces, pretty easy with VMWare or Virtual Server since you are able to do it from the host via scripting, a bit more painful if you have to do it from the DC itself since you don't have any remote access when the NIC is disabled (you could use a scheduled task which runs netsh to activate / deactivate the interface). Also putting a firewall with scheduled rules in between would work very well, especially since you can block everything but RDP at the no-sync times. As long as you don't exceed the tombstone lifetime I don't see any reasons why this should not be supported, since we are just talking about lag sites without any member servers / clients / users who log onto those DCs.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 30, 2006 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD lag sites and replication

I'm looking to implement one or more lag sites, with staggered replication schedules. (i.e. NYC lag replicates Tues and Thurs, 2-4 am; LON lag replicates Mon, Wed and Fri 2-4 am). We're concerned that admins can still force replication outside of these hours using repadmin or replmon etc. Is there a (supported) way to ensure that replication can ONLY occur within the hours described above?

Thanks,
neil

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this messa
RE: [ActiveDir] AD lag sites and replication
As Al indicated, there isn't anything that is going to stop an Admin who is determined to force the replication. However, if you are looking to stop accidents you could look at anything that blocks the RPC traffic (IPSEC/Firewall) or disrupts name res for the lag site.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, May 30, 2006 3:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD lag sites and replication

(...)
RE: [ActiveDir] AD Lag Sites
Hi all,

Sorry, I am way late weighing in on this one. I implemented some lag sites for our AD and wanted to chime in.

We have a small AD - five DCs, 4 at our hub and one at a remote office. We have 52 sites but WAN pipes are fast enough so we don't need to distribute DCs. The boss wanted some Security Principal DR... object-level recovery. I leveraged our Virtual Server boxes located in our hub site to stand up three additional DCs in three separate sites (lagone, lagtwo and lagthree); all three are GCs. So as you can see the additional cost was only for OS licenses. This cost the City less than putting dual monitors on our desktops. I don't consider my time as an additional cost because I would be working anyway.

Lagone replicates on Monday, Lagtwo on Wednesday, and Lagthree on Friday... all three at midnight. Site links are configured as such. I found a script on the net to toggle on / off the NIC, so I use a scheduled task to toggle it on at midnight, force replication and toggle it off. Turning off inbound replication on the lag site servers doesn't stop forced replication from replicating changes to the boxes, hence the reason I toggle the NIC. Ultrasound and MOM bitch a little because they can't communicate with the lag site servers at all times, but sometimes MOM doesn't know best.

Now for recovery... at this shop, as with most other shops I have worked at, our operators don't have the skill sets to perform recoveries... of any type... and don't have the aptitude or desire to learn. Unfortunately this is a government job and we can't just can them. Because the boxes are on Virtual Server I can connect to them remotely... even with the NIC turned off. Recovery takes around 10 minutes and doesn't require taking down a production DC. With the enhancements in NTDSutil with 2003 SP1 we no longer have to worry about running the authoritative restore twice... once to recover the user object and the second time to restore the groups the user was a member of. One authoritative restore and bang, we're done.

We don't have a Global AD... but how many shops do? My thought is if you have a global AD you probably have the funding to purchase a third party product. IMO the majority of AD implementations are small to medium size businesses and probably don't have the funding for, say, a Quest Recovery Manager.

I may have left something out. It has been months since this was implemented. If anyone has any question feel free to contact me. If you can poke holes at my lagsite(s) implementation please do. I learn new stuff every day.

Shawn Hayes
GCWN, MCSE NT/2000/2003 - Messaging

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Wyatt, David
Sent: Thursday, March 09, 2006 7:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites

Cheers Tomasz.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tomasz Onyszko
Sent: 08 Mar 2006 21:39
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Lag Sites

Wyatt, David wrote:
What MS paper?

http://www.microsoft.com/downloads/details.aspx?FamilyID=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en

At the end of this document you will find information on how to do this. As Jorge pointed out today on our chat on IM, this document is not addressing the potential SYSVOL issue after such a restore, so BurFlags should come into play: http://support.microsoft.com/kb/290762

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)

This message contains confidential information and is intended only for the individual or entity named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as an invitation or offer to buy or sell any securities or related financial instruments. GAM operates in many jurisdictions and is regulated or licensed in those jurisdictions as required.
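Shawn's scheduled task (toggle the NIC on at midnight, force replication, toggle it off) written out as an added PowerShell example; this is not Shawn's script nor anything posted in the thread, and it folds in Ulf's tombstone-lifetime caveat as a pre-check before letting the lag DC replicate. It assumes Windows Server 2012 or later with the NetAdapter and ActiveDirectory modules, that the task runs on the lag DC itself inside the site-link window, an adapter named 'Ethernet', and a log path of its own choosing.

```powershell
#Requires -Modules NetAdapter, ActiveDirectory
<#
  Added example, not code from any post in this thread. It implements the
  scheduled-task procedure Shawn describes (enable the lag DC's NIC, pull
  replication, confirm it landed, disable the NIC again) and adds the
  tombstone-lifetime check Ulf's caveat calls for. Assumptions not on the page:
  Windows Server 2012 or later, the task runs on the lag DC itself inside the
  site-link window, and the adapter is named 'Ethernet'.
#>
[CmdletBinding()]
param(
    [string]$AdapterName        = 'Ethernet',  # assumption: NIC name on the lag DC
    [int]   $SyncTimeoutMinutes = 30,          # how long to wait for inbound replication
    [int]   $SafetyMarginDays   = 14,          # warn when this close to the tombstone lifetime
    [string]$LogPath = "$env:SystemDrive\LagSite\lagsync.log"   # assumption: log location
)

$ErrorActionPreference = 'Stop'
$dc = $env:COMPUTERNAME
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
Start-Transcript -Path $LogPath -Append | Out-Null

function Wait-ForDirectory {
    # LDAP/ADWS on the DC may need a moment after the adapter comes up; retry briefly.
    foreach ($attempt in 1..12) {
        try { Get-ADRootDSE -Server $dc | Out-Null; return } catch { Start-Sleep -Seconds 10 }
    }
    throw "Directory service on $dc not reachable after enabling '$AdapterName'"
}

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime sits on the Directory Service object in the configuration NC.
    # When the attribute is absent the forest default applies; assume the older 60-day
    # default rather than 180 so the check errs on the cautious side.
    $cfg = (Get-ADRootDSE -Server $dc).configurationNamingContext
    $ds  = Get-ADObject -Server $dc -Properties tombstoneLifetime `
             -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg"
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Get-InboundState {
    # One row per inbound partner/partition pair, as reported by the lag DC itself.
    Get-ADReplicationPartnerMetadata -Target $dc -Scope Server -PartnerType Inbound
}

$windowOpened = Get-Date
$pending = @()
try {
    Write-Output "[$windowOpened] Opening replication window on $dc (adapter '$AdapterName')"
    Enable-NetAdapter -Name $AdapterName -Confirm:$false
    Wait-ForDirectory

    # A lag DC that has gone longer than the tombstone lifetime without replicating must
    # not be let back in (lingering objects); it has to be rebuilt instead.
    $tsl    = Get-TombstoneLifetimeDays
    $oldest = (Get-InboundState | Sort-Object LastReplicationSuccess | Select-Object -First 1).LastReplicationSuccess
    if (-not $oldest) { throw "No inbound replication partners reported for $dc" }
    $ageDays = ((Get-Date) - $oldest).TotalDays
    if ($ageDays -ge $tsl) {
        throw "Last successful inbound replication was $([int]$ageDays) days ago and the tombstone lifetime is $($tsl) days; demote and rebuild this lag DC instead of replicating"
    }
    if ($ageDays -ge ($tsl - $SafetyMarginDays)) {
        Write-Warning "Only $([int]($tsl - $ageDays)) days left before the tombstone lifetime is exceeded; shorten the lag interval"
    }

    # Pull every naming context from every partner, cross-site included (/e). Without /P,
    # repadmin /syncall pulls changes into the named DC, which is the direction a lag site wants.
    & repadmin.exe /syncall $dc /A /e /q | Write-Output
    if ($LASTEXITCODE -ne 0) { Write-Warning "repadmin /syncall returned exit code $LASTEXITCODE" }

    # Do not trust the exit code alone: wait until every inbound partition reports a success
    # newer than the moment the window opened, or give up at the timeout.
    $deadline = $windowOpened.AddMinutes($SyncTimeoutMinutes)
    do {
        $pending = @(Get-InboundState | Where-Object { $_.LastReplicationSuccess -lt $windowOpened })
        if ($pending.Count -eq 0) { break }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)

    if ($pending.Count -gt 0) {
        $pending | ForEach-Object {
            Write-Warning ("Partition {0} from {1} still stale (last result {2})" -f $_.Partition, $_.Partner, $_.LastReplicationResult)
        }
        throw "Inbound replication did not complete within $SyncTimeoutMinutes minutes"
    }
    Write-Output "All inbound partitions current as of $(Get-Date)"
}
finally {
    # Close the window whatever happened: a lag DC left on the network silently stops
    # being a lag DC, which defeats the whole point of having it.
    Disable-NetAdapter -Name $AdapterName -Confirm:$false
    Write-Output "[$(Get-Date)] Replication window closed on $dc"
    Stop-Transcript | Out-Null
}
```

Because the adapter is disabled again in the finally block, a failed or partial sync never leaves the lag DC connected; the transcript is the record to check (or to alert on) the next morning.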
RE: [ActiveDir] AD Lag Sites
Cheers Tomasz.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tomasz Onyszko
Sent: 08 Mar 2006 21:39
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Lag Sites

(...)
RE: [ActiveDir] AD Lag Sites
/lurker

Hi All,

Forgive me a second whilst I ramble on 'cos this IS going to be a ramble, then shoot me down in flames at the end!

The problem with DR is getting the data from somewhere. Typically we go back to tape, which depending on when the last successful backup took place gives you a bit of a wide window to play with. Not good if you're going back some 24 hours/days etc...

To get better coverage of times we kicked about with lag sites. Trouble is, and this has already been noted, replication and timings can scupper the intentions of lag sites, and where do you stop? Is one enough, is one for every hour of the day enough?

Microsoft released this white paper on fast recovery with AD using SANs and disk imaging. http://www.microsoft.com/windowsserver2003/technologies/activedirectory/W2K3ActDirFastRec.mspx

Now, I'm currently playing with using Microsoft's in-built disk snapshotting to provide something similar. So on a pure DC server I've set it up to snapshot its disks every hour. And then I get to choose which hour that I go back to and use as my recovered backup. After all it's the same tech that's used when you actually do a backup.

No need for a lag site, just pick the hour on the timeline and restore from that DC. Ok so it means that you might need bigger disk and you can only snapshot down to 30 mins. But if you're a bit creative with a few DCs then you can get much better coverage than lag sites without the need for more DCs or creative subnetting.

Now I'm going to stand back and be shot down in flames. But thus far playing with VSS is kind of casting doubt on plans for one or multiple lag sites. I'm not going to bore with the how's and where's but it might stimulate some discussion. Oh and I realise that this is way far from perfect.

Curious to know if anyone has done this or thought about it if nothing else.

Paul.

Myrick, Todd (NIH/CC/DNA) [E] Mon, 06 Mar 2006 15:35:36 -0800

I also said, I have to spend my time and money wisely. I am well aware of why people use lag-sites. They always like to throw the money issue around... but I wonder what the TCO is really. Maybe these major AD DR players should commission a study; heck, maybe MSFT should for both AD and Exchange Mailboxes. I think you would do better to encourage new Admins to make sure they do a MFT backup of a domain controller's system state each night, than stand up more sites and servers. Then based on need select the restore method and evaluate the results. I agree knowing how all the inner workings does help as well, but operations people are usually not engineers, so it is best to give them tools that have some workflow, and make the operation smooth and less error prone.

Thanks again,
Todd
RE: [ActiveDir] AD Lag Sites
As I stated earlier, we need to differentiate between object restores (via lag sites) and true DR (which the MS paper deals with). Restoring a user differs from the restoration of a DC, which differs again from the restoration of a domain and/or forest.

Objects can be restored using 3rd party tools (which back up the database and all attributes regularly) and/or via lag sites. True DR needs (IMO) a separate physical location, separate physical machines along with DR processes and technologies.

Requirements need to be gathered so that the optimal solution can be found. What are you trying to achieve?

neil

PS I tried to curb my habit of waffling :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of PAUL MAYES
Sent: 08 March 2006 13:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites

(...)
Re: [ActiveDir] AD Lag Sites
PAUL MAYES wrote:
(...)
No need for a lag site, just pick the hour on the timeline and restore from that DC. Ok so it means that you might need bigger disk and you can only snapshot down to 30 mins. But if you're a bit creative with a few DCs then you can get much better coverage than lag sites without the need for more DCs or creative subnetting. Now I'm going to stand back and be shot down in flames. But thus far playing with VSS is kind of casting doubt on plans for one or multiple lag sites. I'm not going to bore with the how's and where's but it might stimulate some discussion.
(...)

You can't use images or snapshots as a backup\recovery solution for a DC because you are risking getting into the USN roll-back problem. Search through the ActiveDir.org archives for USN roll-back and you will find a good explanation of this problem.

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
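The USN rollback condition Tomasz warns about, as an added PowerShell check to run on a DC that was brought back from an image or snapshot rather than through a supported restore; this is not code from the thread. It assumes Windows Server 2008 or later and an elevated session on the DC being checked; the indicators it reads (the NTDS "Dsa Not Writable" registry value set to 4 and Directory Service event 2095) are the ones Windows itself sets when it detects a rollback.

```powershell
<#
  Added example (not from any post in this thread): a check for the USN rollback
  condition that a DC restored from a disk image or snapshot can land in.
  Assumptions: Windows Server 2008 or later, run elevated on the DC itself.
  When the directory service detects a rollback it quarantines itself by setting
  the NTDS "Dsa Not Writable" registry value to 4 and logs event 2095.
#>
function Test-UsnRollback {
    [CmdletBinding()]
    param([int]$LookbackDays = 30)   # how far back to look for event 2095

    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    # The value is absent on a healthy DC; 4 means replication partners already hold
    # USNs from this DC that are newer than anything the restored copy knows about.
    $notWritable = (Get-ItemProperty -Path $ntds -Name 'Dsa Not Writable' `
                        -ErrorAction SilentlyContinue).'Dsa Not Writable'

    # Event 2095 is the rollback detection itself; -ErrorAction hides the
    # "no events found" error Get-WinEvent raises when the log is clean.
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2095
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    } -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        DsaNotWritable   = $notWritable
        RollbackEvents   = $events.Count
        RollbackDetected = ($notWritable -eq 4) -or ($events.Count -gt 0)
    }
}

$result = Test-UsnRollback
if ($result.RollbackDetected) {
    # Do not re-enable replication on a DC in this state; it must be demoted and
    # rebuilt (with metadata cleanup) or restored from a supported system-state backup.
    Write-Warning "USN rollback detected on $($result.ComputerName): keep it isolated and rebuild it"
} else {
    Write-Output "No USN rollback indicators found on $($result.ComputerName)"
}
```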
RE: [ActiveDir] AD Lag Sites
Hi Paul,

Do you use the disk snapshots to provide the ability to restore an object or the whole DC (and therefore the whole Active Directory database), or both?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of PAUL MAYES
Sent: 08 Mar 2006 13:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites

(...)
RE: [ActiveDir] AD Lag Sites
The MS paper illustrates a way to achieve this without the USN issue.

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tomasz Onyszko
Sent: 08 March 2006 13:30
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Lag Sites

(...)
Re: [ActiveDir] AD Lag Sites
Tomasz Onyszko wrote: Sorry - I've messed up two different things :( please forget about this post. -- Tomasz Onyszko http://www.w2k.pl/blog/ - (PL) http://blogs.dirteam.com/blogs/tomek/ - (EN)
Re: [ActiveDir] AD Lag Sites
[EMAIL PROTECTED] wrote: The MS paper illustrates a way to achieve this without the USN issue. Yes, I'm aware of this. Sorry - I'm a bit overloaded and I've read this post only with one eye before replying. It wasn't my brightest post :( - and there is no re-call option :) -- Tomasz Onyszko http://www.w2k.pl/blog/ - (PL) http://blogs.dirteam.com/blogs/tomek/ - (EN)
RE: [ActiveDir] AD Lag Sites
Whoa, yep perhaps I didn't ramble enough! Simply, whoops I've lost something out of the directory. I need to get that stuff back. Where can I get the stuff back from: tape, another DC, perhaps deleted object restoration by some other 3rd party or another custom written process, maybe; depends what's been lost (if known) or how much money the boss let me spend on buying products. Now depending on the stuff that's been lost you vary the approach, or at least it seems common sense to me not to go around doing funky things if someone's deleted one user, unless it's the bloke who runs the company! Then depending on what's happened you've got the next stress of where can I get the stuff back on to? Now when I chucked in that comment I wasn't advocating that as the universal solution for all DR problems. Blimey my job would be easy if that was the case. But if you're trying to answer the problem of 'where do I get the stuff back from?' then it's probably worth considering even if it's chucked straight out. And yes it does have its bad points, but on the face of it they're the same bad points as going back to a tape. (Unless there is a difference that I'm missing?) Every solution has its bad points, just thought it might be worth kicking around for some scenarios. When I was looking at the timeline in the fast recovery paper it gave me an idea, so I drew out a timeline based on our organisation and then I could point at the line and stress in some situations. Now using disk snapshots meant that all of a sudden you could get some more points on that timeline, maybe some richer restore capability. As the white paper suggests, it gets you away from some limitations of tape. So all that I've done is draw up a timeline, think of the scenarios and plan what to do. And whilst I was at it give disk snapshotting some air time.

As I stated earlier, we need to differentiate between object restores (via lag sites) and true DR (which the MS paper deals with). Restoring a user differs from the restoration of a DC, which differs again from the restoration of a domain and/or forest. Objects can be restored using 3rd party tools (which back up the database and all attributes regularly) and/or via lag sites. True DR needs (IMO) a separate physical location, separate physical machines along with DR processes and technologies. Requirements need to be gathered so that the optimal solution can be found. What are you trying to achieve? neil

PS I tried to curb my habit of waffling :)
RE: [ActiveDir] AD Lag Sites
Hi Paul, do you use the disk snapshots to provide the ability to restore an object or the whole DC (and therefore the whole Active Directory database), or both?

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of PAUL MAYES Sent: 08 Mar 2006 13:13 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Lag Sites

/lurker Hi All, Forgive me a second whilst I ramble on 'cos this IS going to be a ramble, then shoot me down in flames at the end! The problem with DR is getting the data from somewhere. Typically we go back to tape, which depending on when the last successful backup took place gives you a bit of a wide window to play with. Not good if you're going back some 24 hours/days etc... To get better coverage of times we kicked about with lag sites. Trouble is, and this has already been noted, replication and timings can scupper the intentions of lag sites and where do you stop. Is one enough, is one for every hour of the day enough? Microsoft released this white paper on fast recovery with AD using SANs and disk imaging. http://www.microsoft.com/windowsserver2003/technologies/activedirectory/W2K3ActDirFastRec.mspx Now, I'm currently playing with using Microsoft's in-built disk snapshotting to provide something similar. So on a pure DC server I've set it up to snapshot its disks every hour. And then I get to choose which hour that I go back to and use as my recovered backup. After all it's the same tech that's used when you actually do a backup. No need for a lag site, just pick the hour on the timeline and restore from that DC. Ok so it means that you might need bigger disk and you can only snapshot down to 30mins. But if you're a bit creative with a few DC's then you can get much better coverage than lag sites without the need for more DC's or creative subnetting. Now I'm going to stand back and be shot down in flames. But thus far playing with VSS is kind of casting doubt on plans for one or multiple lag sites.
I'm not going to bore with the how's and where's but it might stimulate some discussion. Oh and I realise that this is way far from perfect. Curious to know if anyone has done this or thought about it if nothing else. Paul.

Myrick, Todd (NIH/CC/DNA) [E] Mon, 06 Mar 2006 15:35:36 -0800

I also said, I have to spend my time and money wisely. I am well aware of why people use lag-sites. They always like to throw the money issue around... but I wonder what the TCO is really. Maybe these major AD DR players should commission a study, heck maybe MSFT should, for both AD and Exchange Mailboxes. I think you would do better to encourage new Admins to make sure they do a MFT backup of a domain controller's system state each night, than stand up more sites and servers. Then based on need select the restore method and evaluate the results. I agree knowing how all the inner workings does help as well, but operations people are usually not engineers, so it is best to give them tools that have some workflow, and makes the operation smooth and less error prone. Thanks again, Todd
RE: [ActiveDir] AD Lag Sites
What MS paper?

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: 08 Mar 2006 13:46 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Lag Sites

The MS paper illustrates a way to achieve this without the USN issue. neil

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko Sent: 08 March 2006 13:30 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] AD Lag Sites

PAUL MAYES wrote: (...) No need for a lag site, just pick the hour on the timeline and restore from that DC. Ok so it means that you might need bigger disk and you can only snapshot down to 30mins. But if you're a bit creative with a few DC's then you can get much better coverage than lag sites without the need for more DC's or creative subnetting. Now I'm going to stand back and be shot down in flames. But thus far playing with VSS is kind of casting doubt on plans for one or multiple lag sites. I'm not going to bore with the how's and where's but it might stimulate some discussion. (...)

You can't use images or snapshots as a backup/recovery solution for a DC because you risk running into the USN roll-back problem. Search through the ActiveDir.org archives for USN roll-back and you will find a good explanation of this problem. -- Tomasz Onyszko http://www.w2k.pl/blog/ - (PL) http://blogs.dirteam.com/blogs/tomek/ - (EN)
Re: [ActiveDir] AD Lag Sites
Wyatt, David wrote: What MS paper?

http://www.microsoft.com/downloads/details.aspx?FamilyID=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en

At the end of this document you will find information on how to do this. As Jorge pointed out today in our IM chat, this document does not address the potential SYSVOL issue after such a restore, so BurFlags should come into play: http://support.microsoft.com/kb/290762 -- Tomasz Onyszko http://www.w2k.pl/blog/ - (PL) http://blogs.dirteam.com/blogs/tomek/ - (EN)
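As an added example (not code from the thread, from Microsoft's paper or from the KB article): a PowerShell check for the two USN roll-back indicators that Tomasz warns a snapshot or image restore of a DC can trigger (the NTDS "Dsa Not Writable" registry value and Directory Service event 2095), plus a helper that sets the NtFrs BurFlags value from KB 290762 he points to for SYSVOL. It assumes it runs elevated on the DC itself, that SYSVOL is FRS-replicated (the 2006-era case; a DFSR-replicated SYSVOL is handled differently), and that repadmin is on the path. The function names are mine.

```powershell
# Added example, not from the thread. Run elevated on the DC being checked.

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Test-UsnRollback {
    # Indicator 1: NTDS writes "Dsa Not Writable" = 4 when it notices that its
    # own USN has gone backwards relative to what a partner already received,
    # the classic sign of a DC rolled back via an image or VSS snapshot.
    $notWritable = (Get-ItemProperty -Path $ntdsParams -Name 'Dsa Not Writable' `
                        -ErrorAction SilentlyContinue).'Dsa Not Writable'

    # Indicator 2: event 2095 in the Directory Service log, raised for the
    # same condition.
    $ev2095 = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095 } `
                  -MaxEvents 1 -ErrorAction SilentlyContinue

    # Indicator 3: on detection NTDS switches inbound and outbound replication
    # off by itself, which shows in the DSA options.
    $options = & repadmin /options $env:COMPUTERNAME 2>$null

    [pscustomobject]@{
        DC                  = $env:COMPUTERNAME
        DsaNotWritable      = ($notWritable -eq 4)
        Event2095Seen       = [bool]$ev2095
        ReplicationDisabled = [bool]($options -match 'DISABLE_(IN|OUT)BOUND_REPL')
    }
}

function Set-SysvolBurFlags {
    # KB 290762: D2 (0xD2) = non-authoritative, re-sync SYSVOL from a partner;
    # D4 (0xD4) = authoritative, this DC's SYSVOL copy wins. Use D4 on the one
    # DC whose SYSVOL you trust and D2 on every other FRS member.
    param([ValidateSet('D2', 'D4')][string]$Mode)

    # The key name contains a literal "/", which the PowerShell registry
    # provider would treat as a path separator, so open it through .NET.
    $path = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
    $key  = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($path, $true)
    if (-not $key) { throw 'FRS BurFlags key not found; is SYSVOL FRS-replicated on this DC?' }

    Stop-Service -Name NtFrs
    $key.SetValue('BurFlags', [int]"0x$Mode", [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
    Start-Service -Name NtFrs   # FRS reads BurFlags at start-up and resets it to 0
}

Test-UsnRollback
```

If Test-UsnRollback reports any indicator as true, re-enabling replication is the wrong move: the DC has handed out USNs its partners have already consumed, and the documented fix is to forcibly demote it and clean up its metadata (or rebuild it from a supported backup). Set-SysvolBurFlags only addresses the separate SYSVOL re-synchronisation Tomasz mentions, after a restore done the way the paper describes.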
RE: [ActiveDir] AD Lag Sites
I don't really look at problems from the 'Trying to Save Money' approach. I try to spend my money and use my time wisely. I base all my value judgments on the following factors. 1. Does it value people? 2. Is it priced acceptably? (I value dominant designs, but also feel that some innovative features are worth more if they offer added value) 3. Is the solution timely? 4. Does the solution offer reproducible results? AD lag site restores seem a little advanced for general operators to be able to perform. To me restore operations are an operator's job, not an engineer's, so I want a solution that offers value to operators. The standard free AD solution to restore objects has a lot of CLI, it doesn't restore all the attributes, it takes more time to implement, it requires a DC be rebooted, it lacks the ability to restore single attributes, and groups. The lag site approach seems okay initially, but it requires more dedicated hardware that has to be maintained, it complicates the AD design in an unnatural way, it requires knowledge of the AD site architecture to properly implement (you have to force replication to the rest of the forest) and takes longer to implement a restore operation (the user might be out in China, where your lag site might be in the UK). For me I wanted the ability to quickly restore objects using a turnkey solution that I can delegate to trusted operators to perform. A dedicated person to do this task would cost about 30 to 40K per year. My base thinking is that would work between 10K to 20K up front, and about 3 to 5% overhead each additional year. I gain the ability to restore all objects and attributes, as well as groups and their memberships. I can restore these objects at the site the user resides, I don't have to reboot a DC to do this operation, and I free up the engineer to be an engineer not an operator. So my priorities are different than yours.. and so are my responsibilities. I don't have to save the company money.

Notice I didn't say lag sites don't work, but the number of steps involved to do an authoritative restore compared to using a third-party product designed for the job and the possible end results are akin to shooting a bullet and throwing one. Yeah you probably hit the target both ways. But I think my way is more accurate, has better range, and gets the job done a lot faster and has the potential to be more effective with less skill. Todd Myrick

From: Frank Abagnale [mailto:[EMAIL PROTECTED] Sent: Saturday, March 04, 2006 5:47 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Lag Sites

Todd, You mentioned 'potentially has the ability to create more problems'. Could you outline the problems that are on your mind? I see Lag Sites as a solution to save the business money from purchasing a solution, but I still need to think about business risk if such a solution was to be implemented. Frank

Myrick, Todd (NIH/CC/DNA) [E] [EMAIL PROTECTED] wrote: Agreed. Not a big fan of the Lag-Site, I think it potentially has the ability to create more problems. At least MS added some limited functionality in 2003, now if they would just finish the job in Vista this topic might go to rest. (Are you there Stewart?) I do see value in Creative Subnetting, when it comes to establishing multiple sites on a physical network segment to get the KCC to replicate in a more deterministic manner. Fun to do in the classroom too when teaching subnetting. Todd Myrick

From: Almeida Pinto, Jorge de [mailto:[EMAIL PROTECTED] Sent: Friday, March 03, 2006 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Lag Sites

7 lag sites? holy sh*t! would it be much cheaper to use a solution that can undelete the deleted objects and restore (push back) the attributes? jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner Sent: Friday, March 03, 2006 16:59 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Lag Sites

As Jorge mentioned you do not have to follow your physical subnets for Lag-Sites. Usually you would use that as a guideline, but for lag-sites you can do a sub-subnetting. AD replication does not care about the physical structure or TCP/IP settings (subnet mask, default gateway) - it just cares what you have configured in the sites, subnets and what IP the DC is using. So in a 10.1.x.x network you could configure all servers with 10.1.x.x IP addresses with a subnet mask of 255.255.0.0, however you keep all servers in one lag-site in the same virtual subnet 10.1.9.x and all production servers in 10.1.1.x - 10.1.8.x. Remember that all have the default gateway and subnet mask for 10.1.x.x. But now you create the virtual subnets in AD, and join 10.1.1.x - 10.1.8.x to the production site, and 10.1.9.x to the lag-site.. AD-Replication will do
RE: [ActiveDir] AD Lag Sites
He does NOT have to save the company money, he says. That's MY money you are talking about there, bucko! :) Seriously, Todd, you do have to understand that a vast majority of IT shops don't have budget for their IT folks to be as productive as they desire to be. This is why people tend to be as creative and conservative as possible. They want to stay as native as humanly possible and as painful as the exercise tends to be, they typically can't do anything about it. When management expects you to squeeze water out of rocks, you hardly have many options. The Lag Site concept is not a replacement for specialized recovery solutions. But, the concept came about as a result of people realizing that, much as they like the Quests and Netpros of this world, the steep price associated with them puts those products out of reach. If you've seen the California Cows commercials, you will begin to understand how much people salivate over professional tools. So, what's a poor admin to do? Especially when his/her CIO has just played golf with a buddy who has just read something from, say, Gartner, preaching the benefits of DR, and the CIO now wants DR implemented like, oh, say, one week ago without any additional funding? Lag Sites are NOT as expensive as any of the other options. Where budget constraint is a factor, the Lag Site concept is the next best thing for any AD Admin. The fact that it requires some expertise to successfully implement and utilize IS a big plus rather than a drawback. If you are going to administer any sizeable enterprise where DR is essential, you better start knowing something about the inner workings of the things you are claiming to be administering. Come to think of it, the vendors who market these specialized recovery tools are not engaged in voodoo. By learning how things work, you may not need to pay their protection money any longer.

OK, now I've said too much ;) Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCT Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Myrick, Todd (NIH/CC/DNA) [E] Sent: Mon 3/6/2006 10:36 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Lag Sites

I don't really look at problems from the 'Trying to Save Money' approach. I try to spend my money and use my time wisely. I base all my value judgments on the following factors. 1. Does it value people? 2. Is it priced acceptably? (I value dominant designs, but also feel that some innovative features are worth more if they offer added value) 3. Is the solution timely? 4. Does the solution offer reproducible results? AD lag site restores seem a little advanced for general operators to be able to perform. To me restore operations are an operator's job, not an engineer's, so I want a solution that offers value to operators. The standard free AD solution to restore objects has a lot of CLI, it doesn't restore all the attributes, it takes more time to implement, it requires a DC be rebooted, it lacks the ability to restore single attributes, and groups. The lag site approach seems okay initially, but it requires more dedicated hardware that has to be maintained, it complicates the AD design in an unnatural way, it requires knowledge of the AD site architecture to properly implement (you have to force replication to the rest of the forest) and takes longer to implement a restore operation... (the user might be out in China, where your lag site might be in the UK). For me I wanted the ability to quickly restore objects using a turnkey solution that I can delegate to trusted operators to perform. A dedicated person to do this task would cost about 30 to 40K per year. My base thinking is that would work between 10K to 20K up front, and about 3 to 5% overhead each additional year. I gain the ability to restore all objects and attributes, as well as groups and their memberships. I can restore these objects at the site the user resides, I don't have to reboot a DC to do this operation, and I free up the engineer to be an engineer not an operator. So my priorities are different than yours. and so are my responsibilities. I don't have to save the company money. Notice I didn't say lag sites don't work, but the number of steps involved to do an authoritative restore compared to using a third-party product designed for the job and the possible end results are akin to shooting a bullet and throwing one. Yeah you probably hit the target both ways. But I think my way is more accurate, has better range, and gets the job done a lot faster and has the potential to be more effective with less skill. Todd Myrick

From: Frank Abagnale [mailto:[EMAIL PROTECTED] Sent: Saturday, March 04, 2006 5:47 AM To: ActiveDir@mail.activedir.org
RE: [ActiveDir] AD Lag Sites
I also said, I have to spend my time and money wisely. I am well aware of why people use lag-sites. They always like to throw the money issue around... but I wonder what the TCO is really. Maybe these major AD DR players should commission a study, heck maybe MSFT should, for both AD and Exchange Mailboxes. I think you would do better to encourage new Admins to make sure they do a MFT backup of a domain controller's system state each night, than stand up more sites and servers. Then based on need select the restore method and evaluate the results. I agree knowing how all the inner workings does help as well, but operations people are usually not engineers, so it is best to give them tools that have some workflow, and makes the operation smooth and less error prone. Thanks again, Todd

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Mon 3/6/2006 2:09 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Lag Sites

He does NOT have to save the company money, he says. That's MY money you are talking about there, bucko! :) Seriously, Todd, you do have to understand that a vast majority of IT shops don't have budget for their IT folks to be as productive as they desire to be. This is why people tend to be as creative and conservative as possible. They want to stay as native as humanly possible and as painful as the exercise tends to be, they typically can't do anything about it. When management expects you to squeeze water out of rocks, you hardly have many options. The Lag Site concept is not a replacement for specialized recovery solutions. But, the concept came about as a result of people realizing that, much as they like the Quests and Netpros of this world, the steep price associated with them puts those products out of reach. If you've seen the California Cows commercials, you will begin to understand how much people salivate over professional tools. So, what's a poor admin to do? Especially when his/her CIO has just played golf with a buddy who has just read something from, say, Gartner, preaching the benefits of DR, and the CIO now wants DR implemented like, oh, say, one week ago without any additional funding? Lag Sites are NOT as expensive as any of the other options. Where budget constraint is a factor, the Lag Site concept is the next best thing for any AD Admin. The fact that it requires some expertise to successfully implement and utilize IS a big plus rather than a drawback. If you are going to administer any sizeable enterprise where DR is essential, you better start knowing something about the inner workings of the things you are claiming to be administering. Come to think of it, the vendors who market these specialized recovery tools are not engaged in voodoo. By learning how things work, you may not need to pay their protection money any longer. OK, now I've said too much ;) Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCT Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Myrick, Todd (NIH/CC/DNA) [E] Sent: Mon 3/6/2006 10:36 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Lag Sites

I don't really look at problems from the 'Trying to Save Money' approach. I try to spend my money and use my time wisely. I base all my value judgments on the following factors. 1. Does it value people? 2. Is it priced acceptably? (I value dominant designs, but also feel that some innovative features are worth more if they offer added value) 3. Is the solution timely? 4. Does the solution offer reproducible results? AD lag site restores seem a little advanced for general operators to be able to perform. To me restore operations are an operator's job, not an engineer's, so I want a solution that offers value to operators. The standard free AD solution to restore objects has a lot of CLI, it doesn't restore all the attributes, it takes more time to implement, it requires a DC be rebooted, it lacks the ability to restore single attributes, and groups. The lag site approach seems okay initially, but it requires more dedicated hardware that has to be maintained, it complicates the AD design in an unnatural way, it requires knowledge of the AD site architecture to properly implement (you have to force replication to the rest of the forest) and takes longer to implement a restore operation... (the user might be out in China, where your lag site might be in the UK). For me I wanted the ability to quickly restore objects using a turnkey solution that I can delegate to trusted operators to perform. A dedicated person to do this task would cost about 30 to 40K per year. My base thinking is that would work between 10K to 20K up front, and about 3 to 5% overhead each additional year. I gain the ability to restore all
RE: [ActiveDir] AD Lag Sites
I am trying to design a full DR solution, but as I have never done one, I am sort of trying to compile a list of things which occur or I need to deal with on a daily basis and documenting a procedure for them. So far I have looked at processes for schema modification, I am now working on recovery of deleted objects via a lag site. I have budget to buy a Quest or NetPro solution but I would rather spend the budget on areas which can assist business growth. I don't feel out of place with ntdsutil, hence my research into lag sites. frank

[EMAIL PROTECTED] wrote: Ideally, you would place the DR DCs in a separate DR location (for obvious reasons) which would have its own set of subnets assigned. This approach caters for true DR as well as object recovery from a lag site. If not possible, then Jorge's approach will work (although true DR is not catered for IMO). Are you trying to design for full DR or just recovery of objects via a lag site (or both)? neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale Sent: 03 March 2006 15:29 To: Active Subject: [ActiveDir] AD Lag Sites

Single Forest, Single Domain, W2K3 FFL. I am thinking about setting up a lag site for DR purposes. Just for clarification purposes, would I need a separate IP subnet, i.e. an IP subnet that isn't assigned to any other site in AD, to create this? All my existing IP Subnets are assigned to existing Sites which are used for normal replication, so I am assuming my question will result in a yes. Does anyone have any recommended guides to follow? thanks frank
RE: [ActiveDir] AD Lag Sites
Todd, You mentioned 'potentially has the ability to create more problems'. Could you outline the problems that are on your mind? I see Lag Sites as a solution to save the business money from purchasing a solution, but I still need to think about business risk if such a solution was to be implemented. Frank

"Myrick, Todd (NIH/CC/DNA) [E]" [EMAIL PROTECTED] wrote: Agreed. Not a big fan of the Lag-Site, I think it potentially has the ability to create more problems. At least MS added some limited functionality in 2003, now if they would just finish the job in Vista this topic might go to rest. (Are you there Stewart?) I do see value in Creative Subnetting, when it comes to establishing multiple sites on a physical network segment to get the KCC to replicate in a more deterministic manner. Fun to do in the classroom too when teaching subnetting. Todd Myrick

From: Almeida Pinto, Jorge de [mailto:[EMAIL PROTECTED] Sent: Friday, March 03, 2006 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Lag Sites

7 lag sites? holy sh*t! would it be much cheaper to use a solution that can undelete the deleted objects and restore (push back) the attributes? jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner Sent: Friday, March 03, 2006 16:59 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Lag Sites

As Jorge mentioned you do not have to follow your physical subnets for Lag-Sites. Usually you would use that as a guideline, but for lag-sites you can do a sub-subnetting. AD replication does not care about the physical structure or TCP/IP settings (subnet mask, default gateway) - it just cares what you have configured in the sites, subnets and what IP the DC is using. So in a 10.1.x.x network you could configure all servers with 10.1.x.x IP addresses with a subnet mask of 255.255.0.0, however you keep all servers in one lag-site in the same "virtual subnet" 10.1.9.x and all production servers in 10.1.1.x - 10.1.8.x. Remember that all have the default gateway and subnet mask for 10.1.x.x. But now you create the virtual subnets in AD, and join 10.1.1.x - 10.1.8.x to the production site, and 10.1.9.x to the lag-site.. AD-Replication will do what you wanted it to do, even without the need for routing.

However - and this was the main reason why I wanted to follow up on this - remember that one lag-site might not be enough. Imagine you configure your lag-site to replicate every Thursday 6pm. So if someone makes an error deleting a whole OU on e.g. Tuesday, you are recognizing it on Wednesday and are able to roll back this OU (authoritative restore on the lag site, then force replication). However if someone deletes an OU on Thursday, and you recognize it on Friday (or even Thursday 7pm) you have to restore a server from tape first, because your only lag-site has already replicated that deletion. What I prefer is creating two lag-sites, one which replicates in the middle of the week and one which replicates on the weekend. No matter when the error will be performed (even right before replication of one of the lag-sites), we always have an at least half-week-old copy of the AD in one of the lag-sites. And I've even heard from someone using seven lag-sites for every day in the week. Perhaps he's jumping into this thread later ;-)

Gruesse - Sincerely, Ulf B. Simon-Weidner MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org Profile: http://mvp.support.microsoft.com/profile

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale Sent: Friday, March 03, 2006 4:29 PM To: Active Subject: [ActiveDir] AD Lag Sites

Single Forest, Single Domain, W2K3 FFL. I am thinking about setting up a lag site for DR purposes. Just for clarification purposes, would I need a separate IP subnet, i.e. an IP subnet that isn't assigned to any other site in AD, to create this? All my existing IP Subnets are assigned to existing Sites which are used for normal replication, so I am assuming my question will result in a yes. Does anyone have any recommended guides to follow? thanks frank
RE: [ActiveDir] AD Lag Sites
Guido, this is really useful information.

I have a single domain forest so I feel comfortable with the Lag Site idea. With a multi domain forest, I would assume the additional cost in maintaining this environment would justify the cost of purchasing a recovery solution.

Your point about Forced Replication is an interesting thought, I didn't realise the lag site would not be protected. I would need to put this as a potential risk. If this is the case, my question to others who have implemented Lag Sites is how do you handle protecting the lag site from forced replication from other admins?

"Grillenmeier, Guido" [EMAIL PROTECTED] wrote:

An important factor is missing in this discussion - the opportunity and costs for leveraging lagsites highly depend on your forest structure. Even though you can use virtualization to reduce the number of physical boxes required to host a DC in a lagsite, you still need to host at least one per domain. As was pointed out before, if your goal was to recover from accidental deletions it certainly makes even more sense if you use two per domain with overlapping schedules in different sites, so that you'd theoretically always have a window of opportunity to recover the data from a lagsite even if the changes (such as deletion of objects) have just been replicated into one of the lagsites.

The number of domains in your forest will not only increase the number of (physical or virtual) DCs you need to host in your lagsite(s), but as soon as you have more than one domain, the work to be done to recover the objects and its complexity increases dramatically due to the cross-domain dependencies. You typically have to perform restore activities on a DC from every domain (think "recovery of a user's group-membership" [1]). So what's often fairly feasible for performing restores in a single domain forest can become quite a pain point for multi-domain forests. In the end the full recovery of an object involves so much work that you'd rather not do it if "just a simple user" is accidentally deleted. VIP users may be an exception and so will the deletion of a whole OU. This is where I'd say online recovery tools (such as those offered by NetPro and Quest) make a big difference - these will take care of restoring the objects in a domain incl. the necessary cross-domain data and you wouldn't hesitate to use them even for the least important user or group or many other objects.

Realize that no matter how many domains you have, a lagsite can only protect you "so much" from accidental deletion. It doesn't offer full protection from replicating unwanted changes into the lagsite - forced replication doesn't care about a lagsite's schedule or about a disabled connection object = you can still force bad changes into a lagsite anytime, if the DCs are running and available on the NW. So you'd only gain real protection by isolating the lagsite DCs from the NW (either done physically or via some timed script that enables/disables the NIC).

This is not to say that I think lagsites (and specifically running DCs in VMs in lagsites) shouldn't be used at all - you should just realize that they may not be able to help for all DR occasions. They are still a helpful tool to ensure a fast recovery from other failures, such as site failures or potentially domain or forest failures (for single domain forests even for object recovery). For multi-domain forests, they could well be a part of your overall DR plan - but I also highly recommend checking out the online recovery tools for those object (or attribute) recovery situations that potentially happen more often.

/Guido

[1] If you're unaware of the issues with restoring group memberships in multi-domain environments have a look at the following whitepaper: http://www.netpro.com/forum/files/Active_Directory_Disaster_Recovery-Part-I.pdf

From: [EMAIL PROTECTED] On Behalf Of David Adner
Sent: Friday, 3 March 2006 20:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites

I think you're trying to compare apples and oranges. Yes, both solutions can help reduce the time it takes to perform a restore (given a specific scenario), but that's basically it. Lag sites are single snapshots based on the number of lag sites you deploy. The products you mention below are true backup solutions that you could, if you wanted to, perform hourly, daily, weekly, etc. backups, all of which can be restored as needed. They also typically allow attribute level restores. So if lag sites are N dollars and the software is Y dollars it doesn't really say much. You need to evaluate your own restore requirements and budget to determine what's best. It's my opinion most customers don't need lag sites and that it's a distraction from the normal backup processes they're probably failing to properly implement. But that's just me.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROT
RE: [ActiveDir] AD Lag Sites
Frank - I'd also be interested to hear how others protect themselves from forced replication in a lagsite - I'm sure most aren't aware it's a potential risk in the first place. As mentioned below, an option would be to automatically enable and disable the NIC of the respective lagsite DC in line with its scheduled replication window. If running as VMs you could also configure them to boot and shutdown automatically according to the schedule (I'm not a friend of "suspending" production DCs). I'd probably still prefer just disabling the NICs.

/Guido

From: [EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Saturday, 4 March 2006 12:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites
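Guido's two points, worked out as an added example (this is not code from anyone in the thread): a check that flags a lag DC whose inbound replication completed outside its scheduled window, which is what a "Replicate Now" or repadmin-forced sync looks like from the lag DC's side, and the timed NIC enable/disable he proposes, registered as local scheduled tasks. Cmdlet names come from the ActiveDirectory, NetAdapter and ScheduledTasks modules (Windows Server 2012 or later, well after this 2006 thread); the DC name, adapter name and window values are constructed placeholders.

```powershell
# Added example (not from the thread). Assumes: the lag DC replicates inbound
# only during one weekly window (default below: Thursday 18:00-19:00), the
# ActiveDirectory module is available where the check runs, and the
# NetAdapter/ScheduledTasks modules exist on the lag DC itself.
Import-Module ActiveDirectory

function Get-LastWindowEnd {
    # End of the most recent scheduled window relative to $Now. If the window
    # is open right now, "now" is the end: anything up to now is legitimate.
    param(
        [DayOfWeek]$Day, [int]$StartHour, [int]$DurationHours,
        [datetime]$Now = (Get-Date)
    )
    $daysBack = (([int]$Now.DayOfWeek - [int]$Day) + 7) % 7
    $start = $Now.Date.AddDays(-$daysBack).AddHours($StartHour)
    if ($start -gt $Now) { $start = $start.AddDays(-7) }   # this week's window not reached yet
    $end = $start.AddHours($DurationHours)
    if ($end -gt $Now) { $end = $Now }
    return $end
}

function Test-LagDcReplicationWindow {
    # One row per inbound partner and partition. LastReplicationSuccess newer
    # than the last window closed means changes reached the lag DC out of band
    # (forced replication). A reboot also triggers an initial sync, so compare
    # with the DC's last boot time before treating a hit as someone forcing it.
    param(
        [Parameter(Mandatory)][string]$LagDc,              # e.g. 'LAGDC01' (placeholder)
        [DayOfWeek]$Day = 'Thursday', [int]$StartHour = 18, [int]$DurationHours = 1,
        [datetime]$Now = (Get-Date)
    )
    $windowEnd = Get-LastWindowEnd -Day $Day -StartHour $StartHour `
                                   -DurationHours $DurationHours -Now $Now
    Get-ADReplicationPartnerMetadata -Target $LagDc -Partition * | ForEach-Object {
        [pscustomobject]@{
            Partition              = $_.Partition
            Partner                = $_.Partner
            LastReplicationSuccess = $_.LastReplicationSuccess
            WindowClosedAt         = $windowEnd
            OutsideWindow          = ($_.LastReplicationSuccess -gt $windowEnd)
        }
    }
}

function Register-LagDcIsolationTasks {
    # Run this once ON the lag DC. Two local tasks under SYSTEM: reconnect the
    # NIC ten minutes before the window opens, isolate again five minutes after
    # it closes. Local tasks keep working while the NIC is down, when nothing
    # on the network can reach the box, which is exactly the protection wanted.
    # Keep the lag well inside the tombstone lifetime or the DC cannot resync.
    param(
        [Parameter(Mandatory)][string]$AdapterName,      # e.g. 'Ethernet' (placeholder)
        [DayOfWeek]$Day = 'Thursday', [int]$StartHour = 18, [int]$DurationHours = 1
    )
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
    $tasks = @(
        @{ Name = 'LagDC-Connect'; Cmdlet = 'Enable-NetAdapter'
           At = [datetime]::Today.AddHours($StartHour).AddMinutes(-10) },
        @{ Name = 'LagDC-Isolate'; Cmdlet = 'Disable-NetAdapter'
           At = [datetime]::Today.AddHours($StartHour + $DurationHours).AddMinutes(5) }
    )
    foreach ($t in $tasks) {
        $cmd     = "$($t.Cmdlet) -Name '$AdapterName' -Confirm:`$false"
        $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
                       -Argument "-NoProfile -Command `"$cmd`""
        $trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek $Day -At $t.At
        Register-ScheduledTask -TaskName $t.Name -Action $action -Trigger $trigger `
                               -Principal $principal -Force
    }
}

# Typical use (placeholders): run the check from a monitoring host, the
# registration on the lag DC.
# Test-LagDcReplicationWindow -LagDc 'LAGDC01' | Where-Object OutsideWindow
# Register-LagDcIsolationTasks -AdapterName 'Ethernet'
```

A lag DC that is a DNS server or GC still advertises itself domain-wide while connected, so treat the isolation tasks as protection for the directory copy, not as a guarantee that no client ever talks to it.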
Re: [ActiveDir] AD Lag Sites
On 3/3/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:

When talking about a software solution to restore deleted objects I know about:

* Netpro's RestoreADmin
* Quest's Recovery Manager for AD

I don't know the price of both products (I guess per managed object or something like that) but I would be interested in knowing where the break even point is compared to a hardware solution.

I asked my Quest account manager for Quest Recovery Manager the other day, and she said the price is $10.00 per node. The price is flat regardless how many nodes you have. The thing that varies is of course the discount.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] AD Lag Sites
I meant the number of users in the AD. Sorry for the confusion.

On 3/4/06, Irwan Hadi [EMAIL PROTECTED] wrote:

I asked my Quest account manager for Quest Recovery Manager the other day, and she said the price is $10.00 per node. The price is flat regardless how many nodes you have. The thing that varies is of course the discount.
[ActiveDir] AD Lag Sites
Single Forest, Single Domain, W2K3 FFL

I am thinking about setting up a lag site for DR purposes. Just for clarification purposes, would I need a separate IP subnet, i.e. an IP subnet that isn't assigned to any other site in AD, to create this? All my existing IP Subnets are assigned to existing Sites which are used for normal replication, so I am assuming my question will result in a yes. Does anyone have any recommended guides to follow?

thanks
frank
RE: [ActiveDir] AD Lag Sites
well yes OR create subnet definitions of the IP addresses of the DCs...

Let's say you have 2 DCs in the lag site and 4 in the "normal" site:

DC01: 10.1.1.1/24
DC02: 10.1.1.2/24
DC03: 10.1.1.3/24
DC04: 10.1.1.4/24
DC05: 10.1.1.5/24
DC06: 10.1.1.6/24

For the DCs in the normal site you create the subnet 10.1.1.0/24 and assign it to that normal site.

For the DCs in the lag site you create the "subnets" 10.1.1.1/32 and 10.1.1.2/32 and assign them to that lag site.

jorge

From: [EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Friday, March 03, 2006 16:29
To: Active
Subject: [ActiveDir] AD Lag Sites
RE: [ActiveDir] AD Lag Sites
Here's a good explanation of the setup.

http://www.windowsitpro.com/Windows/Articles/ArticleID/42932/pg/1/1.html

You are required to somehow isolate the delayed servers in a unique site to control the replication window. The subnet scope can be as narrow as the IP address of the DC. The last setup I used was 2 delayed DCs running on Virtual Server, each with a 7 day replication lag. This allowed us to restore objects deleted up to 14 days ago.

John Roberts
JLR Technology Solutions

From: [EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Friday, March 03, 2006 10:29 AM
To: Active
Subject: [ActiveDir] AD Lag Sites
RE: [ActiveDir] AD Lag Sites
As Jorge mentioned you do not have to follow your physical subnets for Lag-Sites. Usually you would use that as a guideline, but for lag-sites you can do a sub-subnetting. AD replication does not care about the physical structure or TCP/IP settings (subnet mask, default gateway) - it just cares what you have configured in the sites and subnets and what IP the DC is using. So in a 10.1.x.x network you could configure all servers with 10.1.x.x IP addresses with a subnet mask of 255.255.0.0, however you keep all servers in one lagsite in the same "virtual subnet" 10.1.9.x and all production servers in 10.1.1.x - 10.1.8.x. Remember that all have the default gateway and subnet mask for 10.1.x.x. But now you create the virtual subnets in AD, and join 10.1.1.x - 10.1.8.x to the production site, and 10.1.9.x to the lag-site. AD replication will do what you wanted it to do, even without the need for routing.

However - and this was the main reason why I wanted to follow up on this - remember that one lag-site might not be enough. Imagine you configure your lag-site to replicate every Thursday 6pm. So if someone makes an error deleting a whole OU on e.g. Tuesday, you recognize it on Wednesday and are able to roll back this OU (authoritative restore on the lag site, then force replication). However if someone deletes an OU on Thursday, and you recognize it on Friday (or even Thursday 7pm) you have to restore a server from tape first, because your only lag-site has already replicated that deletion.

What I prefer is creating two lag-sites, one which replicates in the middle of the week and one which replicates on the weekend. No matter when the error is made (even right before replication of one of the lag-sites), we always have an at least half-week-old copy of the AD in one of the lag-sites. And I've even heard from someone using seven lag-sites, one for every day in the week. Perhaps he's jumping into this thread later ;-)

Greetings - Sincerely,

Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile

From: [EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Friday, March 03, 2006 4:29 PM
To: Active
Subject: [ActiveDir] AD Lag Sites
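Ulf's two-lag-site layout and Jorge's /32 host subnets, scripted as an added example (not code from anyone in the thread): it creates both lag sites, assigns each lag DC's address as a /32 subnet, moves the DC's server object into its site, and gives each site its own site link whose schedule is closed except for one weekly hour. The cmdlets are from the ActiveDirectory module (Windows Server 2012 or later; in 2006 the same objects were created by hand in Active Directory Sites and Services). Site, link, DC and IP values are constructed placeholders.

```powershell
# Added example (not from the thread). Assumes a production site named
# 'Production' already exists and that the lag DCs are already promoted.
Import-Module ActiveDirectory

$productionSite = 'Production'

# One entry per lag site: its DCs (name -> IP, placeholders) and its weekly
# one-hour window. Ulf's mid-week plus weekend pair means one copy is always
# at least about half a week behind production, whichever day the mistake is made.
$lagSites = @(
    @{ Name = 'Lag-MidWeek'; Dcs = @{ 'LAGDC01' = '10.1.9.5' }
       Day = 'Thursday'; From = 'Eighteen'; To = 'Nineteen' },
    @{ Name = 'Lag-Weekend'; Dcs = @{ 'LAGDC02' = '10.1.9.6' }
       Day = 'Sunday';   From = 'Three';    To = 'Four' }
)

$hourType = [System.DirectoryServices.ActiveDirectory.HourOfDay]
$zero     = [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero

foreach ($lag in $lagSites) {
    # 1. A site of its own, so the KCC builds inter-site connection objects
    #    to it whose schedule is governed by the site link created in step 3.
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$($lag.Name)'")) {
        New-ADReplicationSite -Name $lag.Name -Description 'Lag site for object recovery'
    }

    foreach ($dc in $lag.Dcs.GetEnumerator()) {
        # 2. Host subnet (Jorge/Brian). Site lookup takes the longest matching
        #    prefix, so 10.1.9.5/32 wins over a production 10.1.0.0/16 even
        #    though the DC keeps the same mask and gateway as every other
        #    server: AD only looks at its subnet objects, not at routing (Ulf).
        $prefix = "$($dc.Value)/32"
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$prefix'")) {
            New-ADReplicationSubnet -Name $prefix -Site $lag.Name
        }
        # An already-promoted DC stays in its old site until its server object
        # is moved; new promotions would pick the site up from the subnet.
        $dcObj = Get-ADDomainController -Filter "Name -eq '$($dc.Key)'"
        if ($dcObj -and $dcObj.Site -ne $lag.Name) {
            Move-ADDirectoryServer -Identity $dc.Key -Site $lag.Name
        }
    }

    # 3. Dedicated site link, schedule fully closed except one hour a week.
    #    Inter-site links do not use change notification by default, which is
    #    what lets the lag hold between windows. None of this stops a forced
    #    replication ("Replicate Now", repadmin): the schedule binds the KCC only.
    $schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
    $schedule.ResetSchedule()                        # every 15-minute slot closed
    $schedule.SetSchedule([DayOfWeek]$lag.Day,
                          ($lag.From -as $hourType), $zero,
                          ($lag.To   -as $hourType), $zero)

    $linkName = "$productionSite-$($lag.Name)"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
        New-ADReplicationSiteLink -Name $linkName -SitesIncluded $productionSite, $lag.Name `
            -Cost 100 -ReplicationFrequencyInMinutes 60
    }
    Set-ADReplicationSiteLink -Identity $linkName -ReplicationSchedule $schedule
}

# Verify: each lag site should appear on exactly one link, with its schedule set.
Get-ADReplicationSiteLink -Filter * -Properties ReplicationSchedule |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
```

Keep the longest lag (here a week) well inside the forest's tombstone lifetime, otherwise the lag DC can no longer be resynchronised and the whole point of the site is lost.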
RE: [ActiveDir] AD Lag Sites
Ideally, you would place the DR DCs in a separate DR location (for obvious reasons) which would have its own set of subnets assigned. This approach caters for true DR as well as object recovery from a lag site. If not possible, then Jorge's approach will work (although true DR is not catered for IMO). Are you trying to design for full DR or just recovery of objects via a lag site (or both)?

neil

From: [EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: 03 March 2006 15:29
To: Active
Subject: [ActiveDir] AD Lag Sites
RE: [ActiveDir] AD Lag Sites
7 lag sites? holy sh*t! would it be much cheaper to use a solution that can undelete the deleted objects and restore (push back) the attributes?

jorge

From: [EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Friday, March 03, 2006 16:59
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites

From: [EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Friday, March 03, 2006 4:29 PM
To: Active
Subject: [ActiveDir] AD Lag Sites
RE: [ActiveDir] AD Lag Sites
Pizza boxes are available from Dell for like under 2 grand rack rate most days, so that's probably questionable.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Friday, March 03, 2006 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites

7 lag sites? holy sh*t! would it be much cheaper to use a solution that can undelete the deleted objects and restore (push back) the attributes?

jorge

From: [EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Friday, March 03, 2006 16:59
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites

From: [EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Friday, March 03, 2006 4:29 PM
To: Active
Subject: [ActiveDir] AD Lag Sites
RE: [ActiveDir] AD Lag Sites
You can also just define /32 aka host subnets. So you create Lag Site 1, and subnet 10.1.2.3 255.255.255.255 (the IP of your lag DC).

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Friday, March 03, 2006 10:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites

From: [EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Friday, March 03, 2006 4:29 PM
To: Active
Subject: [ActiveDir] AD Lag Sites
RE: [ActiveDir] AD Lag Sites
I think Rick Kingslan did something like this with virtual machines. I'll ping him to see if he has any comment.

Tony

From: [EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Saturday, 4 March 2006 5:17 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites

7 lag sites? holy sh*t! would it be much cheaper to use a solution that can undelete the deleted objects and restore (push back) the attributes?

jorge

From: [EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Friday, March 03, 2006 16:59
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites

From: [EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Friday, March 03, 2006 4:29 PM
To: Active
Subject: [ActiveDir] AD Lag Sites
RE: [ActiveDir] AD Lag Sites
When talking about "a software solution to restore deleted objects" I know about:
* Netpro's RestoreADmin
* Quest's Recovery Manager for AD

I don't know the price of both products (I guess per managed object or something like that) but I would be interested in knowing where the break-even point is compared to a hardware solution. And for a hardware solution you can use:
* just hardware, where you need at least 1 DC per domain in the lag site (for each day of the week that would be 7 DCs per domain) (not forgetting licensing for the server OS)
* hardware combined with software (e.g. ESX/GSX or Virtual Server) (not forgetting licensing for the server OS and the virtual solution)

I'm very interested in hearing what folks have chosen and how much it costs and of course why that particular solution. Of course don't forget to mention the type of environment and size, but let's start by pinging Rick...

ping rick.kingslan.microsoft ;-)

Jorge

From: [EMAIL PROTECTED] on behalf of Tony Murray
Sent: Fri 2006-03-03 19:59
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites

I think Rick Kingslan did something like this with virtual machines. I'll ping him to see if he has any comment.

Tony
RE: [ActiveDir] AD Lag Sites
I think you're trying to compare apples and oranges. Yes, both solutions can help reduce the time it takes to perform a restore (given a specific scenario), but that's basically it. Lag sites are single snapshots based on the number of lag sites you deploy. The products you mention below are true backup solutions with which you could, if you wanted to, perform hourly, daily, weekly, etc. backups, all of which can be restored as needed. They also typically allow attribute-level restores. So if lag sites are N dollars and the software is Y dollars it doesn't really say much. You need to evaluate your own restore requirements and budget to determine what's best.

It's my opinion most customers don't need lag sites and that it's a distraction from the normal backup processes they're probably failing to properly implement. But that's just me.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Friday, March 03, 2006 1:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites

When talking about "a software solution to restore deleted objects" I know about:
* Netpro's RestoreADmin
* Quest's Recovery Manager for AD

I don't know the price of both products (I guess per managed object or something like that) but I would be interested in knowing where the break-even point is compared to a hardware solution. And for a hardware solution you can use:
* just hardware, where you need at least 1 DC per domain in the lag site (for each day of the week that would be 7 DCs per domain) (not forgetting licensing for the server OS)
* hardware combined with software (e.g. ESX/GSX or Virtual Server) (not forgetting licensing for the server OS and the virtual solution)

I'm very interested in hearing what folks have chosen and how much it costs and of course why that particular solution. Of course don't forget to mention the type of environment and size, but let's start by pinging Rick...

ping rick.kingslan.microsoft ;-)

Jorge
RE: [ActiveDir] AD Lag Sites
Think virtualisation - where I've implemented lag sites they are running on VMs. The software solutions I was looking at at that point were way more expensive than running 4 DCs virtualized on the same machine (1 root DC and one account DC per lag site). I do not agree that lag sites need to run in a physically separate site. I do agree that you want two datacenters which are physically separate; however, if one DC burns down you usually do not need lag sites (the AD info is still in the other datacenter or in a branch), and if all datacenters plus branches are burned down you don't need a lag site - you need a working backup which isn't burned.

Regards - Sincerely,
Ulf B. Simon-Weidner

MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
RE: [ActiveDir] AD Lag Sites
Agreed. Not a big fan of the lag site; I think it potentially has the ability to create more problems. At least MS added some limited functionality in 2003; now if they would just finish the job in Vista this topic might go to rest. (Are you there, Stewart?) I do see value in creative subnetting when it comes to establishing multiple sites on a physical network segment to get the KCC to replicate in a more deterministic manner. Fun to do in the classroom too when teaching subnetting.

Todd Myrick
RE: [ActiveDir] AD Lag Sites
An important factor is missing in this discussion - the opportunity and costs for leveraging lag sites highly depend on your forest structure. Even though you can use virtualization to reduce the number of physical boxes required to host a DC in a lag site, you still need to host at least one per domain. As was pointed out before, if your goal is to recover from accidental deletions it certainly makes even more sense if you use two per domain with overlapping schedules in different sites, so that you'd theoretically always have a window of opportunity to recover the data from a lag site even if the changes (such as deletion of objects) have just been replicated into one of the lag sites.

The number of domains in your forest will not only increase the number of (physical or virtual) DCs you need to host in your lag site(s), but as soon as you have more than one domain, the work to be done to recover the objects and its complexity increase dramatically due to the cross-domain dependencies. You typically have to perform restore activities on a DC from every domain (think "recovery of a user's group membership" [1]). So what's often fairly feasible for performing restores in a single-domain forest can become quite a pain point for multi-domain forests. In the end the full recovery of an object involves so much work that you'd rather not do it if "just a simple user" is accidentally deleted. VIP users may be an exception and so will the deletion of a whole OU. This is where I'd say online recovery tools (such as those offered by NetPro and Quest) make a big difference - these will take care of restoring the objects in a domain incl. the necessary cross-domain data, and you wouldn't hesitate to use them even for the least important user or group or many other objects.

Realize that no matter how many domains you have, a lag site can only protect you "so much" from accidental deletion. It doesn't offer full protection from replicating unwanted changes into the lag site - forced replication doesn't care about a lag site's schedule or about a disabled connection object = you can still force bad changes into a lag site anytime, if the DCs are running and available on the NW. So you'd only gain real protection by isolating the lag site DCs from the NW (either done physically or via some timed script that enables/disables the NIC).

This is not to say that I think lag sites (and specifically running DCs in VMs in lag sites) shouldn't be used at all - you should just realize that they may not be able to help for all DR occasions. They are still a helpful tool to ensure a fast recovery from other failures, such as site failures or potentially domain or forest failures (for single-domain forests even for object recovery). For multi-domain forests, they could well be a part of your overall DR plan - but I also highly recommend checking out the online recovery tools for those object (or attribute) recovery situations that potentially happen more often.

/Guido

[1] If you're unaware of the issues with restoring group memberships in multi-domain environments, have a look at the following whitepaper: http://www.netpro.com/forum/files/Active_Directory_Disaster_Recovery-Part-I.pdf

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Friday, 3 March 2006 20:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Lag Sites

I think you're trying to compare apples and oranges. Yes, both solutions can help reduce the time it takes to perform a restore (given a specific scenario), but that's basically it. Lag sites are single snapshots based on the number of lag sites you deploy. The products you mention below are true backup solutions with which you could, if you wanted to, perform hourly, daily, weekly, etc. backups, all of which can be restored as needed. They also typically allow attribute-level restores. So if lag sites are N dollars and the software is Y dollars it doesn't really say much. You need to evaluate your own restore requirements and budget to determine what's best.

It's my opinion most customers don't need lag sites and that it's a distraction from the normal backup processes they're probably failing to properly implement. But that's just me.