RE: [ActiveDir] Disaster Recovery
Yeah absolutely. Right along with this is understanding how LONG it takes you to do it once you start, which you get when you test and test often. That helps you decide at what point you need to have something fixed, start recovering, or realize that you are now stomping on borrowed time that could be better used for recovery.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Tuesday, March 21, 2006 9:44 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Disaster Recovery

One additional comment that seems to have been missed is that, as previously mentioned, you should carefully consider practicing your restores for the situations you've defined as warranting a disaster recovery. All of the other information about how to do it etc. is great, but there's no substitute for doing it and making sure you have ALL of the components to put the environment back together.

One fun example that illustrates this for me, should I forget for some strange reason, is a company that wanted to implement DR for a situation they were faced with. They never practiced, and when it came time they drug out the other hardware, set up a hub for it (they didn't have a switch like in production - hint) and gathered the latest backup from the off-site storage facility (somebody's closet is my guess, but I digress). They put the DC back, then their email, and everything seemed to work. Hooray, they were ready for business. Sure, there were some issues along the way such as getting power, environmentals, network, hardware, etc. But through heroic efforts that was overcome and they managed to recover AD and Email. As they watched the counters, somebody asked, "how come there's no email coming in and why isn't anybody using it?" Answer?

1) Because nobody thought about WAN or ISP connectivity implications, and
2) because the users had no equipment and no way to access this newly restored server.

Moral? Practice well what you intend to do well and make sure your practice mimics a real scenario so you can work out such kinks before it's critical.

-ajm
RE: [ActiveDir] Disaster Recovery
I do a backup of the C: drive and system state using NTBACKUP to a file on an alternate DC, then I back up the whole DC (files and system state) using Legato Networker. Why the NTBACKUP? Just in case...

I've done a couple of hotsite test recoveries of our DCs (HP DL380G2) to various other HP server models, and even to Dells. I've never had a major problem doing this with Server 2003 (Windows 2000, on the other hand, seemed to always give me grief).

I have toyed with the idea of having a couple of DCs running on virtual servers. I'd create a Perl script to nightly shut down the DCs, copy the virtual disk files, then bring the DCs back up. I want to do this not so much for the hardware independence, but rather for the speed of recovery.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Amy Hunter
Sent: Tuesday, March 21, 2006 10:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Disaster Recovery

Hello there,

I have a question regarding Active Directory disaster recovery. I was just curious as to what steps you all take to protect your forest. An example is I back up my System State nightly and these tapes go off to an offsite location. If my building and computer suite were to burn down, I would need to rebuild my forest. In this scenario I am assuming it would be easier to have identical hardware to carry out a restore; I know you can restore to alternate hardware but I hear bad things about this.

The other thought is to have a DC built using virtual server and start this DC once per month to replicate the latest copy of AD, then shut it down, save a copy of the VHD and send it to an offsite location. That way it's not hardware dependent and I would just need to do a metadata cleanup. What do you all do?

amy
RE: [ActiveDir] Disaster Recovery
Using virtual disk file backups or images for AD disaster recovery has USN-rollback perils that have been discussed several times here. It's worth a visit to the archives to check those out before staking your disaster recovery abilities on this strategy. On the other hand, using AD-aware backups in conjunction with virtual servers *does* greatly simplify the hardware issues during a restore, and may be worth considering for that benefit alone.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ken Cornetet
Sent: Tuesday, March 21, 2006 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disaster Recovery

I do a backup of the C: drive and system state using NTBACKUP to a file on an alternate DC, then I back up the whole DC (files and system state) using Legato Networker. Why the NTBACKUP? Just in case...

I've done a couple of hotsite test recoveries of our DCs (HP DL380G2) to various other HP server models, and even to Dells. I've never had a major problem doing this with Server 2003 (Windows 2000, on the other hand, seemed to always give me grief).

I have toyed with the idea of having a couple of DCs running on virtual servers. I'd create a Perl script to nightly shut down the DCs, copy the virtual disk files, then bring the DCs back up. I want to do this not so much for the hardware independence, but rather for the speed of recovery.
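The USN-rollback caveat in the reply above (and the nightly copy-the-virtual-disk-file idea it is replying to) comes down to one mechanism: a replication partner remembers the highest USN it has already pulled from a DC, keyed by that DC's invocation ID, and asks only for anything newer. Putting a disk image back rewinds the DC's USN counter without changing its invocation ID, so the partner silently skips the DC's new writes; an AD-aware restore gives the DC a fresh invocation ID, which makes the old watermark irrelevant. The toy model below is an added illustration, not code from the list or from Microsoft, and it simplifies the real replication model to an invocation ID, a USN counter, version-stamped attributes and a per-partner watermark; the DC names and attribute values are constructed.

```python
"""Toy model of USN rollback after restoring a DC from a disk image.

Added illustration for the thread, not code from the list.  It reduces a
domain controller to an invocation ID, a local USN counter, attribute
values carrying a version stamp, and the high-watermark it keeps per
replication partner.  All names and values below are constructed.
"""
import copy
import itertools

_next_invocation_id = itertools.count(1)


class DomainController:
    def __init__(self, name):
        self.name = name
        self.invocation_id = next(_next_invocation_id)
        self.usn = 0            # highest local update sequence number
        self.attrs = {}         # attribute -> (version, value)
        self.originated = []    # (usn, attribute, version, value) written here
        self.watermarks = {}    # partner name -> {invocation_id: highest USN seen}

    def write(self, attr, value):
        """An originating write: bumps the local USN and the attribute version."""
        version = self.attrs.get(attr, (0, None))[0] + 1
        self.usn += 1
        self.attrs[attr] = (version, value)
        self.originated.append((self.usn, attr, version, value))

    def pull_from(self, src):
        """Inbound replication: take from src only USNs above the watermark we
        hold for src's current invocation ID.  A stale watermark hides changes."""
        seen = self.watermarks.setdefault(src.name, {}).get(src.invocation_id, 0)
        for usn, attr, version, value in src.originated:
            if usn <= seen:
                continue        # "already seen" according to the watermark
            if version > self.attrs.get(attr, (0, None))[0]:
                self.attrs[attr] = (version, value)
            seen = usn
        self.watermarks[src.name][src.invocation_id] = seen


def rollback_detected(partner, src):
    """The check a partner can make: it recorded a higher USN for src's
    invocation ID than src now reports, so src has gone backwards in time."""
    recorded = partner.watermarks.get(src.name, {}).get(src.invocation_id, 0)
    return recorded > src.usn


def scenario(ad_aware_restore):
    """Returns (DC2's copy of the post-restore change, rollback flag)."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.write("alice.phone", "1000")
    dc2.pull_from(dc1)
    image = copy.deepcopy(dc1)          # nightly copy of the virtual disk file
    dc1.write("alice.phone", "2000")    # a change made after the image was taken
    dc2.pull_from(dc1)
    dc1 = image                         # disaster: DC1 comes back from the image
    if ad_aware_restore:
        # A supported restore gives the DC a fresh invocation ID, which makes
        # DC2's old watermark irrelevant; copying the disk file back does not.
        dc1.invocation_id = next(_next_invocation_id)
    detected = rollback_detected(dc2, dc1)
    dc1.write("bob.phone", "3000")      # reuses USN 2, which DC2 already "saw"
    dc2.pull_from(dc1)
    return dc2.attrs.get("bob.phone", (0, None))[1], detected


if __name__ == "__main__":
    print("image restore   :", scenario(ad_aware_restore=False))  # (None, True)
    print("AD-aware restore:", scenario(ad_aware_restore=True))   # ('3000', False)
```

With the image restore DC2 never receives `bob.phone` and the two DCs diverge quietly, which is exactly the outcome the archives warn about; with the new invocation ID DC2 pulls the change, and its newer `alice.phone` value survives because the version stamp wins. Real DCs that detect this condition stop replicating and log it rather than carrying on, so the check in `rollback_detected` is the thing to look for after any image-based recovery, not the silent divergence.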
RE: [ActiveDir] Disaster Recovery
One thing you should try to shoot for is to be geographically dispersed if possible. The more critical AD is to you, the more critical it is to have that in place, because a cold restore of an entire forest is not something any but the seriously demented AD Admins are looking to do. Even if this is a simple laptop running a DC that you allow to replicate once a week and then take home, it is better than nothing. Just be careful with the physical security of that machine. Virtualization is definitely a possible answer, but make sure, as Hunter indicated, that you really understand the implications for rollback.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Amy Hunter
Sent: Tuesday, March 21, 2006 10:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Disaster Recovery

Hello there,

I have a question regarding Active Directory disaster recovery. I was just curious as to what steps you all take to protect your forest. An example is I back up my System State nightly and these tapes go off to an offsite location. If my building and computer suite were to burn down, I would need to rebuild my forest. In this scenario I am assuming it would be easier to have identical hardware to carry out a restore; I know you can restore to alternate hardware but I hear bad things about this.

The other thought is to have a DC built using virtual server and start this DC once per month to replicate the latest copy of AD, then shut it down, save a copy of the VHD and send it to an offsite location. That way it's not hardware dependent and I would just need to do a metadata cleanup. What do you all do?

amy
Re: [ActiveDir] Disaster Recovery
One additional comment that seems to have been missed is that, as previously mentioned, you should carefully consider practicing your restores for the situations you've defined as warranting a disaster recovery. All of the other information about how to do it etc. is great, but there's no substitute for doing it and making sure you have ALL of the components to put the environment back together.

One fun example that illustrates this for me, should I forget for some strange reason, is a company that wanted to implement DR for a situation they were faced with. They never practiced, and when it came time they drug out the other hardware, set up a hub for it (they didn't have a switch like in production - hint) and gathered the latest backup from the off-site storage facility (somebody's closet is my guess, but I digress). They put the DC back, then their email, and everything seemed to work. Hooray, they were ready for business. Sure, there were some issues along the way such as getting power, environmentals, network, hardware, etc. But through heroic efforts that was overcome and they managed to recover AD and Email. As they watched the counters, somebody asked, "how come there's no email coming in and why isn't anybody using it?" Answer?

1) Because nobody thought about WAN or ISP connectivity implications, and
2) because the users had no equipment and no way to access this newly restored server.

Moral? Practice well what you intend to do well and make sure your practice mimics a real scenario so you can work out such kinks before it's critical.

-ajm

On 3/21/06, joe [EMAIL PROTECTED] wrote:

One thing you should try to shoot for is to be geographically dispersed if possible. The more critical AD is to you, the more critical it is to have that in place, because a cold restore of an entire forest is not something any but the seriously demented AD Admins are looking to do. Even if this is a simple laptop running a DC that you allow to replicate once a week and then take home, it is better than nothing. Just be careful with the physical security of that machine. Virtualization is definitely a possible answer, but make sure, as Hunter indicated, that you really understand the implications for rollback.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
RE: [ActiveDir] Disaster Recovery Training
Just been to their expanding directory boundaries seminar and can confirm that she does indeed have legs :) :) :)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Parris
Sent: 25 July 2005 20:40
To: ActiveDir.org
Subject: Re: [ActiveDir] Disaster Recovery Training

John and Sally are two of the best communicators in the business; I am looking forward to the pre-conference presentation at November's IT Forum. I wonder if this year we will confirm if Sally has legs, as in all the presentations I have ever been to all I see is her head and torso behind her demo boxes.

As for the DR, I will explore this option.

Many thanks,
Mark

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Disaster Recovery Training
Whilst not independent, I know Quest offer something along these lines.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Parris
Sent: 25 July 2005 13:35
To: ActiveDir.org
Subject: [ActiveDir] Disaster Recovery Training

All,

Does anyone know of a training provider that provides dedicated Active Directory\Exchange Disaster Recovery Training? I know Microsoft do, but these are closed courses for corporate customers who have a premier support contract.

Regards
Mark

==
Please access the attached hyperlink for an important electronic communications disclaimer: http://www.csfb.com/legal_terms/disclaimer_external_email.shtml
==
RE: [ActiveDir] Disaster Recovery Training
also take a look at:

Active Directory Disaster Recovery
http://www.netpro.com/events/adrecovery/index.cfm

NetPro and HP invite you to join Active Directory experts Gil Kirkpatrick, CTO at NetPro, and Guido Grillenmeier, Senior Consultant of Enterprise Microsoft Services at Hewlett Packard, as they discuss real-life disaster scenarios and share tips and techniques to help ensure that your business stays profitable in the midst of directory disruptions. Learn first-hand how to recognize and prevent possible disaster scenarios before they even occur. Discover new tools and techniques that help recover deleted objects while keeping your users online. Master such difficult tasks as group membership, security descriptor, and password recovery. And learn how to prevent disasters through proactive directory health management. Plus, Gil and Guido will be taking live questions from audience members to help you solve your own personal directory issues.

Cheers
#JORGE#

From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Mon 7/25/2005 2:34 PM
To: ActiveDir.org
Subject: [ActiveDir] Disaster Recovery Training

All,

Does anyone know of a training provider that provides dedicated Active Directory\Exchange Disaster Recovery Training? I know Microsoft do, but these are closed courses for corporate customers who have a premier support contract.

Regards
Mark

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
RE: [ActiveDir] Disaster Recovery Training
thanks for the advertising Jorge - and I didn't even promise you any goodies :-)

Mark, you might also want to have a look at John Craddock and Sally Storey's offering for a 1-day 400-level AD Disaster Recovery seminar: http://www.kimberry.co.uk/dotnetlectures/addr.aspx

John and Sally are well known from various MS events (TechEd, ITforum etc.) and offer these courses to everyone. While I'm sure they're not cheap, they're definitely worth the money - educational and entertaining at the same time.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
Sent: Monday, 25 July 2005 15:34
To: ActiveDir@mail.activedir.org; ActiveDir.org
Subject: RE: [ActiveDir] Disaster Recovery Training

also take a look at:

Active Directory Disaster Recovery
http://www.netpro.com/events/adrecovery/index.cfm

NetPro and HP invite you to join Active Directory experts Gil Kirkpatrick, CTO at NetPro, and Guido Grillenmeier, Senior Consultant of Enterprise Microsoft Services at Hewlett Packard, as they discuss real-life disaster scenarios and share tips and techniques to help ensure that your business stays profitable in the midst of directory disruptions. Learn first-hand how to recognize and prevent possible disaster scenarios before they even occur. Discover new tools and techniques that help recover deleted objects while keeping your users online. Master such difficult tasks as group membership, security descriptor, and password recovery. And learn how to prevent disasters through proactive directory health management. Plus, Gil and Guido will be taking live questions from audience members to help you solve your own personal directory issues.

Cheers
#JORGE#
Re: [ActiveDir] Disaster Recovery Training
John and Sally are two of the best communicators in the business; I am looking forward to the pre-conference presentation at November's IT Forum. I wonder if this year we will confirm if Sally has legs, as in all the presentations I have ever been to all I see is her head and torso behind her demo boxes.

As for the DR, I will explore this option.

Many thanks,
Mark

-----Original Message-----
From: Grillenmeier, Guido [EMAIL PROTECTED]
Date: Mon, 25 Jul 2005 17:00:28
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disaster Recovery Training

thanks for the advertising Jorge - and I didn't even promise you any goodies :-)

Mark, you might also want to have a look at John Craddock and Sally Storey's offering for a 1-day 400-level AD Disaster Recovery seminar: http://www.kimberry.co.uk/dotnetlectures/addr.aspx

John and Sally are well known from various MS events (TechEd, ITforum etc.) and offer these courses to everyone. While I'm sure they're not cheap, they're definitely worth the money - educational and entertaining at the same time.

/Guido
Re: [ActiveDir] Disaster Recovery Training
The MS courses you mention are often available to Partners as well (not just customers with premier contracts), so you might want to check into that if you are working for an MS Partner. That NetPro webinar looks good though, I'd definitely attend that.

Phil

On 7/25/05, Mark Parris [EMAIL PROTECTED] wrote:

John and Sally are two of the best communicators in the business; I am looking forward to the pre-conference presentation at November's IT Forum. I wonder if this year we will confirm if Sally has legs, as in all the presentations I have ever been to all I see is her head and torso behind her demo boxes.

As for the DR, I will explore this option.

Many thanks,
Mark
RE: [ActiveDir] Disaster Recovery Training
I work independently, and whereas I used to work at a large bank, I am now consulting for multiple organisations, so I have neither access to a premier support contract nor any Microsoft partner resources. So I have to scavenge courses where I can; I am always looking for the best deals that money can buy.

Mark

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: 25 July 2005 20:38
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Disaster Recovery Training

The MS courses you mention are often available to Partners as well (not just customers with premier contracts), so you might want to check into that if you are working for an MS Partner. That NetPro webinar looks good though, I'd definitely attend that.

Phil

On 7/25/05, Mark Parris [EMAIL PROTECTED] wrote:

John and Sally are two of the best communicators in the business; I am looking forward to the pre-conference presentation at November's IT Forum. I wonder if this year we will confirm that Sally has legs, as in all the presentations I have ever been to all I see is her head and torso behind her demo boxes.

As for the DR, I will explore this option.

Many thanks,
Mark

-----Original Message-----
From: Grillenmeier, Guido [EMAIL PROTECTED]
Date: Mon, 25 Jul 2005 17:00:28
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disaster Recovery Training

Thanks for the advertising Jorge - and I didn't even promise you any goodies :-)

Mark, you might also want to have a look at John Craddock and Sally Storey's offering for a 1-day 400-level AD Disaster Recovery seminar: http://www.kimberry.co.uk/dotnetlectures/addr.aspx

John and Sally are well known from various MS events (TechEd, ITforum etc.) and offer these courses to everyone. While I'm sure they're not cheap, they're definitely worth the money - educational and entertaining at the same time.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Monday, 25 July 2005 15:34
To: ActiveDir@mail.activedir.org; ActiveDir.org
Subject: RE: [ActiveDir] Disaster Recovery Training

Also take a look at:

Active Directory Disaster Recovery
http://www.netpro.com/events/adrecovery/index.cfm

NetPro and HP invite you to join Active Directory experts Gil Kirkpatrick, CTO at NetPro, and Guido Grillenmeier, Senior Consultant of Enterprise Microsoft Services at Hewlett Packard, as they discuss real-life disaster scenarios and share tips and techniques to help ensure that your business stays profitable in the midst of directory disruptions. Learn first-hand how to recognize and prevent possible disaster scenarios before they even occur. Discover new tools and techniques that help recover deleted objects while keeping your users online. Master such difficult tasks as group membership, security descriptor, and password recovery. And learn how to prevent disasters through proactive directory health management. Plus, Gil and Guido will be taking live questions from audience members to help you solve your own personal directory issues.

Cheers
#JORGE#

From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Mon 7/25/2005 2:34 PM
To: ActiveDir.org
Subject: [ActiveDir] Disaster Recovery Training

All,

Does anyone know of a training provider that provides dedicated Active Directory\Exchange Disaster Recovery Training? I know Microsoft do, but these are closed courses for corporate customers who have a premier support contract.

Regards
Mark
RE: [ActiveDir] Disaster Recovery Training
Hi Mark,

MSEtechnology offers a number of AD classes, some of which were formerly MS internal-only and most of which incorporate extensive DR content. I'm uncertain as to your requirements or your preferred delivery logistics. Feel free to contact me off-list if you'd like further information; our web site provides an outline of one such class.

Regards.

Dean
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Monday, July 25, 2005 3:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disaster Recovery Training

I work independently, and whereas I used to work at a large bank, I am now consulting for multiple organisations, so I have neither access to a premier support contract nor any Microsoft partner resources. So I have to scavenge courses where I can; I am always looking for the best deals that money can buy.

Mark

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: 25 July 2005 20:38
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Disaster Recovery Training

The MS courses you mention are often available to Partners as well (not just customers with premier contracts), so you might want to check into that if you are working for an MS Partner. That NetPro webinar looks good though, I'd definitely attend that.

Phil

On 7/25/05, Mark Parris [EMAIL PROTECTED] wrote:

John and Sally are two of the best communicators in the business; I am looking forward to the pre-conference presentation at November's IT Forum. I wonder if this year we will confirm that Sally has legs, as in all the presentations I have ever been to all I see is her head and torso behind her demo boxes.

As for the DR, I will explore this option.

Many thanks,
Mark

-----Original Message-----
From: Grillenmeier, Guido [EMAIL PROTECTED]
Date: Mon, 25 Jul 2005 17:00:28
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disaster Recovery Training

Thanks for the advertising Jorge - and I didn't even promise you any goodies :-)

Mark, you might also want to have a look at John Craddock and Sally Storey's offering for a 1-day 400-level AD Disaster Recovery seminar: http://www.kimberry.co.uk/dotnetlectures/addr.aspx

John and Sally are well known from various MS events (TechEd, ITforum etc.) and offer these courses to everyone. While I'm sure they're not cheap, they're definitely worth the money - educational and entertaining at the same time.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Monday, 25 July 2005 15:34
To: ActiveDir@mail.activedir.org; ActiveDir.org
Subject: RE: [ActiveDir] Disaster Recovery Training

Also take a look at:

Active Directory Disaster Recovery
http://www.netpro.com/events/adrecovery/index.cfm

NetPro and HP invite you to join Active Directory experts Gil Kirkpatrick, CTO at NetPro, and Guido Grillenmeier, Senior Consultant of Enterprise Microsoft Services at Hewlett Packard, as they discuss real-life disaster scenarios and share tips and techniques to help ensure that your business stays profitable in the midst of directory disruptions. Learn first-hand how to recognize and prevent possible disaster scenarios before they even occur. Discover new tools and techniques that help recover deleted objects while keeping your users online. Master such difficult tasks as group membership, security descriptor, and password recovery. And learn how to prevent disasters through proactive directory health management. Plus, Gil and Guido will be taking live questions from audience members to help you solve your own personal directory issues.

Cheers
#JORGE#

From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Mon 7/25/2005 2:34 PM
To: ActiveDir.org
Subject: [ActiveDir] Disaster Recovery Training

All,

Does anyone know of a training provider that provides dedicated Active Directory\Exchange Disaster Recovery Training? I know Microsoft do, but these are closed courses for corporate customers who have a premier support contract.

Regards
Mark
RE: [ActiveDir] disaster recovery
Excellent post. I just wanted to jump in and reemphasize that point. Restoring a single domain of a forest in an isolated environment and expecting it to work is unrealistic. I agree with Guido in that you never should have been given admin rights into a domain of someone else's forest. You should have had OU privileges or just had your own forest entirely.

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Thursday, March 25, 2004 2:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

AD is supposed to be an enterprise directory where most enterprises span the globe and have multiple sister corps or corps they've merged with or acquired. These corps have their own domains and IT depts.

That's not how AD is supposed to be - that's merely how you'd like to use it. Not necessarily the same. I agree that some companies may implement it this way, especially in the early days of AD, but not after they understood that not the domain, but the forest is the security boundary. If you have no good working relationship with your mother corp and they're not really too fond of you either, they should have never offered you your own domain. You would have been a perfect candidate for a separate forest. However, if they still wanted to fully integrate you into their forest without trusting you to perform service-level operations (i.e. tasks that require domain admin privileges), they would merely have needed to grant you management of one or a few OUs.

Whether you like it or not, recovery of AD - in case of the disaster you describe, or in other disasters that go more towards deletion of objects - is a forest-level task that usually requires enterprise admin privileges. I am not saying that I don't think it would be nice if this wasn't the case, but once you learn to treat a domain as an integral part of a forest that should not be managed by a separate team of administrators, it doesn't make a difference.

/Guido

From: Kern, Tom [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, 25 March 2004 18:56
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

Going to AD was something decided by the higher-ups to merge my corp and our sister corp into a seamless whole. The sister corp already had AD in place and they own the root. Our IT depts. don't exactly communicate or relate to each other very well :) I'm sure it's like that in a lot of places. Before coming here, I was in a Netware 6.0 environment and feel that directory is much more mature in terms of configurability and satisfying all the business needs that AD does. I exaggerated when I said I would move from AD to NDS.

It's just that when my corp wants to do DR testing for our domain and we go away to the DR site and want to recreate most of our infrastructure from backup, etc., it's frustrating to have to go to our sister corp IT dept and ask them for the Domain admin or enterprise admin password or a copy of their root role-holding master DC on a laptop or VMware just to practise recovery of our domain and Exchange 2K. It seems MS made it so you can't recover a child domain without connectivity to the root. That kinda stinks. I can understand losing some functionality but still be up and running. However, to make it impossible to get up at all without the root FSMO DC is I think something that needs to be addressed. In MS's mind, all their DR whitepapers assume you either lost a DC or 2 and want to recover them OR you lost the entire forest. They really don't address losing a child domain. AD is supposed to be an enterprise directory where most enterprises span the globe and have multiple sister corps or corps they've merged with or acquired. These corps have their own domains and IT depts. If one corp goes down, in MS's implementation, this corp has to get in touch with the IT dept of the root, be allowed high access to the forest OR have someone from that other IT dept free enough to come down for security reasons and log in himself as enterprise admin. Also some physical connectivity is implied... All in the middle of a disaster OR just to test and practice for said disaster. That's asking for a lot of any large company. MS should know how unrealistic this is more than anyone.

My pointless two cents. Thanks for reading and replying before.

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Thu 3/25/2004 10:20 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] disaster recovery

Just out of curiosity, why did you deploy a forest root structure? Why didn't you go with a single domain structure? Otherwise, who manages the schema without the root? Who manages the domain naming master in your environment (both
RE: [ActiveDir] disaster recovery
Guido and Joe,

First of all, thank you for all your advice and help. You guys are absolutely right, we should have never gotten a domain if they didn't trust us with Enterprise admin rights over the forest. I assume they can't shake the Win NT view of domains yet. However, this was a management issue and decision. I just inherited all the problems and fallout of said issue. I suppose it was a technological solution to a political problem. Now I was just trying to figure out if there was any hack to restore a child domain without root connectivity. In a real disaster, I'm sure common sense would prevail over politics and we would all work together, kinda like I imagined IT to be when I first got into it. Innocent boy that I was. In the interim I thought there might be some way to test a recovery without the root. Some reg key or DNS record to copy over... I guess not.

Thank you both again for your help.

-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Sat 3/27/2004 5:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

Excellent post. I just wanted to jump in and reemphasize that point. Restoring a single domain of a forest in an isolated environment and expecting it to work is unrealistic. I agree with Guido in that you never should have been given admin rights into a domain of someone else's forest. You should have had OU privileges or just had your own forest entirely.

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Thursday, March 25, 2004 2:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

AD is supposed to be an enterprise directory where most enterprises span the globe and have multiple sister corps or corps they've merged with or acquired. These corps have their own domains and IT depts.

That's not how AD is supposed to be - that's merely how you'd like to use it. Not necessarily the same. I agree that some companies may implement it this way, especially in the early days of AD, but not after they understood that not the domain, but the forest is the security boundary. If you have no good working relationship with your mother corp and they're not really too fond of you either, they should have never offered you your own domain. You would have been a perfect candidate for a separate forest. However, if they still wanted to fully integrate you into their forest without trusting you to perform service-level operations (i.e. tasks that require domain admin privileges), they would merely have needed to grant you management of one or a few OUs.

Whether you like it or not, recovery of AD - in case of the disaster you describe, or in other disasters that go more towards deletion of objects - is a forest-level task that usually requires enterprise admin privileges. I am not saying that I don't think it would be nice if this wasn't the case, but once you learn to treat a domain as an integral part of a forest that should not be managed by a separate team of administrators, it doesn't make a difference.

/Guido

From: Kern, Tom [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, 25 March 2004 18:56
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

Going to AD was something decided by the higher-ups to merge my corp and our sister corp into a seamless whole. The sister corp already had AD in place and they own the root. Our IT depts. don't exactly communicate or relate to each other very well :) I'm sure it's like that in a lot of places. Before coming here, I was in a Netware 6.0 environment and feel that directory is much more mature in terms of configurability and satisfying all the business needs that AD does. I exaggerated when I said I would move from AD to NDS.

It's just that when my corp wants to do DR testing for our domain and we go away to the DR site and want to recreate most of our infrastructure from backup, etc., it's frustrating to have to go to our sister corp IT dept and ask them for the Domain admin or enterprise admin password or a copy of their root role-holding master DC on a laptop or VMware just to practise recovery of our domain and Exchange 2K. It seems MS made it so you can't recover a child domain without connectivity to the root. That kinda stinks. I can understand losing some functionality but still be up and running. However
RE: [ActiveDir] disaster recovery
Unfortunately no, no way to test in an isolated way like that without bringing at least the root with you and probably any other domains. I guess you need to find out how important this is. If it is truly critical to know this will work in a disaster you need to do one of two things.

1. Get the folks with the Enterprise keys involved and do overall testing of the whole solution.
2. Build your own forest and migrate to it and then set up trusts to the other forest/domains that are needed.

I'm thinking honestly that the second answer is probably the right one UNLESS the company is trying to collapse to a single IT group, in which case the first option would be feasible.

joe

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Saturday, March 27, 2004 7:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

Guido and Joe,

First of all, thank you for all your advice and help. You guys are absolutely right, we should have never gotten a domain if they didn't trust us with Enterprise admin rights over the forest. I assume they can't shake the Win NT view of domains yet. However, this was a management issue and decision. I just inherited all the problems and fallout of said issue. I suppose it was a technological solution to a political problem. Now I was just trying to figure out if there was any hack to restore a child domain without root connectivity. In a real disaster, I'm sure common sense would prevail over politics and we would all work together, kinda like I imagined IT to be when I first got into it. Innocent boy that I was. In the interim I thought there might be some way to test a recovery without the root. Some reg key or DNS record to copy over... I guess not.

Thank you both again for your help.

-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Sat 3/27/2004 5:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

Excellent post. I just wanted to jump in and reemphasize that point. Restoring a single domain of a forest in an isolated environment and expecting it to work is unrealistic. I agree with Guido in that you never should have been given admin rights into a domain of someone else's forest. You should have had OU privileges or just had your own forest entirely.

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Thursday, March 25, 2004 2:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

AD is supposed to be an enterprise directory where most enterprises span the globe and have multiple sister corps or corps they've merged with or acquired. These corps have their own domains and IT depts.

That's not how AD is supposed to be - that's merely how you'd like to use it. Not necessarily the same. I agree that some companies may implement it this way, especially in the early days of AD, but not after they understood that not the domain, but the forest is the security boundary. If you have no good working relationship with your mother corp and they're not really too fond of you either, they should have never offered you your own domain. You would have been a perfect candidate for a separate forest. However, if they still wanted to fully integrate you into their forest without trusting you to perform service-level operations (i.e. tasks that require domain admin privileges), they would merely have needed to grant you management of one or a few OUs.

Whether you like it or not, recovery of AD - in case of the disaster you describe, or in other disasters that go more towards deletion of objects - is a forest-level task that usually requires enterprise admin privileges. I am not saying that I don't think it would be nice if this wasn't the case, but once you learn to treat a domain as an integral part of a forest that should not be managed by a separate team of administrators, it doesn't make a difference.

/Guido

From: Kern, Tom [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, 25 March 2004 18:56
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

Going to AD was something decided by the higher-ups to merge my corp and our sister corp into a seamless whole. The sister corp already had AD in place and they own the root. Our IT depts. don't exactly communicate or relate to each other very well :) I'm sure it's like that in a lot of places. Before coming here, I was in a Netware 6.0 environment and feel that directory is much more mature in terms of configurability and satisfying all the business needs that AD does. I exaggerated when I said I would move from AD to NDS
RE: [ActiveDir] disaster recovery
If you don't have the forest root DNS zone then you are missing the _msdcs zone which is needed for replication to occur.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, March 24, 2004 1:35 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] disaster recovery

I just restored AD. I had a test laptop, pulled it off the network, ran ntdsutil, seized all 3 roles, ran metadata cleanup and removed all my old DCs. Deleted them with adsiedit and all DNS records as well. Then at the DR site, I set up new servers with the same names as the old ones, ran dcpromo. However, the new servers get DNS lookup/RPC errors when I try to force a replication. Also, they fail a dcdiag because the GUID DNS name is not present and the server fails a directory request. Also the SRV records for kerberos and kpasswd do not appear in DNS for my domain.

The test laptop had an AD-integrated DNS zone pulled directly from my real network. However, it just has the zone for my domain, not the forest root. Do I need this record as well to promote DCs? I'm not connected to the forest anyway, but should I have the forest root records too? What am I doing wrong?

Thanks
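The records the replies above name are exactly the ones a DR rehearsal should verify before anyone tries to force replication: the domain SRV records for LDAP, Kerberos and kpasswd, the _msdcs records, the GC records (which live under the forest root zone, not the child zone), and the per-DC GUID CNAME in the root's _msdcs zone that dcdiag reports as the missing "GUID DNS name". The following pre-flight script is an added example, not code from the thread or from Microsoft. It assumes the ActiveDirectory and DnsClient PowerShell modules (Windows Server 2012 or later), a domain-joined machine in the domain being rehearsed, and a lab DNS server address passed in $DnsServer (the 192.0.2.10 default is a placeholder):

```powershell
# Added example (not from the thread): pre-flight DNS check for DCs in a DR lab.
# Assumes the ActiveDirectory and DnsClient modules and a domain-joined host.
param(
    [string]$DnsServer = '192.0.2.10'   # assumption: the DR-lab DNS server; adjust to your lab
)
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
$root   = $forest.RootDomain            # the _msdcs zone and GC records live under the forest root

function Test-DrRecord {
    # Resolve one record against the lab DNS server and report OK/MISSING with its targets.
    param([string]$Name, [string]$Type)
    try {
        $rr = Resolve-DnsName -Name $Name -Type $Type -Server $DnsServer -ErrorAction Stop |
              Where-Object { $_.Type -eq $Type }
    } catch { $rr = $null }
    $targets = switch ($Type) {
        'SRV'   { $rr.NameTarget }      # DnsRecord_SRV exposes the host in NameTarget
        'CNAME' { $rr.NameHost }        # CNAME answers expose the canonical name in NameHost
    }
    [pscustomobject]@{
        Record  = $Name
        Type    = $Type
        Status  = if ($rr) { 'OK' } else { 'MISSING' }
        Targets = ($targets -join ', ')
    }
}

# Records Netlogon registers for the domain: DC locator, KDC, password change, PDC emulator.
$checks = @(
    @{ Name = "_ldap._tcp.$($domain.DNSRoot)";            Type = 'SRV' }
    @{ Name = "_kerberos._tcp.$($domain.DNSRoot)";        Type = 'SRV' }
    @{ Name = "_kpasswd._tcp.$($domain.DNSRoot)";         Type = 'SRV' }
    @{ Name = "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)";  Type = 'SRV' }
    @{ Name = "_ldap._tcp.pdc._msdcs.$($domain.DNSRoot)"; Type = 'SRV' }
    # GC records are registered under the forest root zone, never under a child domain zone.
    @{ Name = "_gc._tcp.$root";                           Type = 'SRV' }
    @{ Name = "_ldap._tcp.gc._msdcs.$root";               Type = 'SRV' }
)

# The CNAME replication partners use to find each DC: <NTDS Settings objectGUID>._msdcs.<root>
foreach ($dc in Get-ADDomainController -Filter *) {
    $guid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID
    $checks += @{ Name = "$guid._msdcs.$root"; Type = 'CNAME' }
}

$results = foreach ($c in $checks) { Test-DrRecord -Name $c.Name -Type $c.Type }
$results | Format-Table -AutoSize

$missing = @($results | Where-Object Status -eq 'MISSING')
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) record(s) missing; replication and logons will fail until they exist."
    exit 1
}
```

Run it on the lab network after the restored DNS server is up and before dcpromo or a forced replication. A MISSING result on the GUID CNAME or on anything under $root is the symptom described in this thread: the forest-root zone (including _msdcs) was never brought to the DR site. The built-in dcdiag /test:DNS covers similar ground on the DC itself; the script is useful because it can be run from any lab box and reports all domains' records in one table.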
RE: [ActiveDir] disaster recovery
Just out of curiosity, why did you deploy a forest root structure? Why didn't you go with a single domain structure? Otherwise, who manages the schema without the root? Who manages the domain naming master in your environment (both are at the root, right?) Who handles your time synch? Who holds the Enterprise Administrator permissions?

From: http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/support/adrecov.mspx

"Important: Backup data from a DC can only be used to restore that DC. You cannot use a backup of one DC to restore another. To have your environment completely backed up, you would need to have a backup of every domain controller. This should be kept in mind while developing your backup strategy. The minimum requirement should be to backup all the OM role holders and GCs. Also the first domain controller in the root domain should always be backed up."

"Note: Because this procedure requires modifying the configuration naming context, it requires Enterprise Administrator permissions."

Switching to something that works for you is certainly an understandable path to take, but only if you understand that product better AND it solves your issues. IT is not about technology for technology's sake; it's about solving your business issues. If you need something else to make that happen, I'd be the first to tell you to go do it. This thread comes across as sticker shock as you go to do this. This is also why you want to practice this stuff all the time; that way you are not surprised at 0200 when everything is down.

Al

From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 5:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

I don't need the schema or domain naming roles to restore my domain. I have all the other roles. Yet it still has issues with finding a GC or replicating within a domain. Why? This is a fundamental design flaw of AD. It boggles the mind. If in a real disaster or even a test, MS expects you to have connectivity to your root domain wherever it may be (on the other side of the world) AND access to that domain's Admin passwords or accounts OR enterprise admin just to get up and running, then they are clearly not living in this world. AD was meant for the enterprise where a corp could have offices and domains all over the world. If in the event of disaster, we have to worry about ISDN or T1 lines to the root and overcome all the politics of diff IT depts and security to beg for the enterprise password (even just for a simple test) JUST to get functional (not add or delete domains or modify the schema), then I'm ready to ditch AD for NDS or something more realistic.

What other reason could I have to connect to the root? What other secrets does it hold aside from the 2 roles? Does anyone know? Why doesn't MS tell you these things in their DR documentation? Is it so obvious? Why is connectivity to the root never mentioned as key? Am I the idiot? I'm willing to accept that, but what else does the root DC hold in terms of AD functionality?

Thank you for all your help so far.

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Wed 3/24/2004 4:28 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] disaster recovery

No, you need the root domain as it holds some of the roles etc. In order for this to work, you need to restore the root domain as well. I've found that doing this with a virtual server is sometimes easier but that just saves on hardware requirements.

Al

From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 3:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

Yes. A quick question: can one restore an entire child domain without connectivity to the root domain?

-----Original Message-----
From: Anderson Santos Patricio [mailto:[EMAIL PROTECTED]
Sent: Wed 3/24/2004 2:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

Are your zones set to Dynamic Updates = YES???

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, 24 March 2004 16:47
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

Restarting netlogon or registerdns does not work. Where is this copy of the root zone in my DNS server? I don't think I have it by default. I had to transfer it on my DNS server back home. Also, if I had it, wouldn't creating an AD-integrated DNS server on my test DC also have it? Finally, when DCs replicate, do they look each other up in a GC? I never had any GC SRV records in my local domain zone, only in the root. Is this normal?

Thanks for your reply

-----Original Message-----
From: An
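Al's quotation from the Microsoft recovery guide gives a concrete minimum backup set: every operations-master role holder, every GC, and the first DC of the root domain, with the reminder that a DC's backup restores only that DC. The following script is an added example, not code from the thread or from Microsoft; it derives that set from the live forest and checks each member's last system-state backup against the forest tombstone lifetime, because a backup older than the tombstone lifetime cannot be restored. It assumes the ActiveDirectory module, repadmin.exe on the path, and Enterprise Admin-level read access to every domain. The "first DC in the root domain" is approximated by the oldest NTDS Settings object, and the regex used on repadmin /showbackup output (a yyyy-MM-dd HH:mm:ss timestamp) is an assumption that may need adjusting for your OS version and locale:

```powershell
# Added example (not from the thread): compute the minimum AD backup set and check backup age.
# Assumes the ActiveDirectory module, repadmin.exe, and read access to all domains in the forest.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootDse = Get-ADRootDSE
$dsCfg   = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
                        -Properties tombstoneLifetime
# If the attribute is unset the effective tombstone lifetime is 60 days (forests created before 2003 SP1).
$tsl = if ($dsCfg.tombstoneLifetime) { $dsCfg.tombstoneLifetime } else { 60 }

function Get-LastBackupDate {
    # repadmin /showbackup reports the backup time recorded in dSASignature per naming context.
    # Assumption: the timestamp appears as yyyy-MM-dd HH:mm:ss; the newest one is returned.
    param([string]$DcHostName)
    $out    = & repadmin.exe /showbackup $DcHostName 2>&1 | Out-String
    $stamps = [regex]::Matches($out, '\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}') |
              ForEach-Object {
                  [datetime]::ParseExact($_.Value, 'yyyy-MM-dd HH:mm:ss',
                                         [Globalization.CultureInfo]::InvariantCulture)
              }
    if ($stamps) { ($stamps | Sort-Object -Descending)[0] } else { $null }
}

$plan = foreach ($dom in $forest.Domains) {
    $dcs = Get-ADDomainController -Filter * -Server $dom

    # Approximation: treat the DC with the oldest NTDS Settings object as the root domain's first DC.
    $firstRootDc = $null
    if ($dom -eq $forest.RootDomain) {
        $firstRootDc = $dcs |
            Sort-Object { (Get-ADObject -Identity $_.NTDSSettingsObjectDN -Properties whenCreated).whenCreated } |
            Select-Object -First 1
    }

    foreach ($dc in $dcs) {
        $reasons = @()
        if ($dc.OperationMasterRoles.Count -gt 0) { $reasons += "FSMO: $($dc.OperationMasterRoles -join ',')" }
        if ($dc.IsGlobalCatalog)                  { $reasons += 'GC' }
        if ($firstRootDc -and $dc.HostName -eq $firstRootDc.HostName) { $reasons += 'first DC in root domain' }
        if ($reasons.Count -eq 0) { continue }    # outside the minimum set (still worth backing up)

        $last = Get-LastBackupDate -DcHostName $dc.HostName
        [pscustomobject]@{
            Domain     = $dom
            DC         = $dc.HostName
            Why        = $reasons -join '; '
            LastBackup = $last
            # A backup is only restorable while it is younger than the tombstone lifetime.
            Usable     = ($null -ne $last) -and ((((Get-Date) - $last).TotalDays) -lt $tsl)
        }
    }
}

$plan | Format-Table -AutoSize
$plan | Export-Csv -Path .\ad-minimum-backup-set.csv -NoTypeInformation

$bad = @($plan | Where-Object { -not $_.Usable })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) DC(s) in the minimum set have no backup younger than the $tsl-day tombstone lifetime."
}
```

The exported CSV is the list the offsite tapes must actually contain; it is also the list of machines whose restores a rehearsal has to exercise, which is why the output is per-DC rather than per-domain. Because role holders and GCs move, schedule the script to run before each backup cycle rather than once at design time.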
RE: [ActiveDir] disaster recovery
Going to AD was something decided by the higher-ups to merge my corp and our sister corp into a seamless whole. The sister corp already had AD in place and they own the root. Our IT depts. don't exactly communicate or relate to each other very well :) I'm sure it's like that in a lot of places. Before coming here, I was in a Netware 6.0 environment and feel that directory is much more mature in terms of configurability and satisfying all the business needs that AD does. I exaggerated when I said I would move from AD to NDS.

It's just that when my corp wants to do DR testing for our domain and we go away to the DR site and want to recreate most of our infrastructure from backup, etc., it's frustrating to have to go to our sister corp IT dept and ask them for the Domain admin or enterprise admin password or a copy of their root role-holding master DC on a laptop or VMware just to practise recovery of our domain and Exchange 2K. It seems MS made it so you can't recover a child domain without connectivity to the root. That kinda stinks. I can understand losing some functionality but still be up and running. However, to make it impossible to get up at all without the root FSMO DC is I think something that needs to be addressed. In MS's mind, all their DR whitepapers assume you either lost a DC or 2 and want to recover them OR you lost the entire forest. They really don't address losing a child domain. AD is supposed to be an enterprise directory where most enterprises span the globe and have multiple sister corps or corps they've merged with or acquired. These corps have their own domains and IT depts. If one corp goes down, in MS's implementation, this corp has to get in touch with the IT dept of the root, be allowed high access to the forest OR have someone from that other IT dept free enough to come down for security reasons and log in himself as enterprise admin. Also some physical connectivity is implied... All in the middle of a disaster OR just to test and practice for said disaster. That's asking for a lot of any large company. MS should know how unrealistic this is more than anyone.

My pointless two cents. Thanks for reading and replying before.

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Thu 3/25/2004 10:20 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] disaster recovery

Just out of curiosity, why did you deploy a forest root structure? Why didn't you go with a single domain structure? Otherwise, who manages the schema without the root? Who manages the domain naming master in your environment (both are at the root, right?) Who handles your time synch? Who holds the Enterprise Administrator permissions?

From: http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/support/adrecov.mspx

"Important: Backup data from a DC can only be used to restore that DC. You cannot use a backup of one DC to restore another. To have your environment completely backed up, you would need to have a backup of every domain controller. This should be kept in mind while developing your backup strategy. The minimum requirement should be to backup all the OM role holders and GCs. Also the first domain controller in the root domain should always be backed up."

"Note: Because this procedure requires modifying the configuration naming context, it requires Enterprise Administrator permissions."

Switching to something that works for you is certainly an understandable path to take, but only if you understand that product better AND it solves your issues. IT is not about technology for technology's sake; it's about solving your business issues. If you need something else to make that happen, I'd be the first to tell you to go do it. This thread comes across as sticker shock as you go to do this. This is also why you want to practice this stuff all the time; that way you are not surprised at 0200 when everything is down.

Al

From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 5:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

I don't need the schema or domain naming roles to restore my domain. I have all the other roles. Yet it still has issues with finding a GC or replicating within a domain. Why? This is a fundamental design flaw of AD. It boggles the mind. If in a real disaster or even a test, MS expects you to have connectivity to your root domain wherever it may be (on the other side of the world) AND access to that domain's Admin passwords or accounts OR enterprise admin just to get up and running, then they are clearly not living in this world
RE: [ActiveDir] disaster recovery
"AD is supposed to be an enterprise directory where most enterprises span the globe and have multiple sister corps or corps they've merged with or acquired. These corps have their own domains and IT depts."

That's not how AD is supposed to be - that's merely how you'd like to use it. Not necessarily the same. I agree that some companies may implement it this way, especially in the early days of AD, but not after they understood that not the domain, but the forest is the security boundary. If you have no good working relationship with your mother corp and they're not really too fond of you either, they should never have offered you your own domain. You would have been a perfect candidate for a separate forest. However, if they still wanted to fully integrate you into their forest without trusting you to perform service-level operations (i.e. tasks that require domain admin privileges), they would merely have needed to grant you management of one or a few OUs.

Whether you like it or not, recovery of AD - in case of the disaster you describe, or in other disasters that go more towards deletion of objects - is a forest-level task that usually requires enterprise admin privileges. I am not saying that I don't think it would be nice if this wasn't the case, but once you learn to treat a domain as an integral part of a forest that should not be managed by a separate team of administrators, it doesn't make a difference.

/Guido

From: Kern, Tom [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Thursday, 25 March 2004 18:56
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

Going to AD was something decided by the higher-ups to merge my corp and our sister corp into a seamless whole. The sister corp already had AD in place and they own the root. Our IT depts. don't exactly communicate or relate to each other very well :) I'm sure it's like that in a lot of places.

Before coming here, I was in a NetWare 6.0 environment and feel that directory is much more mature in terms of configurability and satisfying all the business needs that AD does. I exaggerated when I said I would move from AD to NDS. It's just that when my corp wants to do DR testing for our domain and we go away to the DR site and want to recreate most of our infrastructure from backup, etc., it's frustrating to have to go to our sister corp IT dept and ask them for the Domain Admin or Enterprise Admin password or a copy of their root role-holding master DC on a laptop or VMware just to practise recovery of our domain and Exchange 2k. It seems MS made it so you can't recover a child domain without connectivity to the root. That kinda stinks. I can understand losing some functionality but still being up and running. However, to make it impossible to get up at all without the root FSMO DC is, I think, something that needs to be addressed. In MS's mind, all their DR whitepapers assume you either lost a DC or 2 and want to recover them OR you lost the entire forest. They really don't address losing a child domain. AD is supposed to be an enterprise directory where most enterprises span the globe and have multiple sister corps or corps they've merged with or acquired. These corps have their own domains and IT depts. If one corp goes down, in MS's implementation, this corp has to get in touch with the IT dept of the root, be allowed high access to the forest OR have someone from that other IT dept free enough to come down for security reasons and log in himself as Enterprise Admin. Also some physical connectivity is implied...

All in the middle of a disaster OR just to test and practice for said disaster. That's asking for a lot of any large company. MS should know how unrealistic this is more than anyone. My pointless two cents.

Thanks for reading and replying before.

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]]
Sent: Thu 3/25/2004 10:20 AM
To: '[EMAIL PROTECTED]'
Cc:
Subject: RE: [ActiveDir] disaster recovery

Just out of curiosity, why did you deploy a forest root structure? Why didn't you go with a single domain structure? Otherwise, who manages the schema without the root? Who manages the domain naming master in your environment (both are at the root, right?) Who handles your time sync? Who holds the Enterprise Administrator permissions?

From: http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/support/adrecov.mspx

"Important: Backup data from a DC can only be used to restore that DC. You cannot use a backup of one DC to restore another. To have your environment completely backed up, you would need to have a backup of every domain controller. This should be kept in mind while developing your backup strategy. The minimum requirement should be to backup all the OM role holders and GCs. Also the first domain controller in the root domain s
RE: [ActiveDir] disaster recovery
Restarting Netlogon or registerdns does not work. Where is this copy of the root zone in my DNS server? I don't think I have it by default. I had to transfer it on my DNS server back home. Also, if I had it, wouldn't creating an AD-integrated DNS server on my test DC also have it? Finally, when DCs replicate, do they look each other up in a GC? I never had any GC SRV records in my local domain zone, only in the root. Is this normal?

Thanks for your reply

-----Original Message-----
From: Anderson Santos Patricio [mailto:[EMAIL PROTECTED]]
Sent: Wed 3/24/2004 2:16 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] disaster recovery

Hi Tom,

All records in the AD zones can be recovered with two commands: restart the Netlogon service, or run ipconfig /registerdns, and all workstations will update their records in DNS, or DHCP will. In Windows 2000 it is interesting to have a secondary zone of your root on your local DNS server; in Windows 2003 you can set the DNS zone to forest level, and then this zone is replicated to all domain controllers in the forest.

Thanks in advance.

Anderson Patricio - Support Analyst
[EMAIL PROTECTED]
Microsoft Certified Systems Engineer on 2003/2000
Microsoft Certified Systems Administrator on 2003/2000
Red Hat Certified Technician

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Wednesday, 24 March 2004 16:03
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

I also get an "all GCs are down" error. GC records are just registered in the root domain, I assume. I only have a DNS for my domain. Also dcdiag output says "the server is not responding to directory service requests" though it holds a copy of AD. How can I get around this? Do I need a copy of the root DNS zone? How can I get this? Can I export it to a text file and import it into my DNS server? Can I somehow pull it from the config container in AD without being connected to the root of the tree? Is this the cause of my woes? It would be insane on MS's part to demand connectivity to the root of the forest when restoring or doing DR on AD. What did I screw up?

Thanks again for any help

-----Original Message-----
From: Kern, Tom
Sent: Wed 3/24/2004 1:34 PM
To: [EMAIL PROTECTED]
Cc:
Subject: [ActiveDir] disaster recovery

I just restored AD. I had a test laptop, pulled it off the network, ran ntdsutil, seized all 3 roles, ran metadata cleanup and removed all my old DCs. Deleted them with adsiedit and all DNS records as well. Then at the DR site, I set up new servers with the same names as the old ones and ran dcpromo. However, the new servers get DNS lookup/RPC errors when I try to force a replication. Also, they fail a dcdiag because the GUID DNS name is not present and the server "fails a directory request". Also the SRV records for Kerberos and kpasswd do not appear in DNS for my domain.

The test laptop had an AD-integrated DNS zone pulled directly from my real network. However, it just has the zone for my domain, not the forest root. Do I need this record as well to promote DCs? I'm not connected to the forest anyway, but should I have the forest root records too? What am I doing wrong?

Thanks
RE: [ActiveDir] disaster recovery
Are your zones set for Dynamic Updates = YES???

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Wednesday, 24 March 2004 16:47
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

Restarting Netlogon or registerdns does not work. Where is this copy of the root zone in my DNS server? I don't think I have it by default. I had to transfer it on my DNS server back home. Also, if I had it, wouldn't creating an AD-integrated DNS server on my test DC also have it? Finally, when DCs replicate, do they look each other up in a GC? I never had any GC SRV records in my local domain zone, only in the root. Is this normal?

Thanks for your reply

-----Original Message-----
From: Anderson Santos Patricio [mailto:[EMAIL PROTECTED]]
Sent: Wed 3/24/2004 2:16 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] disaster recovery

Hi Tom,

All records in the AD zones can be recovered with two commands: restart the Netlogon service, or run ipconfig /registerdns, and all workstations will update their records in DNS, or DHCP will. In Windows 2000 it is interesting to have a secondary zone of your root on your local DNS server; in Windows 2003 you can set the DNS zone to forest level, and then this zone is replicated to all domain controllers in the forest.

Thanks in advance.

Anderson Patricio - Support Analyst
[EMAIL PROTECTED]
Microsoft Certified Systems Engineer on 2003/2000
Microsoft Certified Systems Administrator on 2003/2000
Red Hat Certified Technician

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Wednesday, 24 March 2004 16:03
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

I also get an "all GCs are down" error. GC records are just registered in the root domain, I assume. I only have a DNS for my domain. Also dcdiag output says "the server is not responding to directory service requests" though it holds a copy of AD. How can I get around this? Do I need a copy of the root DNS zone? How can I get this? Can I export it to a text file and import it into my DNS server? Can I somehow pull it from the config container in AD without being connected to the root of the tree? Is this the cause of my woes? It would be insane on MS's part to demand connectivity to the root of the forest when restoring or doing DR on AD. What did I screw up?

Thanks again for any help

-----Original Message-----
From: Kern, Tom
Sent: Wed 3/24/2004 1:34 PM
To: [EMAIL PROTECTED]
Cc:
Subject: [ActiveDir] disaster recovery

I just restored AD. I had a test laptop, pulled it off the network, ran ntdsutil, seized all 3 roles, ran metadata cleanup and removed all my old DCs. Deleted them with adsiedit and all DNS records as well. Then at the DR site, I set up new servers with the same names as the old ones and ran dcpromo. However, the new servers get DNS lookup/RPC errors when I try to force a replication. Also, they fail a dcdiag because the GUID DNS name is not present and the server "fails a directory request". Also the SRV records for Kerberos and kpasswd do not appear in DNS for my domain.

The test laptop had an AD-integrated DNS zone pulled directly from my real network. However, it just has the zone for my domain, not the forest root. Do I need this record as well to promote DCs? I'm not connected to the forest anyway, but should I have the forest root records too? What am I doing wrong?

Thanks
RE: [ActiveDir] disaster recovery
Yes. A quick question: can one restore an entire child domain without connectivity to the root domain?

-----Original Message-----
From: Anderson Santos Patricio [mailto:[EMAIL PROTECTED]]
Sent: Wed 3/24/2004 2:58 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] disaster recovery

Are your zones set for Dynamic Updates = YES???

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Wednesday, 24 March 2004 16:47
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

Restarting Netlogon or registerdns does not work. Where is this copy of the root zone in my DNS server? I don't think I have it by default. I had to transfer it on my DNS server back home. Also, if I had it, wouldn't creating an AD-integrated DNS server on my test DC also have it? Finally, when DCs replicate, do they look each other up in a GC? I never had any GC SRV records in my local domain zone, only in the root. Is this normal?

Thanks for your reply

-----Original Message-----
From: Anderson Santos Patricio [mailto:[EMAIL PROTECTED]]
Sent: Wed 3/24/2004 2:16 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] disaster recovery

Hi Tom,

All records in the AD zones can be recovered with two commands: restart the Netlogon service, or run ipconfig /registerdns, and all workstations will update their records in DNS, or DHCP will. In Windows 2000 it is interesting to have a secondary zone of your root on your local DNS server; in Windows 2003 you can set the DNS zone to forest level, and then this zone is replicated to all domain controllers in the forest.

Thanks in advance.

Anderson Patricio - Support Analyst
[EMAIL PROTECTED]
Microsoft Certified Systems Engineer on 2003/2000
Microsoft Certified Systems Administrator on 2003/2000
Red Hat Certified Technician

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Wednesday, 24 March 2004 16:03
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

I also get an "all GCs are down" error. GC records are just registered in the root domain, I assume. I only have a DNS for my domain. Also dcdiag output says "the server is not responding to directory service requests" though it holds a copy of AD. How can I get around this? Do I need a copy of the root DNS zone? How can I get this? Can I export it to a text file and import it into my DNS server? Can I somehow pull it from the config container in AD without being connected to the root of the tree? Is this the cause of my woes? It would be insane on MS's part to demand connectivity to the root of the forest when restoring or doing DR on AD. What did I screw up?

Thanks again for any help

-----Original Message-----
From: Kern, Tom
Sent: Wed 3/24/2004 1:34 PM
To: [EMAIL PROTECTED]
Cc:
Subject: [ActiveDir] disaster recovery

I just restored AD. I had a test laptop, pulled it off the network, ran ntdsutil, seized all 3 roles, ran metadata cleanup and removed all my old DCs. Deleted them with adsiedit and all DNS records as well. Then at the DR site, I set up new servers with the same names as the old ones and ran dcpromo. However, the new servers get DNS lookup/RPC errors when I try to force a replication. Also, they fail a dcdiag because the GUID DNS name is not present and the server "fails a directory request". Also the SRV records for Kerberos and kpasswd do not appear in DNS for my domain.

The test laptop had an AD-integrated DNS zone pulled directly from my real network. However, it just has the zone for my domain, not the forest root. Do I need this record as well to promote DCs? I'm not connected to the forest anyway
RE: [ActiveDir] disaster recovery
No, you need the root domain as it holds some of the roles etc. In order for this to work, you need to restore the root domain as well. I've found that doing this with a virtual server is sometimes easier, but that just saves on hardware requirements.

Al

From: Kern, Tom [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 24, 2004 3:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

Yes. A quick question: can one restore an entire child domain without connectivity to the root domain?

-----Original Message-----
From: Anderson Santos Patricio [mailto:[EMAIL PROTECTED]]
Sent: Wed 3/24/2004 2:58 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] disaster recovery

Are your zones set for Dynamic Updates = YES???

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Wednesday, 24 March 2004 16:47
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

Restarting Netlogon or registerdns does not work. Where is this copy of the root zone in my DNS server? I don't think I have it by default. I had to transfer it on my DNS server back home. Also, if I had it, wouldn't creating an AD-integrated DNS server on my test DC also have it? Finally, when DCs replicate, do they look each other up in a GC? I never had any GC SRV records in my local domain zone, only in the root. Is this normal?

Thanks for your reply

-----Original Message-----
From: Anderson Santos Patricio [mailto:[EMAIL PROTECTED]]
Sent: Wed 3/24/2004 2:16 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] disaster recovery

Hi Tom,

All records in the AD zones can be recovered with two commands: restart the Netlogon service, or run ipconfig /registerdns, and all workstations will update their records in DNS, or DHCP will. In Windows 2000 it is interesting to have a secondary zone of your root on your local DNS server; in Windows 2003 you can set the DNS zone to forest level, and then this zone is replicated to all domain controllers in the forest.

Thanks in advance.

Anderson Patricio - Support Analyst
[EMAIL PROTECTED]
Microsoft Certified Systems Engineer on 2003/2000
Microsoft Certified Systems Administrator on 2003/2000
Red Hat Certified Technician

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Wednesday, 24 March 2004 16:03
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

I also get an "all GCs are down" error. GC records are just registered in the root domain, I assume. I only have a DNS for my domain. Also dcdiag output says "the server is not responding to directory service requests" though it holds a copy of AD. How can I get around this? Do I need a copy of the root DNS zone? How can I get this? Can I export it to a text file and import it into my DNS server? Can I somehow pull it from the config container in AD without being connected to the root of the tree? Is this the cause of my woes? It would be insane on MS's part to demand connectivity to the root of the forest when restoring or doing DR on AD. What did I screw up?

Thanks again for any help

-----Original Message-----
From: Kern, Tom
Sent: Wed 3/24/2004 1:34 PM
To: [EMAIL PROTECTED]
Cc:
Subject: [ActiveDir] disaster recovery

I just restored AD. I had a test laptop, pulled it off the network, ran ntdsutil, seized all 3 roles, ran metadata cleanup and removed all my old DCs. Deleted them with adsiedit and all DNS records as well. Then at the DR site, I set up new servers with the same names as the old ones and ran dcpromo. However, the new servers get DNS lookup/RPC errors when I try to force a replication. Also, they fail a dcdiag because the GUID DNS name is not present and the server "fails a directory request". Also the SRV records for Kerberos and kpasswd do not appear in DNS for my domain.

The test laptop had an AD-integrated DNS zone pulled directly from my real network. However, it just has the zone for my domain, not the forest root. Do I need this record as well to promote DCs? I'm not connected to the forest anyway, but should I have the forest root records too? What am I doing wrong?

Thanks
RE: [ActiveDir] disaster recovery
I don't need the schema or domain naming roles to restore my domain. I have all the other roles. Yet it still has issues with finding a GC or replicating within a domain. Why? This is a fundamental design flaw of AD. It boggles the mind. If in a real disaster or even a test, MS expects you to have connectivity to your root domain wherever it may be (on the other side of the world) AND access to that domain's Admin passwords or accounts OR Enterprise Admin just to get up and running, then they are clearly not living in this world. AD was meant for the enterprise where a corp could have offices and domains all over the world. If in the event of disaster we have to worry about ISDN or T1 lines to the root and overcome all the politics of different IT depts and security to beg for the enterprise password (even just for a simple test) JUST to get functional (not add or delete domains or modify the schema), then I'm ready to ditch AD for NDS or something more realistic.

What other reason could I have to connect to the root? What other secrets does it hold aside from the 2 roles? Does anyone know? Why doesn't MS tell you these things in their DR documentation? Is it so obvious? Why is connectivity to the root never mentioned as key? Am I the idiot? I'm willing to accept that, but what else does the root DC hold in terms of AD functionality?

Thank you for all your help so far.

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]]
Sent: Wed 3/24/2004 4:28 PM
To: '[EMAIL PROTECTED]'
Cc:
Subject: RE: [ActiveDir] disaster recovery

No, you need the root domain as it holds some of the roles etc. In order for this to work, you need to restore the root domain as well. I've found that doing this with a virtual server is sometimes easier, but that just saves on hardware requirements.

Al

From: Kern, Tom [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 24, 2004 3:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

Yes. A quick question: can one restore an entire child domain without connectivity to the root domain?

-----Original Message-----
From: Anderson Santos Patricio [mailto:[EMAIL PROTECTED]]
Sent: Wed 3/24/2004 2:58 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] disaster recovery

Are your zones set for Dynamic Updates = YES???

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Wednesday, 24 March 2004 16:47
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

Restarting Netlogon or registerdns does not work. Where is this copy of the root zone in my DNS server? I don't think I have it by default. I had to transfer it on my DNS server back home. Also, if I had it, wouldn't creating an AD-integrated DNS server on my test DC also have it? Finally, when DCs replicate, do they look each other up in a GC? I never had any GC SRV records in my local domain zone, only in the root. Is this normal?

Thanks for your reply

-----Original Message-----
From: Anderson Santos Patricio [mailto:[EMAIL PROTECTED]]
Sent: Wed 3/24/2004 2:16 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] disaster recovery

Hi Tom,

All records in the AD zones can be recovered with two commands: restart the Netlogon service, or run ipconfig /registerdns, and all workstations will update their records in DNS, or DHCP will. In Windows 2000 it is interesting to have a secondary zone of your root on your local DNS server; in Windows 2003 you can set the DNS zone to forest level, and then this zone is replicated to all domain controllers in the forest.

Thanks in advance.

Anderson Patricio - Support Analyst
[EMAIL PROTECTED]
Microsoft Certified Systems Engineer on 2003/2000
Microsoft Certified
RE: [ActiveDir] Disaster Recovery Test
Is the DC used for other things that you'd like to recover on the server? If not, I would definitely chime in with Al's suggestion: don't restore it (if another DC is available); instead install a new OS and re-promote it.

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 25 February 2004 19:41
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Disaster Recovery Test

Why would you want to restore a DC in a domain that already has a working DC? That seems like a waste of time and a big risk for the most part unless there's a specific scenario that made you want to go that route. Is AD integrated? If not, did you backup/restore the domain zone file? Why restore the DNS zone file if you have a working one? Why not transfer it? I know, I'm full of questions, but I'm trying to understand the scenario. :)

-----Original Message-----
From: Jennifer Fountain [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 25, 2004 12:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery Test

It's on the same box and it's running. I do have multiple DCs in my domain and I am only restoring this one. I assume this is the problem?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of deji Agba
Sent: Wednesday, February 25, 2004 11:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery Test

So, where's the DNS server for domain.net?

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Jennifer Fountain
Sent: Wed 2/25/2004 8:35 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Disaster Recovery Test

Hi Guys/Gals

I have hit a road block on my disaster recovery test on my test box. Here is what I have done:

1. Install Windows 2000
2. Install latest Service Pack
5. Restore C, D and system state while in Normal mode. Deselect boot.ini, ntldr and ntdetect.com before restoring.
6. BEFORE YOU REBOOT, DO THE FOLLOWING:
   * Remove any NIC drivers
   * Remove any Video drivers
7. Reboot into Directory Services Repair Mode
8. Log in as the Directory Service Repair userid
9. At a command prompt, type NTDSUTIL and then press ENTER.
10. Type AUTHORITATIVE RESTORE and then press ENTER.
11. Type RESTORE DATABASE, press ENTER, click OK, and then click Yes.
12. Reboot and confirm the restore was successful.

When I boot, I cannot access the DNS for my local zone. I have 4 zones, domain.net, domain1.net etc. I can nslookup all the other domains but not domain.net, which is the main AD domain (when I look at system properties, I do see the domain as domain.net). Any thoughts on what I did wrong? This is different hardware, I did not install DNS prior and I did not create the AD infrastructure prior to reinstalling.

Kind Regards,
Jennifer Fountain
3400 E. Walnut Street
Colmar, PA 18915

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
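Both threads come down to which DNS zone holds which DC locator records: the DSA GUID name and GC records that Tom Kern's restored child-domain DCs cannot find live under _msdcs in the forest root zone, not in the child zone his laptop carried, and Jennifer Fountain's restored DC likewise needs its domain.net records reachable before dcdiag and replication will pass. The following Python is an added example, not code from the list or from Microsoft: it lists the records Netlogon registers for a DC, assigns each to its zone, and reports what a constructed child-only zone dump lacks; the domain names, GUIDs and dump format are assumptions for the example.

```python
# Added example (not from the thread): which DNS locator records a restored DC
# registers, which zone holds each, and which are missing from a zone dump.
# Domain names, GUIDs and the dump format below are constructed, not real.
from __future__ import annotations

FOREST = "corp.example"                                 # assumed forest root
DOMAIN = "child.corp.example"                           # assumed child domain
DC_HOST = "dc1.child.corp.example"                      # assumed restored DC
DSA_GUID = "11111111-2222-3333-4444-555555555555"       # constructed NTDS GUID
DOMAIN_GUID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"    # constructed domain GUID

def required_records(domain: str, forest: str, dsa_guid: str, domain_guid: str,
                     is_gc: bool, is_pdc: bool) -> dict[str, str]:
    """Owner name -> record type for the records Netlogon registers for a DC.
    Site-specific (_sites) variants are omitted to keep the list short."""
    recs = {
        # Registered in the DC's own domain zone.
        f"_ldap._tcp.{domain}": "SRV",
        f"_ldap._tcp.dc._msdcs.{domain}": "SRV",
        f"_kerberos._tcp.{domain}": "SRV",
        f"_kerberos._udp.{domain}": "SRV",
        f"_kerberos._tcp.dc._msdcs.{domain}": "SRV",
        f"_kpasswd._tcp.{domain}": "SRV",
        f"_kpasswd._udp.{domain}": "SRV",
        # Registered under _msdcs.<forest root>: replication partners resolve a
        # DC through its DSA GUID CNAME, and the domain GUID SRV record lives here.
        f"{dsa_guid}._msdcs.{forest}": "CNAME",
        f"_ldap._tcp.{domain_guid}.domains._msdcs.{forest}": "SRV",
    }
    if is_pdc:
        recs[f"_ldap._tcp.pdc._msdcs.{domain}"] = "SRV"
    if is_gc:
        # Global catalog records are always registered under the forest root.
        recs[f"_gc._tcp.{forest}"] = "SRV"
        recs[f"_ldap._tcp.gc._msdcs.{forest}"] = "SRV"
    return recs

def zone_of(owner: str, zones: list[str]) -> str | None:
    """Longest zone name in `zones` that contains `owner`, or None."""
    best = None
    for zone in zones:
        if owner == zone or owner.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best

def parse_zone_dump(text: str) -> set[tuple[str, str]]:
    """Parse a constructed 'owner TYPE rdata' dump into (owner, type) pairs."""
    present = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, rtype, _rdata = line.split(None, 2)
        present.add((owner.rstrip(".").lower(), rtype.upper()))
    return present

def missing_by_zone(required: dict[str, str], present: set[tuple[str, str]],
                    zones: list[str]) -> dict[str, list[str]]:
    """Required records absent from `present`, grouped by the zone they belong in."""
    missing: dict[str, list[str]] = {}
    for owner, rtype in required.items():
        if (owner.lower(), rtype) not in present:
            zone = zone_of(owner, zones) or "<no zone>"
            missing.setdefault(zone, []).append(f"{owner} {rtype}")
    for entries in missing.values():
        entries.sort()
    return missing

# Constructed dump: only the child domain zone, as carried on the DR laptop.
CHILD_ZONE_ONLY = f"""\
; child domain zone (constructed)
_ldap._tcp.{DOMAIN}.                SRV 0 100 389 {DC_HOST}.
_ldap._tcp.dc._msdcs.{DOMAIN}.      SRV 0 100 389 {DC_HOST}.
_ldap._tcp.pdc._msdcs.{DOMAIN}.     SRV 0 100 389 {DC_HOST}.
_kerberos._tcp.{DOMAIN}.            SRV 0 100 88 {DC_HOST}.
_kerberos._udp.{DOMAIN}.            SRV 0 100 88 {DC_HOST}.
_kerberos._tcp.dc._msdcs.{DOMAIN}.  SRV 0 100 88 {DC_HOST}.
_kpasswd._tcp.{DOMAIN}.             SRV 0 100 464 {DC_HOST}.
_kpasswd._udp.{DOMAIN}.             SRV 0 100 464 {DC_HOST}.
"""

# Constructed dump: the forest root zone entries the same DC also depends on.
FOREST_ROOT_PART = f"""\
; forest root zone (constructed)
_gc._tcp.{FOREST}.                                 SRV 0 100 3268 {DC_HOST}.
_ldap._tcp.gc._msdcs.{FOREST}.                     SRV 0 100 3268 {DC_HOST}.
_ldap._tcp.{DOMAIN_GUID}.domains._msdcs.{FOREST}.  SRV 0 100 389 {DC_HOST}.
{DSA_GUID}._msdcs.{FOREST}.                        CNAME {DC_HOST}.
"""

def check_restored_dc(dump: str) -> dict[str, list[str]]:
    """What a GC + PDC emulator DC of DOMAIN still cannot find in `dump`."""
    required = required_records(DOMAIN, FOREST, DSA_GUID, DOMAIN_GUID,
                                is_gc=True, is_pdc=True)
    return missing_by_zone(required, parse_zone_dump(dump), [DOMAIN, FOREST])

if __name__ == "__main__":
    # With only the child zone, every missing record sits in the forest root.
    for zone, entries in check_restored_dc(CHILD_ZONE_ONLY).items():
        print(f"missing in {zone}: " + ", ".join(entries))
```

Run against the child-only dump, every missing record is reported under the forest root zone, which is exactly the zone a child-domain-only restore does not carry; append the forest root part and the report is empty.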
RE: [ActiveDir] Disaster Recovery Test
And I will chain into Guido's response with - don't put anything else on a DC. Here is yet another reason if security and stability of your company wasn't enough. :o)

Sorry, been working a lot; just happened to see this as I was popping through my email folders and it was a quick response from the podium I could send. :oP

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Friday, February 27, 2004 9:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery Test

Is the DC used for other things that you'd like to recover on the server? If not, I would definitely chime in with Al's suggestion: don't restore it (if another DC is available); instead install a new OS and re-promote it.

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 25 February 2004 19:41
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Disaster Recovery Test

Why would you want to restore a DC in a domain that already has a working DC? That seems like a waste of time and a big risk for the most part unless there's a specific scenario that made you want to go that route. Is AD integrated? If not, did you backup/restore the domain zone file? Why restore the DNS zone file if you have a working one? Why not transfer it? I know, I'm full of questions, but I'm trying to understand the scenario. :)

-----Original Message-----
From: Jennifer Fountain [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 25, 2004 12:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery Test

It's on the same box and it's running. I do have multiple DCs in my domain and I am only restoring this one. I assume this is the problem?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of deji Agba
Sent: Wednesday, February 25, 2004 11:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery Test

So, where's the DNS server for domain.net?

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Jennifer Fountain
Sent: Wed 2/25/2004 8:35 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Disaster Recovery Test

Hi Guys/Gals

I have hit a road block on my disaster recovery test on my test box. Here is what I have done:

1. Install Windows 2000
2. Install latest Service Pack
5. Restore C, D and system state while in Normal mode. Deselect boot.ini, ntldr and ntdetect.com before restoring.
6. BEFORE YOU REBOOT, DO THE FOLLOWING:
   * Remove any NIC drivers
   * Remove any Video drivers
7. Reboot into Directory Services Repair Mode
8. Log in as the Directory Service Repair userid
9. At a command prompt, type NTDSUTIL and then press ENTER.
10. Type AUTHORITATIVE RESTORE and then press ENTER.
11. Type RESTORE DATABASE, press ENTER, click OK, and then click Yes.
12. Reboot and confirm the restore was successful.

When I boot, I cannot access the DNS for my local zone. I have 4 zones, domain.net, domain1.net etc. I can nslookup all the other domains but not domain.net, which is the main AD domain (when I look at system properties, I do see the domain as domain.net). Any thoughts on what I did wrong? This is different hardware, I did not install DNS prior and I did not create the AD infrastructure prior to reinstalling.

Kind Regards,
Jennifer Fountain
3400 E. Walnut Street
Colmar, PA 18915
RE: [ActiveDir] Disaster Recovery Test
The server is our bridgehead - FSMO master for the network. We are here at SunGard trying to restore a critical server in case of a fire. When I restore my bridge (I have 5 other DCs at my remote locations and they are not here), I get those errors in the log. No other server is available so I can repromote it. I have told my bosses this but they want to perform as if our WAN is down. Any thoughts? Is this possible to restore the server without the others online?

Thanks
Jennifer

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Friday, February 27, 2004 9:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery Test

Is the DC used for other things that you'd like to recover on the server? If not, I would definitely chime into Al's suggestions = don't restore it (if another DC is available), instead install a new OS and re-promote it.
RE: [ActiveDir] Disaster Recovery Test
The machine is only a DC. Nothing else (well, DNS server - Active Directory integrated).

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Friday, February 27, 2004 9:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery Test

And I will chain into Guido's response with - don't put anything else on a DC. Here is yet another reason, if security and stability of your company wasn't enough. :o)

Sorry, been working a lot; just happened to see this as I was popping through my email folders and it was a quick response from the podium I could send. :oP

-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)
RE: [ActiveDir] Disaster Recovery Test
Jennifer-

We've done these drills and after a few bumpy starts, it's not a big deal anymore. You will likely have to do a metadata cleanup to remove references to the other (unavailable) DCs, unless you plan to restore them as well.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;216498

We haven't seen the DNS issue that you're hitting. After you restore the DC, can you see the DNS zone for your AD namespace in the DNS snap-in? Is it there but empty? Dynamic updates enabled? Is the restored DC pointing to itself for DNS, and are the IP addresses correct?

Hunter
RE: [ActiveDir] Disaster Recovery Test
Thanks for all the information. We got it working!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ken Cornetet
Sent: Friday, February 27, 2004 2:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery Test

Bingo! DNS isn't coming up until SYSVOL comes up, and SYSVOL isn't coming up until AD contacts its replication partners. Solution, as per Mr. Coleman's note, is to remove references to the other non-restored DCs. This is tedious for more than a few DCs, but straightforward (the guy that wrote ntdsutil MUST have been a COBOL programmer).
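An added check for the cleanup step Hunter and Ken describe (example code, not from the thread or any of its authors): it lists every DC reference the restored copy of the Configuration partition still carries, marks the ones that cannot be reached, and answers Hunter's question about whether the restored DC points to itself for DNS. It assumes Windows PowerShell 2.0 or later running on the restored DC in a normal boot; the function names are my own.

```powershell
# Added example, not code from the thread. Read-only inventory for an isolated
# DR-lab DC: which DC references in the Configuration partition are stale
# (candidates for ntdsutil metadata cleanup, KB 216498) and whether the
# restored DC points at itself for DNS. Assumes Windows PowerShell 2.0+ on the
# restored DC; $Dc may also name another restored DC reachable over LDAP.

function Get-DcReferences {
    param([string]$Dc = $env:COMPUTERNAME)

    # Every DC in the forest has an nTDSDSA ("NTDS Settings") object at
    # CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,<configNC>.
    # A restored DC still lists all of them, including DCs that no longer exist.
    $rootDse  = [ADSI]"LDAP://$Dc/RootDSE"
    $configNc = [string]$rootDse.configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$Dc/CN=Sites,$configNc"
    $searcher.Filter     = '(objectClass=nTDSDSA)'
    $searcher.PageSize   = 500
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    foreach ($hit in $searcher.FindAll()) {
        $ntdsDn = [string]$hit.Properties['distinguishedname'][0]
        if ($ntdsDn -match '^CN=NTDS Settings,CN=([^,]+),CN=Servers,CN=([^,]+),CN=Sites,') {
            $serverCn = $Matches[1]
            $site     = $Matches[2]
            # The parent server object carries the DC's DNS name.
            $serverDn = $ntdsDn -replace '^CN=NTDS Settings,', ''
            $dnsName  = [string]([ADSI]"LDAP://$Dc/$serverDn").dNSHostName
            $isSelf   = ($serverCn -ieq $Dc) -or ($dnsName -and (($dnsName -split '\.')[0] -ieq $Dc))
            # ICMP is only a hint: in the lab the other DCs are simply absent.
            $reachable = $isSelf
            if (-not $reachable -and $dnsName) {
                $reachable = Test-Connection -ComputerName $dnsName -Count 1 -Quiet -ErrorAction SilentlyContinue
            }
            New-Object PSObject -Property @{
                Site = $site; Server = $serverCn; DnsName = $dnsName
                IsRestoredDc = $isSelf; Reachable = [bool]$reachable; NtdsSettingsDn = $ntdsDn
            }
        }
    }
}

function Test-DnsSelfReference {
    # Hunter's question: does the restored DC point to itself for DNS? On a
    # lone DC hosting the AD-integrated zone, any other DNS server address
    # will not resolve the domain once the original DNS servers are gone.
    $nics       = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE')
    $ownIps     = @($nics | ForEach-Object { $_.IPAddress } | Where-Object { $_ })
    $dnsServers = @($nics | ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ })
    $self = @($dnsServers | Where-Object { ($ownIps -contains $_) -or ($_ -eq '127.0.0.1') })
    New-Object PSObject -Property @{
        OwnIPs = $ownIps; DnsServers = $dnsServers; PointsToSelf = ($self.Count -gt 0)
    }
}

# Report. Nothing is modified; the stale list is the input to ntdsutil's
# "metadata cleanup" (select operation target -> domain, site, server ->
# remove selected server). Run that only in the isolated lab copy: removing
# a DC that is merely offline in production orphans it.
$refs  = @(Get-DcReferences)
$stale = @($refs | Where-Object { -not $_.Reachable })
"DC references found: $($refs.Count); unreachable (metadata cleanup candidates): $($stale.Count)"
$stale | Sort-Object Site, Server | Format-Table Site, Server, DnsName -AutoSize

$dns = Test-DnsSelfReference
"Restored DC IPs: $($dns.OwnIPs -join ', ')"
"DNS servers configured: $($dns.DnsServers -join ', ')"
if (-not $dns.PointsToSelf) {
    "WARNING: the restored DC does not list itself as a DNS server; the AD zone will not resolve."
}
```

After metadata cleanup, the AD-integrated zone still holds the NS and SRV records the removed DCs registered; those need removing by hand as well.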
RE: [ActiveDir] Disaster Recovery Test
So, where's the DNS server for domain.net?

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Jennifer Fountain
Sent: Wed 2/25/2004 8:35 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Disaster Recovery Test

Hi Guys/Gals

I have hit a road block on my disaster recovery test on my test box. Here is what I have done:

1. Install Windows 2000
2. Install latest Service Pack
5. Restore C, D and system state while in "Normal" mode. Deselect boot.ini, ntldr and ntdetect.com before restoring.
6. BEFORE YOU REBOOT, DO THE FOLLOWING:
   * Remove any NIC drivers
   * Remove any Video drivers
7. Reboot into Directory Services Repair Mode
8. Log in as the Directory Service Repair userid
9. At a command prompt, type "NTDSUTIL" and then press ENTER.
10. Type "AUTHORITATIVE RESTORE" and then press ENTER.
11. Type "RESTORE DATABASE", press ENTER, click OK, and then click Yes.
12. Reboot and confirm the restore was successful.

When I boot, I cannot access the DNS for my local zone. I have 4 zones, domain.net, domain1.net etc. I can nslookup all the other domains but not the domain.net which is the "main" AD domain (when I look at system properties, I do see the domain as domain.net). Any thoughts on what I did wrong? This is different hardware, I did not install DNS prior and I did not create the AD infrastructure prior to reinstalling.

Kind Regards,
Jennifer Fountain
3400 E. Walnut Street
Colmar, PA 18915
RE: [ActiveDir] Disaster Recovery Test
It's on the same box and it's running. I do have multiple DCs in my domain and I am only restoring this one. I assume this is the problem?
RE: [ActiveDir] Disaster Recovery Test
Why would you want to restore a DC in a domain that already has a working DC? That seems like a waste of time and a big risk for the most part unless there's a specific scenario that made you want to go that route.

Is AD integrated? If not, did you backup/restore the domain zone file? Why restore the DNS zone file if you have a working one? Why not transfer it?

I know, I'm full of questions, but I'm trying to understand the scenario. :)
Re: [ActiveDir] Disaster Recovery
Hello,

Please log on again in DSRM mode or use something like the Winternals sysadmin pack to check the event log. Maybe networking is off due to different hardware or SYSVOL/RID problems.

Fons

-- Original Message --
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Wed, 4 Feb 2004 08:13:25 -0600

We're having an issue testing our disaster recovery plan. We backed up our FSMO role holding domain controller including system state, DNS, DHCP - all services that were on the box. We then restored it onto a server in our lab (in DSRestore mode and off the production network), and it restored OK, but it won't let us log into the domain - it's saying the domain isn't available (even though it's a domain controller we're trying to log into!) Any ideas?
RE: [ActiveDir] Disaster Recovery
I would be really curious to know what, if any, traffic was being sent from that box across the network. I do agree that a domain admin should be able to log on without the GC.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jorge de Almeida Pinto
Sent: Thursday, February 05, 2004 11:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery

It should be possible to log on locally as a domain admin without needing a GC. Without DNS it should also be possible, although it's very slow.

Jorge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Thursday, February 05, 2004 02:55
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery

More likely the missing GC than DNS, when you're local on the box. So disabling the requirement for needing a GC may be worthwhile for your situation as an interim solution.

/Guido

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 4 February 2004 17:20
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Disaster Recovery

What does the DNS info look like? In other words, is the machine pointing to itself for DNS resolution or another machine? If the DC is not configured as a GC you will not be able to log in unless you are using a domain admin account, or have implemented the registry hack to disable the GC login requirement.

Tony

-- Original Message --
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Wed, 4 Feb 2004 08:13:25 -0600

We're having an issue testing our disaster recovery plan. We backed up our FSMO role holding domain controller including system state, DNS, DHCP - all services that were on the box. We then restored it onto a server in our lab (in DSRestore mode and off the production network), and it restored OK, but it won't let us log into the domain - it's saying the domain isn't available (even though it's a domain controller we're trying to log into!) Any ideas?

~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
RE: [ActiveDir] Disaster Recovery
Sorry for my ignorance, but how do you disable the requirement for needing a GC? We're still struggling with this process of restoring a DC.

Thanks,
Russ
RE: [ActiveDir] Disaster Recovery
Assuming you're W2K: http://support.microsoft.com/default.aspx?scid=kb;[LN];241789 Tony -- Original Message -- From: Rimmerman, Russ [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Thu, 5 Feb 2004 08:25:35 -0600 Sorry for my ignorance, but how do you disable the requirement for needing a GC? We're still struggling with this process of restoring a DC. Thanks, Russ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1) Sent: Wednesday, February 04, 2004 7:55 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Disaster Recovery more likely the missing GC, than DNS, when you're local on the box. So disabling the requirement for needing a GC may be worthwhile for your situation as an interims solution. /Guido -Original Message- From: Tony Murray [mailto:[EMAIL PROTECTED] Sent: Mittwoch, 4. Februar 2004 17:20 To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Disaster Recovery What does the DNS info look like? In other words, is the machine pointing to itself for DNS resolution or another machine? If the DC is not configured as a GC you will not be able to log in unless you are using a domain admin account, or have implemented the registry hack to disable GC login requirement. Tony -- Original Message -- Wrom: HJYFMYXOEAIJJPHSCRTNHGSWZIDREXCAXZOWCONEUQZAAFXI Reply-To: [EMAIL PROTECTED] Date: Wed, 4 Feb 2004 08:13:25 -0600 We're having an issue testing our disaster recovery plan. We backed up our FSMO role holding domain controller including system state, dns, dhcp - all services that were on the box. We then restored it onto a server in our lab (in DSRestore mode and off the production network), and it restored OK, but it won't let us log into the domain - it's saying the domain isn't available (even though it's a domain controller we're trying to log into!) Any ideas? 
RE: [ActiveDir] Disaster Recovery
Hi Russ,

Check out the following:
Q216970: Global Catalog Server Requirement for User and Computer Logon
Q241789: How to Disable the Requirement that a Global Catalog Server Be Available to Validate User Logons

Regards,
Jorge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Thursday, February 05, 2004 15:26
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Disaster Recovery

Sorry for my ignorance, but how do you disable the requirement for needing a GC? We're still struggling with this process of restoring a DC.

Thanks,
Russ

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Wednesday, February 04, 2004 7:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery

More likely the missing GC than DNS, when you're local on the box. So disabling the requirement for needing a GC may be worthwhile for your situation as an interim solution.

/Guido

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 4 February 2004 17:20
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Disaster Recovery

What does the DNS info look like? In other words, is the machine pointing to itself for DNS resolution or another machine? If the DC is not configured as a GC you will not be able to log in unless you are using a domain admin account, or have implemented the registry hack to disable the GC login requirement.

Tony

-- Original Message --
From: HJYFMYXOEAIJJPHSCRTNHGSWZIDREXCAXZOWCONEUQZAAFXI
Reply-To: [EMAIL PROTECTED]
Date: Wed, 4 Feb 2004 08:13:25 -0600

We're having an issue testing our disaster recovery plan. We backed up our FSMO role holding domain controller including system state, DNS, DHCP - all services that were on the box. We then restored it onto a server in our lab (in DSRestore mode and off the production network), and it restored OK, but it won't let us log into the domain - it's saying the domain isn't available (even though it's a domain controller we're trying to log into!). Any ideas?

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
RE: [ActiveDir] Disaster Recovery
It should be possible to log on locally as a domain admin without needing a GC. Without DNS it should also be possible, although it's very slow.

Jorge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Thursday, February 05, 2004 02:55
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery

More likely the missing GC than DNS, when you're local on the box. So disabling the requirement for needing a GC may be worthwhile for your situation as an interim solution.

/Guido

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 4 February 2004 17:20
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Disaster Recovery

What does the DNS info look like? In other words, is the machine pointing to itself for DNS resolution or another machine? If the DC is not configured as a GC you will not be able to log in unless you are using a domain admin account, or have implemented the registry hack to disable the GC login requirement.

Tony

-- Original Message --
From: HJYFMYXOEAIJJPHSCRTNHGSWZIDREXCAXZOWCONEUQZAAFXI
Reply-To: [EMAIL PROTECTED]
Date: Wed, 4 Feb 2004 08:13:25 -0600

We're having an issue testing our disaster recovery plan. We backed up our FSMO role holding domain controller including system state, DNS, DHCP - all services that were on the box. We then restored it onto a server in our lab (in DSRestore mode and off the production network), and it restored OK, but it won't let us log into the domain - it's saying the domain isn't available (even though it's a domain controller we're trying to log into!). Any ideas?
Re: [ActiveDir] Disaster Recovery
What does the DNS info look like? In other words, is the machine pointing to itself for DNS resolution or another machine? If the DC is not configured as a GC you will not be able to log in unless you are using a domain admin account, or have implemented the registry hack to disable the GC login requirement.

Tony

-- Original Message --
From: HJYFMYXOEAIJJPHSCRTNHGSWZIDREXCAXZOWCONEUQZAAFXI
Reply-To: [EMAIL PROTECTED]
Date: Wed, 4 Feb 2004 08:13:25 -0600

We're having an issue testing our disaster recovery plan. We backed up our FSMO role holding domain controller including system state, DNS, DHCP - all services that were on the box. We then restored it onto a server in our lab (in DSRestore mode and off the production network), and it restored OK, but it won't let us log into the domain - it's saying the domain isn't available (even though it's a domain controller we're trying to log into!). Any ideas?
RE: [ActiveDir] Disaster Recovery
More likely the missing GC than DNS, when you're local on the box. So disabling the requirement for needing a GC may be worthwhile for your situation as an interim solution.

/Guido

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 4 February 2004 17:20
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Disaster Recovery

What does the DNS info look like? In other words, is the machine pointing to itself for DNS resolution or another machine? If the DC is not configured as a GC you will not be able to log in unless you are using a domain admin account, or have implemented the registry hack to disable the GC login requirement.

Tony

-- Original Message --
From: HJYFMYXOEAIJJPHSCRTNHGSWZIDREXCAXZOWCONEUQZAAFXI
Reply-To: [EMAIL PROTECTED]
Date: Wed, 4 Feb 2004 08:13:25 -0600

We're having an issue testing our disaster recovery plan. We backed up our FSMO role holding domain controller including system state, DNS, DHCP - all services that were on the box. We then restored it onto a server in our lab (in DSRestore mode and off the production network), and it restored OK, but it won't let us log into the domain - it's saying the domain isn't available (even though it's a domain controller we're trying to log into!). Any ideas?
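Added example, not from any of the posters in this thread: a PowerShell triage script for a DC restored into an isolated lab that rejects domain logons, checking the two causes raised above (DNS not pointing at itself, and the global catalog requirement covered by Q216970/Q241789). It assumes a current Windows Server with the ActiveDirectory, NetTCPIP and DnsClient modules, run locally on the restored DC after a normal boot rather than in Directory Services Restore Mode; the function names are my own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Triage for a DC restored into an isolated
# lab that refuses domain logons. Assumes Windows Server with the ActiveDirectory,
# NetTCPIP and DnsClient modules, run locally on the DC after a normal (not DSRM) boot.
Import-Module ActiveDirectory

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'   # key used by Q241789

function Test-DnsPointsToSelf {
    # Tony's first question: which DNS servers does this box use, and is one of
    # them itself? A restored DC in an isolated lab normally has to be its own DNS.
    $own = Get-NetIPAddress -AddressFamily IPv4 |
           Select-Object -ExpandProperty IPAddress
    $servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
               Select-Object -ExpandProperty ServerAddresses | Sort-Object -Unique
    [pscustomobject]@{
        DnsServers   = $servers
        PointsToSelf = [bool]($servers | Where-Object { $_ -in $own })
    }
}

function Test-GlobalCatalog {
    # Q216970: without a reachable GC, ordinary user logons fail and only domain
    # admins get in, which matches the symptom the original poster describes.
    $dc = Get-ADDomainController -Identity $env:COMPUTERNAME
    [pscustomobject]@{ HostName = $dc.HostName; IsGlobalCatalog = $dc.IsGlobalCatalog }
}

function Get-IgnoreGCFailures {
    # Q241789 setting: IgnoreGCFailures = 1 (REG_DWORD) under the Lsa key.
    # Returns 0 when the value is absent, which is the default behaviour.
    $v = Get-ItemProperty -Path $LsaKey -Name IgnoreGCFailures -ErrorAction SilentlyContinue
    if ($null -eq $v) { 0 } else { [int]$v.IgnoreGCFailures }
}

function Set-IgnoreGCFailures {
    # Interim lab measure only, as Guido says. While this is 1, universal group
    # memberships are not evaluated at logon, so any access control that relies
    # on universal groups (including denies) is not enforced correctly. Reset to 0
    # once a GC is available; the change takes effect after a restart.
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    Set-ItemProperty -Path $LsaKey -Name IgnoreGCFailures -Value $Value -Type DWord
    Get-IgnoreGCFailures
}

# Report the three things to look at before changing anything.
Test-DnsPointsToSelf | Format-List
Test-GlobalCatalog   | Format-List
"IgnoreGCFailures currently = $(Get-IgnoreGCFailures)"
```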
RE: [ActiveDir] Disaster recovery scenario comments requested.
That was my major concern too Hunter. Although we have not seen this in the lab, I am wondering in a more complex environment (like production) if the beast will rear its ugly head then. That would be bad, very bad.

Btw, thanks to all of you for the comments and scenario recommendations. Much appreciated!

Dave

-Original Message-
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 10:40 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Disaster recovery scenario comments requested.

My biggest concern in this case is that you end up with an offline backup of the AD database, so you could be happily backing up a database with page-level corruption. Running a couple of virtual DCs on different physical hardware should minimize the risk of -1018 errors, though. Has anyone seen low level corruption of an ntds.dit database?

Hunter

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 9:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster recovery scenario comments requested.

Actually VMWare or more likely Virtual Server are what we are *starting* to look at for a DR system. Basically the idea is to have a couple of nice sized physical servers running multiple virtual servers that are domain controllers for all domains in the forest. Every night one of the P-Servers shuts down all of the Virtuals and copies off the disk images to some other location for backup to tape. The next night the other P-Server does it. The beauty of this solution is that physical hardware becomes a lot less important for your DR site or your test lab (yes you could bring these images back up in a *segregated* test lab for testing of your production AD and data...). You simply load up your server and then install your virtualization software and then fire up your images and you are off to the races...

We actually just got the hardware in for this, which we will use to develop the solution against the test environment and then once comfortable with it will go prod with it. Personally I think this is about the most flexible and safe DR solution you can have. I am not one for restoring AD from system state dumps.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chianese, David P.
Sent: Friday, August 08, 2003 7:04 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Disaster recovery scenario comments requested.

That would obviously kill the ghost image idea. I do however like the laptop and more graceful way of transferring roles at the DR site. I think I hear the chimes of VMWare ESX Server calling. Thanks for the feedback Don. I see another idea in my head now too. Alas, it's Friday and I'm late for Happy Hour.

-Dave

-Original Message-
From: Don Guyer [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 5:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster recovery scenario comments requested.

David,

We use similar methodology for our DR tests, by keeping a laptop running as a DC on our live network, then transferring FSMO roles at the DR site. This has worked flawlessly for us. We are now looking to be able to restore our AD environment to a totally different server. Problem is, when we do DR testing we usually get Compaq hardware, whereas we are a Dell shop here.

Don Guyer
IS Dept
Citadel FCU
Ph: 610.380.7072
Fax: 610.380.7008
[EMAIL PROTECTED]

-Original Message-
From: Chianese, David P. [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 1:17 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Disaster recovery scenario comments requested.

All,

I want to run this DR situation by the group and see if anyone else can identify any gotchas in the process. We are currently testing out a DR scenario that involves off-site domain controllers at a recovery center. During normal operations the DR DCs are linked to our network via VPN and fractional T1 line in order for replication to occur. When we declare a DR test or go into a live DR situation where one of our sites becomes unavailable for an extended period of time due to an outage, network issue or terrorist incident (remember 9/11?) we bring the DR site up, seize the PDC emulator role (to add workstations, accounts and perform other urgent replication) and let our clients continue operations in all of our remote locations with little interruption of service.

Now, here is the hard part. When DR is over we disconnect the DR DC from the wire and delpart.exe (format/fdisk for NTFS) all of the partitions. The site that was down is then restored and the PDC emulator role is back to its original state. We then take the DR DC and apply a ghosted image of the server as it was when it was first dcpromo'd and let it catch up on replication. This so far has worked flawlessly in the lab. We avoid doing the metadata cleanup of the server since nothing has really changed on the DR DC
RE: [ActiveDir] Disaster recovery scenario comments requested.
Don-

We're in the same spot, with production DCs running on Dell and DR hardware often being Compaq. We've found that KB810161 (http://support.microsoft.com/default.aspx?scid=kb;en-us;810161) has been important to successfully accomplishing the restores. Recently, we've also found building the Compaq boxes with a SmartStart CD, instead of using an OS CD + specific drivers, to be much less painful. The IBM boxes that we've done test restores to have been less picky.

Hunter

-Original Message-
From: Don Guyer [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 3:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster recovery scenario comments requested.

David,

We use similar methodology for our DR tests, by keeping a laptop running as a DC on our live network, then transferring FSMO roles at the DR site. This has worked flawlessly for us. We are now looking to be able to restore our AD environment to a totally different server. Problem is, when we do DR testing we usually get Compaq hardware, whereas we are a Dell shop here.

Don Guyer
IS Dept
Citadel FCU
Ph: 610.380.7072
Fax: 610.380.7008
[EMAIL PROTECTED]

-Original Message-
From: Chianese, David P. [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 1:17 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Disaster recovery scenario comments requested.

All,

I want to run this DR situation by the group and see if anyone else can identify any gotchas in the process. We are currently testing out a DR scenario that involves off-site domain controllers at a recovery center. During normal operations the DR DCs are linked to our network via VPN and fractional T1 line in order for replication to occur. When we declare a DR test or go into a live DR situation where one of our sites becomes unavailable for an extended period of time due to an outage, network issue or terrorist incident (remember 9/11?) we bring the DR site up, seize the PDC emulator role (to add workstations, accounts and perform other urgent replication) and let our clients continue operations in all of our remote locations with little interruption of service.

Now, here is the hard part. When DR is over we disconnect the DR DC from the wire and delpart.exe (format/fdisk for NTFS) all of the partitions. The site that was down is then restored and the PDC emulator role is back to its original state. We then take the DR DC and apply a ghosted image of the server as it was when it was first dcpromo'd and let it catch up on replication. This so far has worked flawlessly in the lab. We avoid doing the metadata cleanup of the server since nothing has really changed on the DR DC as it was re-imaged previous to the PDC emulator role seizure. Our lab environment is a fraction of the capacity of our Production and not as complex. Can anyone see any problems arising down the road by doing a DR process like this?

The other option planned is to already have the workstations and DR environments created in a separate OU so that in a DR situation we just need to let the site that is disconnected stay disconnected and then catch up on replication when it comes back. This is my preferred method of how to handle our DR woes, but unfortunately we are not there yet. I am only looking for feedback or you to play devil's advocate on the above situation we currently have in place. Thank you in advance for your comments.

Regards,
David Chianese
Senior Engineer IT - Server Services
Delaware Investments *Powered By Research
A Member of the Lincoln Financial Group

This e-mail and any accompanying attachments are confidential. The information is intended solely for the use of the individual to whom it is addressed. Any review, disclosure, copying, distribution, or use of this e-mail communication by others is strictly prohibited. If you are not the intended recipient, please notify us immediately by returning this message to the sender and delete all copies. Thank you for your cooperation.
RE: [ActiveDir] Disaster recovery scenario comments requested.
Jan,

Do you know if they have published a paper or some detail on this process? Naturally, I'm interested in what they are proposing. Currently, their full-fledged technical document is slated for March 2004, which, IMHO, is way too late.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jan Wilson
Sent: Sunday, August 10, 2003 10:56 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Disaster recovery scenario comments requested.

Just as an aside here - MS of course displayed their VM server at Tech Ed - one nice idea was DR for Exchange 2003 - you would basically generate a new email server in minutes on a VM - users are then back online and you then begin to backfill their email from tape.
Re: [ActiveDir] Disaster recovery scenario comments requested.
Just as an aside here - MS of course displayed their VM server at Tech Ed - one nice idea was DR for Exchange 2003 - you would basically generate a new email server in minutes on a VM - users are then back online and you then begin to backfill their email from tape.
RE: [ActiveDir] Disaster recovery scenario comments requested.
David,

We use similar methodology for our DR tests, by keeping a laptop running as a DC on our live network, then transferring FSMO roles at the DR site. This has worked flawlessly for us. We are now looking to be able to restore our AD environment to a totally different server. Problem is, when we do DR testing we usually get Compaq hardware, whereas we are a Dell shop here.

Don Guyer
IS Dept
Citadel FCU
Ph: 610.380.7072
Fax: 610.380.7008
[EMAIL PROTECTED]

-Original Message-
From: Chianese, David P. [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 1:17 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Disaster recovery scenario comments requested.

All,

I want to run this DR situation by the group and see if anyone else can identify any gotchas in the process. We are currently testing out a DR scenario that involves off-site domain controllers at a recovery center. During normal operations the DR DCs are linked to our network via VPN and fractional T1 line in order for replication to occur. When we declare a DR test or go into a live DR situation where one of our sites becomes unavailable for an extended period of time due to an outage, network issue or terrorist incident (remember 9/11?) we bring the DR site up, seize the PDC emulator role (to add workstations, accounts and perform other urgent replication) and let our clients continue operations in all of our remote locations with little interruption of service.

Now, here is the hard part. When DR is over we disconnect the DR DC from the wire and delpart.exe (format/fdisk for NTFS) all of the partitions. The site that was down is then restored and the PDC emulator role is back to its original state. We then take the DR DC and apply a ghosted image of the server as it was when it was first dcpromo'd and let it catch up on replication. This so far has worked flawlessly in the lab. We avoid doing the metadata cleanup of the server since nothing has really changed on the DR DC as it was re-imaged previous to the PDC emulator role seizure. Our lab environment is a fraction of the capacity of our Production and not as complex. Can anyone see any problems arising down the road by doing a DR process like this?

The other option planned is to already have the workstations and DR environments created in a separate OU so that in a DR situation we just need to let the site that is disconnected stay disconnected and then catch up on replication when it comes back. This is my preferred method of how to handle our DR woes, but unfortunately we are not there yet. I am only looking for feedback or you to play devil's advocate on the above situation we currently have in place. Thank you in advance for your comments.

Regards,
David Chianese
Senior Engineer IT - Server Services
Delaware Investments *Powered By Research
A Member of the Lincoln Financial Group
RE: [ActiveDir] Disaster recovery scenario comments requested.
My biggest concern in this case is that you end up with an offline backup of the AD database, so you could be happily backing up a database with page-level corruption. Running a couple of virtual DCs on different physical hardware should minimize the risk of -1018 errors, though. Has anyone seen low level corruption of an ntds.dit database?

Hunter

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 9:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster recovery scenario comments requested.

Actually VMWare or more likely Virtual Server are what we are *starting* to look at for a DR system. Basically the idea is to have a couple of nice sized physical servers running multiple virtual servers that are domain controllers for all domains in the forest. Every night one of the P-Servers shuts down all of the Virtuals and copies off the disk images to some other location for backup to tape. The next night the other P-Server does it. The beauty of this solution is that physical hardware becomes a lot less important for your DR site or your test lab (yes you could bring these images back up in a *segregated* test lab for testing of your production AD and data...). You simply load up your server and then install your virtualization software and then fire up your images and you are off to the races...

We actually just got the hardware in for this, which we will use to develop the solution against the test environment and then once comfortable with it will go prod with it. Personally I think this is about the most flexible and safe DR solution you can have. I am not one for restoring AD from system state dumps.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chianese, David P.
Sent: Friday, August 08, 2003 7:04 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Disaster recovery scenario comments requested.

That would obviously kill the ghost image idea. I do however like the laptop and more graceful way of transferring roles at the DR site. I think I hear the chimes of VMWare ESX Server calling. Thanks for the feedback Don. I see another idea in my head now too. Alas, it's Friday and I'm late for Happy Hour.

-Dave

-Original Message-
From: Don Guyer [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 5:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster recovery scenario comments requested.

David,

We use similar methodology for our DR tests, by keeping a laptop running as a DC on our live network, then transferring FSMO roles at the DR site. This has worked flawlessly for us. We are now looking to be able to restore our AD environment to a totally different server. Problem is, when we do DR testing we usually get Compaq hardware, whereas we are a Dell shop here.

Don Guyer
IS Dept
Citadel FCU
Ph: 610.380.7072
Fax: 610.380.7008
[EMAIL PROTECTED]

-Original Message-
From: Chianese, David P. [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 1:17 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Disaster recovery scenario comments requested.

All,

I want to run this DR situation by the group and see if anyone else can identify any gotchas in the process. We are currently testing out a DR scenario that involves off-site domain controllers at a recovery center. During normal operations the DR DCs are linked to our network via VPN and fractional T1 line in order for replication to occur. When we declare a DR test or go into a live DR situation where one of our sites becomes unavailable for an extended period of time due to an outage, network issue or terrorist incident (remember 9/11?) we bring the DR site up, seize the PDC emulator role (to add workstations, accounts and perform other urgent replication) and let our clients continue operations in all of our remote locations with little interruption of service.

Now, here is the hard part. When DR is over we disconnect the DR DC from the wire and delpart.exe (format/fdisk for NTFS) all of the partitions. The site that was down is then restored and the PDC emulator role is back to its original state. We then take the DR DC and apply a ghosted image of the server as it was when it was first dcpromo'd and let it catch up on replication. This so far has worked flawlessly in the lab. We avoid doing the metadata cleanup of the server since nothing has really changed on the DR DC as it was re-imaged previous to the PDC emulator role seizure. Our lab environment is a fraction of the capacity of our Production and not as complex. Can anyone see any problems arising down the road by doing a DR process like this?

The other option planned is to already have the workstations and DR environments created in a separate OU so that in a DR situation we just need to let the site that is disconnected stay disconnected and then catch up on replication when it comes back. This is my preferred method of how to handle
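Added example, not from any of the posters in this thread: a PowerShell check for Hunter's concern, run against the ntds.dit files copied out of the nightly VM disk images in Joe's scheme before they go to tape, so that a database with page-level corruption is not silently kept as the backup of record. It assumes the images have already been mounted or the database files copied to a folder, that Windows' esentutl.exe is on the path, and that the folder path and function names are hypothetical.

```powershell
# Added example (not from the thread). Checksum the offline ntds.dit copies taken
# from last night's VM disk images before they are sent to tape, so a database
# with page-level corruption (the -1018 case Hunter raises) is not kept as the
# backup of record. Assumes the images are mounted or the files copied to a folder
# and that esentutl.exe (ships with Windows) is on the path. Path is hypothetical.
param([string]$BackupRoot = 'D:\DRImages\last-night')

function Test-NtdsChecksum {
    param([Parameter(Mandatory)][string]$DitPath)
    # esentutl /k is ESE checksum mode: it reads every page of the database and
    # verifies its checksum, the same check that raises -1018 on a live DC.
    # The VMs are shut down cleanly before the copy, so the file is consistent.
    $log = & esentutl.exe /k $DitPath 2>&1
    [pscustomobject]@{
        Database = $DitPath
        ExitCode = $LASTEXITCODE
        Passed   = ($LASTEXITCODE -eq 0)
        Tail     = (($log | Select-Object -Last 3) -join ' ').Trim()
    }
}

function Test-BackupSet {
    param([Parameter(Mandatory)][string]$Root)
    $dits = Get-ChildItem -Path $Root -Recurse -Filter 'ntds.dit' -File
    if (-not $dits) { throw "No ntds.dit found under $Root; was the image mounted?" }
    foreach ($f in $dits) { Test-NtdsChecksum -DitPath $f.FullName }
}

$results = @(Test-BackupSet -Root $BackupRoot)
$results | Format-Table Database, ExitCode, Passed -AutoSize
$bad = @($results | Where-Object { -not $_.Passed })
if ($bad.Count -gt 0) {
    # Fail the job loudly: a set that fails checksum must not replace the last
    # good generation on tape. Keep more than one generation for the same reason;
    # alternating the two physical hosts, as Joe does, gives two independent sets.
    $bad | ForEach-Object { Write-Warning "Checksum failed: $($_.Database) ($($_.Tail))" }
    exit 1
}
"All $($results.Count) database file(s) passed checksum."
```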
RE: [ActiveDir] Disaster recovery scenario comments requested.
That would obviously kill the ghost image idea. I do however like the laptop and more graceful way of transferring roles at the DR site. I think I hear the chimes of VMware ESX Server calling. Thanks for the feedback Don. I see another idea in my head now too. Alas, it's Friday and I'm late for Happy Hour.

-Dave

-Original Message-
From: Don Guyer [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 08, 2003 5:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster recovery scenario comments requested.

David,

We use similar methodology for our DR tests, by keeping a laptop running as a DC on our live network, then transferring FSMO roles at the DR site. This has worked flawlessly for us. We are now looking to be able to restore our AD environment to a totally different server. Problem is, when we do DR testing we usually get Compaq hardware, whereas we are a Dell shop here.

Don Guyer
IS Dept
Citadel FCU
Ph: 610.380.7072
Fax: 610.380.7008
[EMAIL PROTECTED]

-Original Message-
From: Chianese, David P. [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 08, 2003 1:17 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Disaster recovery scenario comments requested.

All,

I want to run this DR situation by the group and see if anyone else can identify any gotchas in the process. We are currently testing out a DR scenario that involves off-site domain controllers at a recovery center. During normal operations the DR DCs are linked to our network via VPN and fractional T1 line in order for replication to occur. When we declare a DR test or go into a live DR situation where one of our sites becomes unavailable for an extended period of time due to an outage, network issue or terrorist incident (remember 9/11?), we bring the DR site up, seize the PDC emulator role (to add workstations, accounts and perform other urgent replication) and let our clients continue operations in all of our remote locations with little interruption of service.

Now, here is the hard part. When DR is over we disconnect the DR DC from the wire and delpart.exe (format/fdisk for NTFS) all of the partitions. The site that was down is then restored and the PDC emulator role is back to its original state. We then take the DR DC and apply a ghosted image of the server as it was when it was first dcpromo'd and let it catch up on replication. This so far has worked flawlessly in the lab. We avoid doing the metadata cleanup of the server since nothing has really changed on the DR DC as it was re-imaged previous to the PDC emulator role seizure. Our lab environment is a fraction of the capacity of our production and not as complex. Can anyone see any problems arising down the road by doing a DR process like this?

The other option planned is to already have the workstations and DR environments created in a separate OU so that in a DR situation we just need to let the site that is disconnected stay disconnected and then catch up on replication when it comes back. This is my preferred method of how to handle our DR woes, but unfortunately we are not there yet. I am only looking for feedback or for you to play devil's advocate on the above situation we currently have in place. Thank you in advance for your comments.

Regards,
David Chianese
Senior Engineer IT - Server Services
Delaware Investments
*Powered By Research
A Member of the Lincoln Financial Group

This e-mail and any accompanying attachments are confidential. The information is intended solely for the use of the individual to whom it is addressed. Any review, disclosure, copying, distribution, or use of this e-mail communication by others is strictly prohibited. If you are not the intended recipient, please notify us immediately by returning this message to the sender and delete all copies. Thank you for your cooperation.
List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
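The seize-the-PDC-emulator-then-re-image procedure in David's message, and the graceful role transfer Don describes, as an added PowerShell example (not code from any poster on this list). It transfers the PDC emulator while the current holder still answers LDAP and seizes only when it does not, and after the exercise it checks the DC that was put back from a disk image for the things that bite this process: USN rollback (an image keeps the DC's old invocationID, so partners that already saw higher USNs from it ignore its new writes; Windows Server 2003 SP1 and later detect this, log Directory Service events 2095/2103, set 'DSA Not Writable' = 4 and stop NETLOGON), an image older than the tombstone lifetime (refused by partners) or older than the 30-day default machine-account password age (stale secret, replication authentication fails), and partners still failing inbound replication. The DC names drdc01/hqdc01, the image date, the RSAT ActiveDirectory module and DCs new enough to answer it and Get-WinEvent are assumptions.

```powershell
# Added example for this thread (not code from any poster). Assumes the RSAT
# ActiveDirectory module and hypothetical DC names drdc01 (DR site) / hqdc01.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Record all five role holders before the exercise so the end state can be
    # diffed against it rather than assumed. $Server = which DC to ask.
    param([Parameter(Mandatory)] [string] $Server)
    $f = Get-ADForest -Server $Server
    $d = Get-ADDomain -Server $Server
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

function Move-PdcEmulator {
    # Graceful transfer when the current holder is reachable; seizure only when
    # it is not. Seizing a role that is still live leaves two DCs each believing
    # they hold it until replication sorts it out.
    param(
        [Parameter(Mandatory)] [string] $Target,   # DC that should hold the role
        [Parameter(Mandatory)] [string] $Server,   # DC to issue the change against
        [switch] $Seize
    )
    $current = (Get-ADDomain -Server $Server).PDCEmulator
    $reachable = $true
    try   { $null = Get-ADDomainController -Identity $current -Server $current -ErrorAction Stop }
    catch { $reachable = $false }
    if ($Seize -and $reachable)           { throw "$current still answers LDAP; transfer instead of seizing." }
    if (-not $Seize -and -not $reachable) { throw "$current is unreachable; a graceful transfer cannot complete." }
    # -Force turns the transfer into a seizure.
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole PDCEmulator `
        -Server $Server -Force:$Seize -Confirm:$false
    (Get-ADDomain -Server $Server).PDCEmulator
}

function Test-DcReturn {
    # Run after a re-imaged DC has been reconnected and given time to replicate.
    param(
        [Parameter(Mandatory)] [string]   $DC,
        [Parameter(Mandatory)] [datetime] $ImageDate   # when the disk image was taken
    )
    $problems = @()
    # 1. USN rollback: a DC restored from an image keeps its old invocationID, so
    #    partners discard its writes. NTDS (2003 SP1+) logs 2095/2103 on the
    #    restored DC, sets 'DSA Not Writable' = 4 and stops NETLOGON.
    $ev = Get-WinEvent -ComputerName $DC -FilterHashtable @{LogName='Directory Service'; Id=2095,2103} `
          -MaxEvents 5 -ErrorAction SilentlyContinue
    if ($ev) { $problems += "USN rollback detected on ${DC}: event(s) $(($ev.Id | Sort-Object -Unique) -join ',')" }
    $nw = Invoke-Command -ComputerName $DC -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Not Writable'
    }
    if ($nw -eq 4) { $problems += "$DC is marked 'DSA Not Writable' (unsupported restore detected)" }
    # 2. Image age vs tombstone lifetime (unset attribute = 60-day default) and
    #    vs the 30-day default machine-account password age.
    $cfg = (Get-ADRootDSE -Server $DC).configurationNamingContext
    $tsl = (Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Server $DC `
            -Properties tombstoneLifetime).tombstoneLifetime
    if (-not $tsl) { $tsl = 60 }
    $ageDays = (New-TimeSpan -Start $ImageDate -End (Get-Date)).Days
    if ($ageDays -ge $tsl)   { $problems += "image is $ageDays days old, tombstone lifetime is $tsl days; do not reconnect, rebuild instead" }
    elseif ($ageDays -ge 30) { $problems += "image is $ageDays days old; machine-account password is likely stale (netdom resetpwd)" }
    # 3. Inbound replication must actually be succeeding, not just "no error yet".
    foreach ($m in Get-ADReplicationPartnerMetadata -Target $DC -Partition * -ErrorAction SilentlyContinue) {
        if ($m.ConsecutiveReplicationFailures -gt 0) {
            $problems += "$DC <- $($m.PartnerAddress) [$($m.Partition)]: result $($m.LastReplicationResult), $($m.ConsecutiveReplicationFailures) consecutive failures"
        }
    }
    [pscustomobject]@{ DC = $DC; Healthy = ($problems.Count -eq 0); Problems = $problems }
}

# Usage, DR declared and hqdc01 gone (hypothetical names):
#   $before = Get-FsmoHolders -Server drdc01
#   Move-PdcEmulator -Target drdc01 -Server drdc01 -Seize
# Usage, DR over, hqdc01 back, drdc01 re-imaged and reconnected:
#   Move-PdcEmulator -Target hqdc01 -Server hqdc01
#   Test-DcReturn -DC drdc01 -ImageDate '2003-07-01'
#   Compare-Object $before (Get-FsmoHolders -Server hqdc01)
```

The point of Test-DcReturn is that "it caught up on replication in the lab" is not evidence: a DC that is silently ignored by its partners looks idle, not broken. If any of the three checks fires, the supported path is to demote or metadata-clean the DC and promote it fresh rather than let it sit on the wire.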
RE: [ActiveDir] Disaster recovery scenario comments requested.
Joe, David, all -

Interestingly, we've been looking at exactly the same thing. Due to our remote site environment and network infrastructure, we could use any remote as a DR site. Given this, there is some level of non-consistent hardware in the remote sites and we needed a solution that would allow a majority of core business resumption in the shortest time. VMware or some 'virtual server' technology clearly is at the forefront of our thoughts. It simply means that a quick install or startup of the services associated with the VM and the 'import', if you will, of the image created at a timely period CAN be the best possible recovery. At the worst, it will give you the needed time to recover systems that one might consider more traditional and would be used for on-going long term business. At the best, it might provide a model that could transform some systems to a different model, as the actual running of the systems for business resumption provides a 'trial-by-fire' proof that VM servers are viable alternatives for some functions. However, our testing continues - and it's interesting to hear the opinions and reactions of those who are confused by the fact that it is possible to run multiple servers on one physical machine.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joe
Sent: Friday, August 08, 2003 10:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster recovery scenario comments requested.

Actually VMware or more likely Virtual Server are what we are *starting* to look at for a DR system. Basically the idea is to have a couple of nice sized physical servers running multiple virtual servers that are domain controllers for all domains in the forest. Every night one of the P-Servers shuts down all of the virtuals and copies off the disk images to some other location for backup to tape. The next night the other P-Server does it. The beauty of this solution is that physical hardware becomes a lot less important for your DR site or your test lab (yes, you could bring these images back up in a *segregated* test lab for testing of your production AD and data...). You simply load up your server and then install your virtualization software and then fire up your images and you are off to the races... We actually just got the hardware in for this, which we will use to develop the solution against the test environment and then once comfortable with it will go prod with it. Personally I think this is about the most flexible and safe DR solution you can have. I am not one for restoring AD from system state dumps.

joe
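The nightly "shut the virtual DCs down, copy the disk images off, bring them back" job Joe describes, as an added PowerShell example (not code from any poster on this list). Hyper-V is assumed as a stand-in for the VMware / Virtual Server hosts under discussion, as are the VM names and the destination share. It refuses to image a DC that has checkpoints, insists on a clean guest shutdown rather than a power-off, locks down the destination before anything lands in it (each copy carries ntds.dit, that is every password hash in the domain), and writes a SHA-256 manifest so a restore or a segregated test lab can prove the image is the one that was taken.

```powershell
# Added example for this thread (not code from any poster). Assumes the
# Hyper-V module and hypothetical VM names / destination share.
Import-Module Hyper-V

function Backup-DcImage {
    param(
        [Parameter(Mandatory)] [string[]] $VMName,          # e.g. 'dc01','dc02'
        [Parameter(Mandatory)] [string]   $Destination,     # e.g. '\\backup01\dc-images'
        [int] $ShutdownTimeoutSec = 300
    )
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmm'
    $target = Join-Path $Destination $stamp
    New-Item -ItemType Directory -Path $target -Force | Out-Null
    # The copies contain ntds.dit (every password hash in the domain):
    # strip inherited ACEs and grant only Administrators and SYSTEM.
    icacls $target /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' | Out-Null

    $manifest = foreach ($name in $VMName) {
        $vm = Get-VM -Name $name -ErrorAction Stop
        # Checkpoints of a DC are the rollback hazard; do not copy a
        # differencing-disk chain, make the operator remove them first.
        if (Get-VMSnapshot -VMName $name) { throw "$name has checkpoints; remove them before imaging a DC." }
        # Clean guest shutdown via integration services, never TurnOff: a
        # crash-consistent copy of ntds.dit is no better than pulling the power.
        if ($vm.State -ne 'Off') {
            Stop-VM -Name $name -Confirm:$false
            $deadline = (Get-Date).AddSeconds($ShutdownTimeoutSec)
            while ((Get-VM -Name $name).State -ne 'Off') {
                if ((Get-Date) -gt $deadline) { throw "$name did not shut down cleanly within ${ShutdownTimeoutSec}s; not copying." }
                Start-Sleep -Seconds 5
            }
        }
        try {
            foreach ($disk in Get-VMHardDiskDrive -VMName $name) {
                $copy = Join-Path $target ('{0}_{1}' -f $name, (Split-Path $disk.Path -Leaf))
                Copy-Item -Path $disk.Path -Destination $copy
                [pscustomobject]@{
                    VM     = $name
                    Source = $disk.Path
                    Copy   = $copy
                    SHA256 = (Get-FileHash -Path $copy -Algorithm SHA256).Hash
                    Taken  = $stamp
                }
            }
        }
        finally {
            # Bring the DC back whether or not the copy succeeded.
            Start-VM -Name $name
        }
    }
    # Manifest lets a later restore verify the image was not altered in storage.
    $manifest | Export-Csv -Path (Join-Path $target 'manifest.csv') -NoTypeInformation
    $manifest
}

# Usage (hypothetical names), run from the host that holds the turn tonight:
#   Backup-DcImage -VMName 'dc01','dc02' -Destination '\\backup01\dc-images'
```

Two things the script deliberately does not do: it never brings an image up on the production network (that is exactly the re-image-and-catch-up problem from earlier in the thread, and an image that is older than the tombstone lifetime must be rebuilt, not reconnected), and it treats the copy target as sensitive as the DC itself, which is the part of "somebody's closet" offsite storage that tends to get overlooked.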
RE: [ActiveDir] Disaster recovery scenario comments requested.
Troubleshooting

Troubleshooting is more a tactical skill nowadays. It used to be an operations skill, but with so many functions that need to be managed, you can't rely on the same techs that plan and troubleshoot the technology to also maintain it. Something has to give. To be a good troubleshooter you need to know network, hardware, OS, and ultimately application troubleshooting. You have to know your own abilities, be willing to grow, think differently, research, test, and ultimately execute. Also you can't plan for things you can see. A good reporting package is a must. BindView Control has good reporting tools for both Exchange and also security. Aelita InTrust is also another good utility. Quest also has a pretty good tool for interactive troubleshooting called Spotlight. It is like perfmon on steroids. Also proactive monitoring is a must. MOM or NetIQ's AppManager are good tools to monitor your environment with. MOM is more event driven and can fire off resolutions. AppManager is more historic information gathering. It is basically good to tell you something broke, and then allows you to research the historic information.

Troubleshooting Exchange can be a challenge, because most of the problems come from the client side. You need to be able to collect data from a client perspective and the server's perspective, see what systems are in between and determine if it is a network bottleneck or a hardware bottleneck. Knowing the protocols, how they act, and how they act when there are problems, is a very important thing to understand. Also understanding quirks of the systems and software is good knowledge. Documentation and contacts are also valuable tools. I highly recommend that you look at Chris Wolf's newest book, Troubleshooting Microsoft Technologies, for further information. He is also working on a book for enterprise troubleshooting.

Conclusion

I have been in 7 disasters in my lifetime. I used to work at a hospital as an orderly; train wrecks, blizzards, and patients coding taught me that you have to work together in order to protect and heal people. In IT, I was a veteran of I Love You, several data disasters, 9/11 and most recently SQL Slammer. What is interesting is that SQL Slammer was actually the worst disaster I ran into, probably because it involved the most managers, and not a team. It got way too political. As you can see, DR for Exchange sometimes only shows you the tip of the iceberg. I hope my sharing this information with you all is helpful. Please tell me what you think, I am always open to critical review.

Toddler

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Sunday, August 10, 2003 12:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster recovery scenario comments requested.

Jan,

Do you know if they have published a paper or some detail on this process? Naturally, I'm interested in what they are proposing. Currently, their full-fledged technical document is slated for March 2004, which, IMHO, is way too late.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jan Wilson
Sent: Sunday, August 10, 2003 10:56 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Disaster recovery scenario comments requested.

Just as an aside here - MS of course displayed their VM server at TechEd - one nice idea was DR for Exchange 2003 - you would basically generate a new email server in minutes on a VM - users are then back online and you then begin to backfill their email from tape.