RE: [ActiveDir] Disaster Recovery

2006-03-22 Thread joe



Yeah absolutely. Right along with this is understanding how 
LONG it takes you to do it once you start which you get when you test and test 
often. That helps you decide at what point you need to have something fixed, 
start recovering, or realizing that you are now stomping on borrowed time that 
could be better used for recovery.


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, March 21, 2006 9:44 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Disaster Recovery

One additional comment that seems to have been missed, is that, like 
previously mentioned, you should carefully consider practicing your restores for 
the situations you've defined as warranting a disaster recovery. All of 
the other information about how to do it etc are great, but there's no 
substitute for doing it and making sure you have ALL of the components to put 
the environment back together. 

One fun example that illustrates this for me, should I forget for some 
strange reason, is a company that wanted to implement DR for a situation they 
were faced with. They never practiced and when it came time they drug out 
the other hardware, setup a hub for it (they didn't have a switch like in 
production - hint) and gathered the latest backup from the off-site storage 
facility (somebody's closet is my guess, but I digress). They put the DC back, 
then their email and everything seemed to work. Hooray, they were ready 
for business. Sure there were some issues along the way such as getting power, 
environmentals, network, hardware, etc. But through heroic efforts that 
was overcome and they managed to recover AD and Email. As they watched the 
counters, somebody asked, "how come there's no email coming in and why isn't 
anybody using it?" Answer? 1) Because nobody thought about WAN or ISP 
connectivity implications and 2) because the users had no equipment and no way 
to access this newly restored server. 

Moral? Practice well what you intend to do well and make sure your practice 
mimics a real scenario so you can work out such kinks before it's critical. 


-ajm
On 3/21/06, joe [EMAIL PROTECTED] wrote:

  
  One thing 
  you should try to shoot for is to be geographically disperse if possible. The 
  more critical AD is to you the more critical it is to have that in place 
  because cold restore of an entire forest is not something any but the 
  seriously demented AD Admins are looking to do. Even if this is a simple 
  laptop running a DC that you allow to replicate once a week and then take home 
  it is better than nothing. Just be careful with physical security of that 
  machine. 
  
  Virtualization is definitely a possible answer but make sure as Hunter 
  indicated that you really understand the implications for rollback. 
  
  
  
  
  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Amy Hunter
  Sent: Tuesday, March 21, 2006 10:34 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Disaster Recovery
  
  
  Hello there,
  
  I have a question regarding Active Directory disaster recovery. I was 
  just curious as to what steps you all take to protect your forest.
  
  
  An example is I back up my System State nightly and these tapes go off to 
  an offsite location. If my building and computer suite was to burn down, I 
  would need to rebuild my forest. 
  
  In this scenario I am assuming it would be easier to have identical 
  hardware to carry out a restore, I know you can restore to alternate hardware 
  but I hear bad things about this.
  
  The other thought is to have a DC built using virtual server and start 
  this DC once per month to replicate the latest copy of AD, then shutting it 
  down, saving a copy of the VHD and sending to an offsite location,
  
  That way it's not hardware dependent and just need to do a metadata 
  cleanup
  
  what do you all do?
  
  amy 
  
  
  
  
  
  
  


RE: [ActiveDir] Disaster Recovery

2006-03-21 Thread Ken Cornetet



I do a backup of the C: drive and system state using 
NTBACKUP to a file on an alternate DC, then I back up the whole DC (files and 
system state) using Legato Networker. Why the NTBACKUP? Just in 
case...

I've done a couple of hotsite test recoveries of our DCs 
(HP DL380G2) to various other HP server models, and even to Dells. I've never 
had a major problem doing this with server 2003 (windows 2000, on the other 
hand, seemed to always give me grief).

I have toyed with the idea of having a couple of DCs 
running on virtual servers. I'd create a perl script to nightly shut down the 
DCs, copy the virtual disk files, then bring the DCs back up. I want 
to do this not so much for the hardware independence, but rather for the speed 
of recovery. 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Amy Hunter
Sent: Tuesday, March 21, 2006 10:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Disaster Recovery

Hello there,

I have a question regarding Active Directory disaster recovery. I was just 
curious as to what steps you all take to protect your forest.


An example is I back up my System State nightly and these tapes go off to an 
offsite location. If my building and computer suite was to burn down, I would 
need to rebuild my forest. 

In this scenario I am assuming it would be easier to have identical 
hardware to carry out a restore, I know you can restore to alternate hardware 
but I hear bad things about this.

The other thought is to have a DC built using virtual server and start 
this DC once per month to replicate the latest copy of AD, then shutting it down, 
saving a copy of the VHD and sending to an offsite location,

That way it's not hardware dependent and just need to do a metadata 
cleanup

what do you all do?

amy 







RE: [ActiveDir] Disaster Recovery

2006-03-21 Thread Coleman, Hunter



Using virtual disk file backups or images for AD disaster 
recovery has USN-rollback perils that have been discussed several times here. 
It's worth a visit to the archives to check those out before staking your 
disaster recovery abilities on this strategy.

On the other hand, using AD-aware backups in conjunction 
with virtual servers *does* greatly simplify the hardware issues during a 
restore, and may be worth considering for that benefit 
alone.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, March 21, 2006 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disaster Recovery

I do a backup of the C: drive and system state using 
NTBACKUP to a file on an alternate DC, then I back up the whole DC (files and 
system state) using Legato Networker. Why the NTBACKUP? Just in 
case...

I've done a couple of hotsite test recoveries of our DCs 
(HP DL380G2) to various other HP server models, and even to Dells. I've never 
had a major problem doing this with server 2003 (windows 2000, on the other 
hand, seemed to always give me grief).

I have toyed with the idea of having a couple of DCs 
running on virtual servers. I'd create a perl script to nightly shut down the 
DCs, copy the virtual disk files, then bring the DCs back up. I want 
to do this not so much for the hardware independence, but rather for the speed 
of recovery. 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Amy Hunter
Sent: Tuesday, March 21, 2006 10:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Disaster Recovery

Hello there,

I have a question regarding Active Directory disaster recovery. I was just 
curious as to what steps you all take to protect your forest.


An example is I back up my System State nightly and these tapes go off to an 
offsite location. If my building and computer suite was to burn down, I would 
need to rebuild my forest. 

In this scenario I am assuming it would be easier to have identical 
hardware to carry out a restore, I know you can restore to alternate hardware 
but I hear bad things about this.

The other thought is to have a DC built using virtual server and start 
this DC once per month to replicate the latest copy of AD, then shutting it down, 
saving a copy of the VHD and sending to an offsite location,

That way it's not hardware dependent and just need to do a metadata 
cleanup

what do you all do?

amy 
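
A simplified model of the USN-rollback problem raised in the message above, as an added example that is not part of the original thread: a DC brought back from a copied disk image keeps its old database identity but an older USN counter, so a partner that already recorded a higher USN for that identity never asks for the new changes. The class and function names (`DomainController`, `Partner`, `image_restore`, `ad_aware_restore`) and the sample changes are hypothetical, and the model leaves out the filtering real replication does for updates a partner already holds.

```python
import copy
from dataclasses import dataclass, field


@dataclass
class DomainController:
    """Toy DC: one database instance (invocation_id) with a local USN counter."""
    name: str
    invocation_id: str
    usn: int = 0
    changes: list = field(default_factory=list)  # [(usn, description)]

    def write(self, description):
        """Commit a local change and stamp it with the next USN."""
        self.usn += 1
        self.changes.append((self.usn, description))
        return self.usn


class Partner:
    """Replication partner that remembers, per invocation ID,
    the highest USN it has already received from that database instance."""

    def __init__(self):
        self.high_water = {}

    def pull(self, source):
        """Request only changes above the recorded mark for this invocation ID."""
        mark = self.high_water.get(source.invocation_id, 0)
        new = [(u, d) for u, d in source.changes if u > mark]
        if new:
            self.high_water[source.invocation_id] = new[-1][0]
        return [d for _, d in new]


def image_restore(snapshot):
    """Disk-image restore: old USN counter, same invocation ID."""
    return copy.deepcopy(snapshot)


def ad_aware_restore(snapshot, new_invocation_id):
    """AD-aware restore: same data, but the database gets a new invocation ID,
    so partners treat it as a source they hold no mark for."""
    dc = copy.deepcopy(snapshot)
    dc.invocation_id = new_invocation_id
    return dc


def rollback_suspected(partner, dc):
    """A partner holding a higher USN than the DC's own counter for the same
    invocation ID means the DC's database went back in time."""
    return dc.usn < partner.high_water.get(dc.invocation_id, 0)


def run_scenario(aware):
    """Returns (rollback_suspected, post_restore_change_reached_partner)."""
    dc = DomainController("DC1", "inv-A")
    partner = Partner()
    # Constructed sample changes, USN 1..3, replicated to the partner.
    for d in ("create user alice", "create user bob", "add bob to group"):
        dc.write(d)
    partner.pull(dc)
    snapshot = copy.deepcopy(dc)          # disk copy taken at USN 3
    dc.write("create user carol")         # USN 4
    dc.write("reset password for bob")    # USN 5
    partner.pull(dc)                      # partner's mark for inv-A is now 5

    if aware:
        restored = ad_aware_restore(snapshot, "inv-B")
    else:
        restored = image_restore(snapshot)
    suspected = rollback_suspected(partner, restored)
    restored.write("create user erin")    # reuses USN 4
    delivered = partner.pull(restored)
    return suspected, "create user erin" in delivered


if __name__ == "__main__":
    print("image restore   :", run_scenario(aware=False))
    print("AD-aware restore:", run_scenario(aware=True))
```

In the image-restore run the new account is stamped with a USN the partner believes it already has, so it is never replicated and nothing reports an error.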







RE: [ActiveDir] Disaster Recovery

2006-03-21 Thread joe



One thing you should try to shoot for is to be 
geographically disperse if possible. The more critical AD is to you the more 
critical it is to have that in place because cold restore of an entire forest is 
not something any but the seriously demented AD Admins are looking to do. 
Even if this is a simple laptop running a DC that you allow to replicate once a 
week and then take home it is better than nothing. Just be careful with physical 
security of that machine. 

Virtualization is definitely a possible answer but make 
sure as Hunter indicated that you really understand the implications for 
rollback. 


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Amy Hunter
Sent: Tuesday, March 21, 2006 10:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Disaster Recovery

Hello there,

I have a question regarding Active Directory disaster recovery. I was just 
curious as to what steps you all take to protect your forest.


An example is I back up my System State nightly and these tapes go off to an 
offsite location. If my building and computer suite was to burn down, I would 
need to rebuild my forest. 

In this scenario I am assuming it would be easier to have identical 
hardware to carry out a restore, I know you can restore to alternate hardware 
but I hear bad things about this.

The other thought is to have a DC built using virtual server and start 
this DC once per month to replicate the latest copy of AD, then shutting it down, 
saving a copy of the VHD and sending to an offsite location,

That way it's not hardware dependent and just need to do a metadata 
cleanup

what do you all do?

amy 







Re: [ActiveDir] Disaster Recovery

2006-03-21 Thread Al Mulnick
One additional comment that seems to have been missed, is that, like previously mentioned, you should carefully consider practicing your restores for the situations you've defined as warranting a disaster recovery. All of the other information about how to do it etc are great, but there's no substitute for doing it and making sure you have ALL of the components to put the environment back together. 


One fun example that illustrates this for me, should I forget for some strange reason, is a company that wanted to implement DR for a situation they were faced with. They never practiced and when it came time they drug out the other hardware, setup a hub for it (they didn't have a switch like in production - hint) and gathered the latest backup from the off-site storage facility (somebody's closet is my guess, but I digress). They put the DC back, then their email and everything seemed to work. Hooray, they were ready for business. Sure there were some issues along the way such as getting power, environmentals, network, hardware, etc. But through heroic efforts that was overcome and they managed to recover AD and Email. As they watched the counters, somebody asked, how come there's no email coming in and why isn't anybody using it? Answer? 1) Because nobody thought about WAN or ISP connectivity implications and 2) because the users had no equipment and no way to access this newly restored server. 


Moral? Practice well what you intend to do well and make sure your practice mimics a real scenario so you can work out such kinks before it's critical. 

-ajm
On 3/21/06, joe [EMAIL PROTECTED] wrote:


One thing you should try to shoot for is to be geographically disperse if possible. The more critical AD is to you the more critical it is to have that in place because cold restore of an entire forest is not something any but the seriously demented AD Admins are looking to do. Even if this is a simple laptop running a DC that you allow to replicate once a week and then take home it is better than nothing. Just be careful with physical security of that machine. 


Virtualization is definitely a possible answer but make sure as Hunter indicated that you really understand the implications for rollback. 




--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Amy Hunter
Sent: Tuesday, March 21, 2006 10:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Disaster Recovery


Hello there,

I have a question regarding Active Directory disaster recovery. I was just curious as to what steps you all take to protect your forest.


An example is I back up my System State nightly and these tapes go off to an offsite location. If my building and computer suite was to burn down, I would need to rebuild my forest. 

In this scenario I am assuming it would be easier to have identical hardware to carry out a restore, I know you can restore to alternate hardware but I hear bad things about this.

The other thought is to have a DC built using virtual server and start this DC once per month to replicate the latest copy of AD, then shutting it down, saving a copy of the VHD and sending to an offsite location,

That way it's not hardware dependent and just need to do a metadata cleanup

what do you all do?

amy 









RE: [ActiveDir] Disaster Recovery Training

2005-07-26 Thread Peter Johnson
Just been to their expanding directory boundaries seminar and can
confirm that she does indeed have legs :) :) :) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 25 July 2005 20:40
To: ActiveDir.org
Subject: Re: [ActiveDir] Disaster Recovery Training

John and Sally are two of the best communicators in the business, I am
looking forward to pre-conference presentation at November's IT Forum.

I wonder if this year we will confirm if Sally has legs as in all the
presentations, I have ever been to all I see is her head and torso
behind her demo boxes.

As for the DR, I will explore this option.

Many thanks,

Mark


-Original Message-
From: Grillenmeier, Guido [EMAIL PROTECTED]
Date: Mon, 25 Jul 2005 17:00:28 
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disaster Recovery Training

thanks for the advertising Jorge - and I didn't even promise you any
goodies :-)

Mark, you might also want to have a look at John Craddock and Sally
Storey's offering for a 1 day 400-level AD Disaster Recovery seminar:
http://www.kimberry.co.uk/dotnetlectures/addr.aspx 

John and Sally are well known from various MS events (TechEd, ITforum
etc) and offer these courses to everyone. While I'm sure they're not
cheap, they're definitely worth the money - educational and
entertaining at the same time.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Montag, 25. Juli 2005 15:34
To: ActiveDir@mail.activedir.org; ActiveDir.org
Subject: RE: [ActiveDir] Disaster Recovery Training

also take a look at:
Active Directory Disaster Recovery 
http://www.netpro.com/events/adrecovery/index.cfm 
NetPro and HP invite you to join Active Directory experts Gil
Kirkpatrick, CTO at NetPro, and Guido Grillenmeier, Senior Consultant of
Enterprise Microsoft Services at Hewlett Packard, as they discuss
real-life disaster scenarios and share tips and techniques to help
ensure that your business stays profitable in the midst of directory
disruptions. 
Learn first-hand how to recognize and prevent possible disaster
scenarios before they even occur. Discover new tools and techniques that
help recover deleted objects while keeping your users online. Master
such difficult tasks as group membership, security descriptor, and
password recovery. And learn how to prevent disasters through proactive
directory health management. Plus, Gil and Guido will be taking live
questions from audience members to help you solve your own personal
directory issues.
 
Cheers
#JORGE#



From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Mon 7/25/2005 2:34 PM
To: ActiveDir.org
Subject: [ActiveDir] Disaster Recovery Training



All, 

Does anyone know of a training provider that provides dedicated Active
Directory\Exchange Disaster Recovery Training, I know Microsoft do, but
these are closed courses for corporate customers who have a premier
support contract.

Regards 

Mark 


List info   : http://www.activedir.org/List.aspx 
List FAQ: http://www.activedir.org/ListFAQ.aspx 
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/ 





RE: [ActiveDir] Disaster Recovery Training

2005-07-25 Thread Ruston, Neil
Whilst not independent, I know Quest offer something along these lines.

neil


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 25 July 2005 13:35
To: ActiveDir.org
Subject: [ActiveDir] Disaster Recovery Training


All,

Does anyone know of a training provider that provides dedicated Active 
Directory\Exchange Disaster Recovery Training, I know Microsoft do, but these 
are closed courses for corporate customers who have a premier support contract.

Regards

Mark




RE: [ActiveDir] Disaster Recovery Training

2005-07-25 Thread Almeida Pinto, Jorge de
also take a look at:
Active Directory Disaster Recovery 
http://www.netpro.com/events/adrecovery/index.cfm 
NetPro and HP invite you to join Active Directory experts Gil Kirkpatrick, CTO 
at NetPro, and Guido Grillenmeier, Senior Consultant of Enterprise Microsoft 
Services at Hewlett Packard, as they discuss real-life disaster scenarios and 
share tips and techniques to help ensure that your business stays profitable in 
the midst of directory disruptions. 
Learn first-hand how to recognize and prevent possible disaster scenarios 
before they even occur. Discover new tools and techniques that help recover 
deleted objects while keeping your users online. Master such difficult tasks as 
group membership, security descriptor, and password recovery. And learn how to 
prevent disasters through proactive directory health management. Plus, Gil and 
Guido will be taking live questions from audience members to help you solve 
your own personal directory issues.
 
Cheers
#JORGE#



From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Mon 7/25/2005 2:34 PM
To: ActiveDir.org
Subject: [ActiveDir] Disaster Recovery Training



All, 

Does anyone know of a training provider that provides dedicated Active 
Directory\Exchange Disaster Recovery Training, I know Microsoft do, but these 
are closed courses for corporate customers who have a premier support contract.

Regards 

Mark 




RE: [ActiveDir] Disaster Recovery Training

2005-07-25 Thread Grillenmeier, Guido
thanks for the advertising Jorge - and I didn't even promise you any
goodies :-)

Mark, you might also want to have a look at John Craddock and Sally
Storey's offering for a 1 day 400-level AD Disaster Recovery seminar:
http://www.kimberry.co.uk/dotnetlectures/addr.aspx 

John and Sally are well known from various MS events (TechEd, ITforum
etc) and offer these courses to everyone. While I'm sure they're not
cheap, they're definitely worth the money - educational and
entertaining at the same time.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Montag, 25. Juli 2005 15:34
To: ActiveDir@mail.activedir.org; ActiveDir.org
Subject: RE: [ActiveDir] Disaster Recovery Training

also take a look at:
Active Directory Disaster Recovery 
http://www.netpro.com/events/adrecovery/index.cfm 
NetPro and HP invite you to join Active Directory experts Gil
Kirkpatrick, CTO at NetPro, and Guido Grillenmeier, Senior Consultant of
Enterprise Microsoft Services at Hewlett Packard, as they discuss
real-life disaster scenarios and share tips and techniques to help
ensure that your business stays profitable in the midst of directory
disruptions. 
Learn first-hand how to recognize and prevent possible disaster
scenarios before they even occur. Discover new tools and techniques that
help recover deleted objects while keeping your users online. Master
such difficult tasks as group membership, security descriptor, and
password recovery. And learn how to prevent disasters through proactive
directory health management. Plus, Gil and Guido will be taking live
questions from audience members to help you solve your own personal
directory issues.
 
Cheers
#JORGE#



From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Mon 7/25/2005 2:34 PM
To: ActiveDir.org
Subject: [ActiveDir] Disaster Recovery Training



All, 

Does anyone know of a training provider that provides dedicated Active
Directory\Exchange Disaster Recovery Training, I know Microsoft do, but
these are closed courses for corporate customers who have a premier
support contract.

Regards 

Mark 




Re: [ActiveDir] Disaster Recovery Training

2005-07-25 Thread Mark Parris
John and Sally are two of the best communicators in the business, I am looking 
forward to pre-conference presentation at November's IT Forum.

I wonder if this year we will confirm if Sally has legs as in all the 
presentations, I have ever been to all I see is her head and torso behind her 
demo boxes.

As for the DR, I will explore this option.

Many thanks,

Mark


-Original Message-
From: Grillenmeier, Guido [EMAIL PROTECTED]
Date: Mon, 25 Jul 2005 17:00:28 
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disaster Recovery Training

thanks for the advertising Jorge - and I didn't even promise you any
goodies :-)

Mark, you might also want to have a look at John Craddock and Sally
Storey's offering for a 1 day 400-level AD Disaster Recovery seminar:
http://www.kimberry.co.uk/dotnetlectures/addr.aspx 

John and Sally are well known from various MS events (TechEd, ITforum
etc) and offer these courses to everyone. While I'm sure they're not
cheap, they're definitely worth the money - educational and
entertaining at the same time.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Montag, 25. Juli 2005 15:34
To: ActiveDir@mail.activedir.org; ActiveDir.org
Subject: RE: [ActiveDir] Disaster Recovery Training

also take a look at:
Active Directory Disaster Recovery 
http://www.netpro.com/events/adrecovery/index.cfm 
NetPro and HP invite you to join Active Directory experts Gil
Kirkpatrick, CTO at NetPro, and Guido Grillenmeier, Senior Consultant of
Enterprise Microsoft Services at Hewlett Packard, as they discuss
real-life disaster scenarios and share tips and techniques to help
ensure that your business stays profitable in the midst of directory
disruptions. 
Learn first-hand how to recognize and prevent possible disaster
scenarios before they even occur. Discover new tools and techniques that
help recover deleted objects while keeping your users online. Master
such difficult tasks as group membership, security descriptor, and
password recovery. And learn how to prevent disasters through proactive
directory health management. Plus, Gil and Guido will be taking live
questions from audience members to help you solve your own personal
directory issues.
 
Cheers
#JORGE#



From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Mon 7/25/2005 2:34 PM
To: ActiveDir.org
Subject: [ActiveDir] Disaster Recovery Training



All, 

Does anyone know of a training provider that provides dedicated Active
Directory\Exchange Disaster Recovery Training, I know Microsoft do, but
these are closed courses for corporate customers who have a premier
support contract.

Regards 

Mark 




Re: [ActiveDir] Disaster Recovery Training

2005-07-25 Thread Phil Renouf
The MS courses you mention are often available to Partners as well
(not just customers with premier contracts) so you might want to check
into that if you are working for an MS Partner.

That NetPro webinar looks good though, I'd definitely attend that.

Phil

On 7/25/05, Mark Parris [EMAIL PROTECTED] wrote:
 John and Sally are two of the best communicators in the business, I am 
 looking forward to pre-conference presentation at November's IT Forum.
 
 I wonder if this year we will confirm if Sally has legs as in all the 
 presentations, I have ever been to all I see is her head and torso behind her 
 demo boxes.
 
 As for the DR, I will explore this option.
 
 Many thanks,
 
 Mark
 
 
 -Original Message-
 From: Grillenmeier, Guido [EMAIL PROTECTED]
 Date: Mon, 25 Jul 2005 17:00:28
 To:ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Disaster Recovery Training
 
 thanks for the advertising Jorge - and I didn't even promise you any
 goodies :-)
 
 Mark, you might also want to have a look at John Craddock and Sally
 Storey's offering for a 1 day 400-level AD Disaster Recovery seminar:
 http://www.kimberry.co.uk/dotnetlectures/addr.aspx
 
 John and Sally are well known from various MS events (TechEd, ITforum
 etc) and offer these courses to everyone. While I'm sure they're not
 cheap, they're definitely worth the money - educational and
 entertaining at the same time.
 
 /Guido
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
 Jorge de
 Sent: Montag, 25. Juli 2005 15:34
 To: ActiveDir@mail.activedir.org; ActiveDir.org
 Subject: RE: [ActiveDir] Disaster Recovery Training
 
 also take a look at:
 Active Directory Disaster Recovery
 http://www.netpro.com/events/adrecovery/index.cfm
 NetPro and HP invite you to join Active Directory experts Gil
 Kirkpatrick, CTO at NetPro, and Guido Grillenmeier, Senior Consultant of
 Enterprise Microsoft Services at Hewlett Packard, as they discuss
 real-life disaster scenarios and share tips and techniques to help
 ensure that your business stays profitable in the midst of directory
 disruptions.
 Learn first-hand how to recognize and prevent possible disaster
 scenarios before they even occur. Discover new tools and techniques that
 help recover deleted objects while keeping your users online. Master
 such difficult tasks as group membership, security descriptor, and
 password recovery. And learn how to prevent disasters through proactive
 directory health management. Plus, Gil and Guido will be taking live
 questions from audience members to help you solve your own personal
 directory issues.
 
 Cheers
 #JORGE#
 
 
 
 From: [EMAIL PROTECTED] on behalf of Mark Parris
 Sent: Mon 7/25/2005 2:34 PM
 To: ActiveDir.org
 Subject: [ActiveDir] Disaster Recovery Training
 
 
 
 All,
 
 Does anyone know of a training provider that provides dedicated Active
 Directory\Exchange Disaster Recovery Training, I know Microsoft do, but
 these are closed courses for corporate customers who have a premier
 support contract.
 
 Regards
 
 Mark
 
 
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive:
 http://www.mail-archive.com/activedir%40mail.activedir.org/
 
 
 

RE: [ActiveDir] Disaster Recovery Training

2005-07-25 Thread Mark Parris
I work independently, and where I used to work at a large bank, I am now
consulting for multiple organisations, so I have access to neither a premier
support contract nor any Microsoft partner resources.

So I have to scavenge courses where I can; I am always looking for the best
deals that money can buy.

Mark



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: 25 July 2005 20:38
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Disaster Recovery Training

The MS courses you mention are often available to Partners as well
(not just customers with premier contracts) so you might want to check
into that if you are working for an MS Partner.

That NetPro webinar looks good though, I'd definitely attend that.

Phil

On 7/25/05, Mark Parris [EMAIL PROTECTED] wrote:
 John and Sally are two of the best communicators in the business; I am
looking forward to the pre-conference presentation at November's IT Forum.
 
 I wonder if this year we will confirm if Sally has legs, as in all the
presentations I have ever been to all I see is her head and torso behind
her demo boxes.
 
 As for the DR, I will explore this option.
 
 Many thanks,
 
 Mark
 
 
 -Original Message-
 From: Grillenmeier, Guido [EMAIL PROTECTED]
 Date: Mon, 25 Jul 2005 17:00:28
 To:ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Disaster Recovery Training
 
 thanks for the advertising Jorge - and I didn't even promise you any
 goodies :-)
 
 Mark, you might also want to have a look at John Craddock and Sally
 Storey's offering for a 1 day 400-level AD Disaster Recovery seminar:
 http://www.kimberry.co.uk/dotnetlectures/addr.aspx
 
 John and Sally are well known from various MS events (TechEd, ITforum
 etc) and offer these courses to everyone. While I'm sure they're not
 cheap, they're definitely worth the money - educational and
 entertaining at the same time.
 
 /Guido
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
 Jorge de
 Sent: Monday, 25 July 2005 15:34
 To: ActiveDir@mail.activedir.org; ActiveDir.org
 Subject: RE: [ActiveDir] Disaster Recovery Training
 
 also take a look at:
 Active Directory Disaster Recovery
 http://www.netpro.com/events/adrecovery/index.cfm
 NetPro and HP invite you to join Active Directory experts Gil
 Kirkpatrick, CTO at NetPro, and Guido Grillenmeier, Senior Consultant of
 Enterprise Microsoft Services at Hewlett Packard, as they discuss
 real-life disaster scenarios and share tips and techniques to help
 ensure that your business stays profitable in the midst of directory
 disruptions.
 Learn first-hand how to recognize and prevent possible disaster
 scenarios before they even occur. Discover new tools and techniques that
 help recover deleted objects while keeping your users online. Master
 such difficult tasks as group membership, security descriptor, and
 password recovery. And learn how to prevent disasters through proactive
 directory health management. Plus, Gil and Guido will be taking live
 questions from audience members to help you solve your own personal
 directory issues.
 
 Cheers
 #JORGE#
 
 
 
 From: [EMAIL PROTECTED] on behalf of Mark Parris
 Sent: Mon 7/25/2005 2:34 PM
 To: ActiveDir.org
 Subject: [ActiveDir] Disaster Recovery Training
 
 
 
 All,
 
 Does anyone know of a training provider that provides dedicated Active
 Directory\Exchange Disaster Recovery Training? I know Microsoft do, but
 these are closed courses for corporate customers who have a premier
 support contract.
 
 Regards
 
 Mark
 
 

RE: [ActiveDir] Disaster Recovery Training

2005-07-25 Thread Dean Wells
Hi Mark,

MSEtechnology offers a number of AD classes, some of which were formerly MS
internal-only and most of which incorporate extensive DR content.  I'm
uncertain as to your requirements or your preferred delivery logistics.
Feel free to contact me off-list if you'd like further information, our web
site provides an outline of one such class.

Regards.

Dean

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Monday, July 25, 2005 3:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disaster Recovery Training

I work independently, and where I used to work at a large bank, I am now
consulting for multiple organisations, so I have access to neither a premier
support contract nor any Microsoft partner resources.

So I have to scavenge courses where I can; I am always looking for the best
deals that money can buy.

Mark



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: 25 July 2005 20:38
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Disaster Recovery Training

The MS courses you mention are often available to Partners as well (not just
customers with premier contracts) so you might want to check into that if
you are working for an MS Partner.

That NetPro webinar looks good though, I'd definitely attend that.

Phil

On 7/25/05, Mark Parris [EMAIL PROTECTED] wrote:
 John and Sally are two of the best communicators in the business; I am
looking forward to the pre-conference presentation at November's IT Forum.
 
 I wonder if this year we will confirm if Sally has legs, as in all the
presentations I have ever been to all I see is her head and torso behind
her demo boxes.
 
 As for the DR, I will explore this option.
 
 Many thanks,
 
 Mark
 
 
 -Original Message-
 From: Grillenmeier, Guido [EMAIL PROTECTED]
 Date: Mon, 25 Jul 2005 17:00:28
 To:ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Disaster Recovery Training
 
 thanks for the advertising Jorge - and I didn't even promise you any 
 goodies :-)
 
 Mark, you might also want to have a look at John Craddock and Sally 
 Storey's offering for a 1 day 400-level AD Disaster Recovery seminar:
 http://www.kimberry.co.uk/dotnetlectures/addr.aspx
 
 John and Sally are well known from various MS events (TechEd, ITforum
 etc) and offer these courses to everyone. While I'm sure they're not 
 cheap, they're definitely worth the money - educational and
 entertaining at the same time.
 
 /Guido
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Almeida 
 Pinto, Jorge de
 Sent: Monday, 25 July 2005 15:34
 To: ActiveDir@mail.activedir.org; ActiveDir.org
 Subject: RE: [ActiveDir] Disaster Recovery Training
 
 also take a look at:
 Active Directory Disaster Recovery
 http://www.netpro.com/events/adrecovery/index.cfm
 NetPro and HP invite you to join Active Directory experts Gil 
 Kirkpatrick, CTO at NetPro, and Guido Grillenmeier, Senior Consultant 
 of Enterprise Microsoft Services at Hewlett Packard, as they discuss 
 real-life disaster scenarios and share tips and techniques to help 
 ensure that your business stays profitable in the midst of directory 
 disruptions.
 Learn first-hand how to recognize and prevent possible disaster 
 scenarios before they even occur. Discover new tools and techniques 
 that help recover deleted objects while keeping your users online. 
 Master such difficult tasks as group membership, security descriptor,
 and password recovery. And learn how to prevent disasters through 
 proactive directory health management. Plus, Gil and Guido will be 
 taking live questions from audience members to help you solve your own 
 personal directory issues.
 
 Cheers
 #JORGE#
 
 
 
 From: [EMAIL PROTECTED] on behalf of Mark Parris
 Sent: Mon 7/25/2005 2:34 PM
 To: ActiveDir.org
 Subject: [ActiveDir] Disaster Recovery Training
 
 
 
 All,
 
 Does anyone know of a training provider that provides dedicated Active
 Directory\Exchange Disaster Recovery Training? I know Microsoft do,
 but these are closed courses for corporate customers who have a 
 premier support contract.
 
 Regards
 
 Mark
 
 

RE: [ActiveDir] disaster recovery

2004-03-27 Thread joe



Excellent post.

I just wanted to jump in and reemphasize that 
point.

Restoring a single domain of a forest in an isolated 
environment and expecting it to work is unrealistic. I agree with Guido in that 
you never should have been given admin rights into a domain of someone else's 
forest. You should have had OU privileges or just had your own forest entirely. 



-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Thursday, March 25, 2004 2:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

AD is supposed to be an enterprise 
directory where most enterprises span the globe and have multiple sister corps 
or corps they've merged with or acquired. these corps have their own domains and 
IT depts.

That's not how AD is supposed to be - that's merely how 
you'd like to use it. Not necessarily the same. I agree that some 
companies may implement it this way especially in the early days of AD, but not 
after they understood that not the domain, but the forest is the security 
boundary. 

If you have no good working relationship with your mother 
corp and they're not really too fond of you either, they should have never 
offered you your own domain. You would have been a perfect candidate for a 
separate forest. However, if they still wanted to fully integrate you into their 
forest without trusting you to perform service-level operations (i.e. tasks that 
require domain admin privileges), they would have merely required to grant you 
management of one or a few OUs.

If you like it or not, recovery of AD - in case of the 
disaster you describe, or in other disasters that go more towards deletion of 
objects - is a forest-level task that usually requires enterprise admin 
privileges. I am not saying, that I don't think it would be nice if this 
wasn't the case, but once you learn to treat a domain as an integral part of a 
forest that should not be managed by a separate team of administrators, it 
doesn't make a difference.

/Guido


From: Kern, Tom [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, 25 March 2004 18:56
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

going to AD was something decided by the higher ups to merge my corp and 
our sister corp into a seamless whole. The sister corp already had AD in place 
and they own the root. our IT depts. don't exactly communicate or relate to each 
other very well :)
i'm sure it's like that in a lot of places. before coming here, I was in a 
Netware 6.0 environment and feel that directory is much more mature in terms of 
configurability and satisfying all the business needs that AD does.
i exaggerated when i said i would move from AD to NDS. 
it's just that when my corp wants to do DR testing for our domain and we go 
away to the dr site and want to recreate most of our infrastructure from back 
up, etc, it's frustrating to have to go to our sister corp IT dept and ask them 
for the Domain admin or enterprise admin password or a copy of their root role 
holding master dc on a laptop or vmware just to practise recovery of our domain 
and exchange2k.
it seems MS made it so you can't recover a child domain without 
connectivity to the root. that kinda stinks.
i can understand losing some functionality but still be up and running. 
however to make it impossible to get up at all without the root fsmo dc is I 
think something that needs to be addressed.
in MS's mind, all their DR whitepapers assume you either lost a dc or 2 and 
want to recover them OR you lost the entire forest. they really don't address 
losing a child domain. 
AD is supposed to be an enterprise directory where most enterprises span the 
globe and have multiple sister corps or corps they've merged with or acquired. 
these corps have their own domains and IT depts. If one corp goes down, in MS's 
implementation, this corp has to get in touch with the IT dept of the root, be 
allowed high access to the forest OR have someone from that other IT dept free 
enough to come down for security reasons and log in himself as enterprise admin. 
also some physical connectivity is implied...
All in the middle of a disaster OR just to test and practice for said 
disaster.
that's asking for a lot of any large company.
MS should know how unrealistic this is more than anyone.

my pointless two cents.
thanks for reading and replying before

  -Original Message-
  From: Mulnick, Al [mailto:[EMAIL PROTECTED]
  Sent: Thu 3/25/2004 10:20 AM
  To: '[EMAIL PROTECTED]'
  Cc:
  Subject: RE: [ActiveDir] disaster recovery

  Just out of curiosity, why did you deploy a forest root 
  structure? Why didn't you go with a single domain 
  structure?
  
  Otherwise, Who manages the schema without the root? 
  Who manages the domain naming master in your environment (both

RE: [ActiveDir] disaster recovery

2004-03-27 Thread Kern, Tom
Guido and Joe,
 
First of all, thank you for all your advice and help.
 
You guys are absolutely right, we should have never gotten a domain if they didn't 
trust us with Enterprise admin rights over the forest. I assume they can't shake the 
Win NT view of domains yet.
However this was a management issue and decision. I just inherited all the problems and 
fall out of said issue. I suppose it was a technological solution to a political 
problem.
 Now i was just trying to figure out if there was any hack to restore a child domain 
without root connectivity.
In a real disaster, I'm sure common sense would prevail over politics and we would all 
work together, kinda like i imagined IT to be when i first got into it. Innocent boy 
that i was
 
In the interim I thought there might be some way to test a recovery without the root.
Some reg key or dns record to copy over...
 
I guess not.
 
Thank you both again for your help.

-Original Message- 
From: joe [mailto:[EMAIL PROTECTED] 
Sent: Sat 3/27/2004 5:33 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] disaster recovery


Excellent post.
 
I just wanted to jump in and reemphasize that point.
 
Restoring a single domain of a forest in an isolated environment and expecting 
it to work is unrealistic. I agree with Guido in that you never should have been given 
admin rights into a domain of someone else's forest. You should have had OU privileges 
or just had your own forest entirely. 
 
 
-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Thursday, March 25, 2004 2:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery


AD is supposed to be an enterprise directory where most enterprises span the 
globe and have multiple sister corps or corps they've merged with or acquired. these 
corps have their own domains and IT depts.
 
That's not how AD is supposed to be - that's merely how you'd like to use it.  
Not necessarily the same.  I agree that some companies may implement it this way 
especially in the early days of AD, but not after they understood that not the domain, 
but the forest is the security boundary.  
 
If you have no good working relationship with your mother corp and they're not 
really too fond of you either, they should have never offered you your own domain. You 
would have been a perfect candidate for a separate forest. However, if they still 
wanted to fully integrate you into their forest without trusting you to perform 
service-level operations (i.e. tasks that require domain admin privileges), they would 
have merely required to grant you management of one or a few OUs.
 
If you like it or not, recovery of AD - in case of the disaster you describe, 
or in other disasters that go more towards deletion of objects - is a forest-level 
task that usually requires enterprise admin privileges.  I am not saying, that I don't 
think it would be nice if this wasn't the case, but once you learn to treat a domain 
as an integral part of a forest that should not be managed by a separate team of 
administrators, it doesn't make a difference.
 
/Guido


From: Kern, Tom [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, 25 March 2004 18:56
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery


going to AD was something decided by the higher ups to merge my corp and our 
sister corp into a seamless whole. The sister corp already had AD in place and they 
own the root. our IT depts. don't exactly communicate or relate to each other very 
well :)
i'm sure it's like that in a lot of places. before coming here, I was in a 
Netware 6.0 environment and feel that directory is much more mature in terms of 
configurability and satisfying all the business needs that AD does.
i exaggerated when i said i would move from AD to NDS. 
it's just that when my corp wants to do DR testing for our domain and we go 
away to the dr site and want to recreate most of our infrastructure from back up, etc, 
it's frustrating to have to go to our sister corp IT dept and ask them for the Domain 
admin or enterprise admin password or a copy of their root role holding master dc on a 
laptop or vmware just to practise recovery of our domain and exchange2k.
it seems MS made it so you can't recover a child domain without connectivity 
to the root. that kinda stinks.
i can understand losing some functionality but still be up and running. 
however

RE: [ActiveDir] disaster recovery

2004-03-27 Thread joe
Unfortunately no, no way to test in an isolated way like that without
bringing at least the root with you and probably any other domains.
 
I guess you need to find out how important this is. If it is truly critical
to know this will work in a disaster you need to do one of two things.
 
1. Get the folks with the Enterprise keys involved and do overall testing of
the whole solution.
2. Build your own forest and migrate to it and then set up trusts to the
other forest/domains that are needed.
 
I'm thinking honestly that the second answer is probably the right one
UNLESS the company is trying to collapse to a single IT group in which the
first option would be feasible. 
 
  joe
 
-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Saturday, March 27, 2004 7:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery


Guido and Joe,
 
First of all, thank you for all your advice and help.
 
You guys are absolutely right, we should have never gotten a domain if they
didn't trust us with Enterprise admin rights over the forest. I assume they
can't shake the Win NT view of domains yet.
However this was a management issue and decision. I just inherited all the
problems and fall out of said issue. I suppose it was a technological
solution to a political problem.
 Now i was just trying to figure out if there was any hack to restore a
child domain without root connectivity.
In a real disaster, I'm sure common sense would prevail over politics and we
would all work together, kinda like i imagined IT to be when i first got
into it. Innocent boy that i was
 
In the interim I thought there might be some way to test a recovery without
the root.
Some reg key or dns record to copy over...
 
I guess not.
 
Thank you both again for your help.

-Original Message- 
From: joe [mailto:[EMAIL PROTECTED] 
Sent: Sat 3/27/2004 5:33 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] disaster recovery


Excellent post.
 
I just wanted to jump in and reemphasize that point.
 
Restoring a single domain of a forest in an isolated environment and
expecting it to work is unrealistic. I agree with Guido in that you never
should have been given admin rights into a domain of someone else's forest.
You should have had OU privileges or just had your own forest entirely. 
 
 
-
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Thursday, March 25, 2004 2:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery


AD is supposed to be an enterprise directory where most enterprises span
the globe and have multiple sister corps or corps they've merged with or
acquired. these corps have their own domains and IT depts.
 
That's not how AD is supposed to be - that's merely how you'd like to use
it.  Not necessarily the same.  I agree that some companies may implement it
this way especially in the early days of AD, but not after they understood
that not the domain, but the forest is the security boundary.  
 
If you have no good working relationship with your mother corp and they're
not really too fond of you either, they should have never offered you your
own domain. You would have been a perfect candidate for a separate forest.
However, if they still wanted to fully integrate you into their forest
without trusting you to perform service-level operations (i.e. tasks that
require domain admin privileges), they would have merely required to grant
you management of one or a few OUs.
 
If you like it or not, recovery of AD - in case of the disaster you
describe, or in other disasters that go more towards deletion of objects -
is a forest-level task that usually requires enterprise admin privileges.
I am not saying, that I don't think it would be nice if this wasn't the
case, but once you learn to treat a domain as an integral part of a forest
that should not be managed by a separate team of administrators, it doesn't
make a difference.
 
/Guido


From: Kern, Tom [mailto:[EMAIL PROTECTED] On Behalf Of
Kern, Tom
Sent: Thursday, 25 March 2004 18:56
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery


going to AD was something decided by the higher ups to merge my corp and our
sister corp into a seamless whole. The sister corp already had AD in place
and they own the root. our IT depts. don't exactly communicate or relate to
each other very well :)
i'm sure it's like that in a lot of places. before coming here, I was in a
Netware 6.0 environment and feel that directory is much more mature in terms
of configurability and satisfying all the business needs that AD does.
i exaggerated when i said i would move from AD to NDS

RE: [ActiveDir] disaster recovery

2004-03-25 Thread Salandra, Justin A.
If you don't have the forest root DNS zone then you are missing the _msdcs zone which 
is needed for replication to occur.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, March 24, 2004 1:35 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] disaster recovery

I just restored AD. I had a test laptop, pulled it off the network, ran ntdsutil, 
seized all 3 roles, ran metadata cleanup and removed all my old dc's. deleted them with 
adsiedit and all dns records as well.
then at the DR site, i set up new servers with the same names as the old ones, ran 
dcpromo. however, the new servers get dnslookup/rpc errors when i try to force a 
replication.
also, they fail a dcdiag because the guid dns name is not present and the server 
fails a directory request
Also the srv records for kerberos and kpasswd do not appear in dns for my domain.
The test laptop had an AD integrated dns zone pulled directly from my real network. 
However, it just has the zone for my domain, not the forest root.
do i need this record as well to promote DC's? I'm not connected to the forest anyway, 
but should i have the forest root records too?
what am i doing wrong?
thanks
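
The DNS dependency discussed in this message, as an added example that is not part of the original thread: it checks a record listing against the standard names a domain controller registers and looks up, and reports which missing ones live under the forest root rather than the child domain. The domain names, the GUID, and the "owner TYPE data" listing format are constructed assumptions.

```python
"""Report which DC-related DNS names are absent from a record listing.

Added illustration. Domain names, GUID and listing format are constructed.
"""

# Constructed lab values (assumptions, not taken from the thread).
DOMAIN = "child.corp.example"
FOREST_ROOT = "corp.example"
DSA_GUIDS = ["0f3a9c2e-1111-4222-8333-444455556666"]

# Constructed listing holding only the child zone, as on an isolated lab box.
LAB_LISTING = """
; zone child.corp.example (constructed sample)
dc1.child.corp.example.                  A   10.0.0.10
_ldap._tcp.dc._msdcs.child.corp.example. SRV 0 100 389 dc1.child.corp.example.
"""


def required_records(domain, forest_root, dsa_guids):
    """Map each owner name a DC depends on to (record type, purpose)."""
    req = {
        f"_ldap._tcp.dc._msdcs.{domain}": ("SRV", "domain controller locator"),
        f"_kerberos._tcp.{domain}": ("SRV", "Kerberos KDC"),
        f"_kerberos._udp.{domain}": ("SRV", "Kerberos KDC"),
        f"_kpasswd._tcp.{domain}": ("SRV", "Kerberos password change"),
        f"_kpasswd._udp.{domain}": ("SRV", "Kerberos password change"),
        # Forest-wide names are registered under the forest root name.
        f"_ldap._tcp.gc._msdcs.{forest_root}": ("SRV", "global catalog locator"),
        f"_gc._tcp.{forest_root}": ("SRV", "global catalog locator"),
    }
    for guid in dsa_guids:
        # Replication partners resolve each other through this GUID alias.
        req[f"{guid}._msdcs.{forest_root}"] = ("CNAME", "replication alias")
    return {owner.lower(): value for owner, value in req.items()}


def parse_listing(text):
    """Return the set of (owner, type) pairs in an 'owner TYPE data' listing."""
    found = set()
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()  # drop comments, then tokenize
        if len(fields) >= 3:
            found.add((fields[0].rstrip(".").lower(), fields[1].upper()))
    return found


def scope_of(owner, domain, forest_root):
    """Say whether an owner name sits under the child domain or the forest root."""
    if domain == forest_root or owner == domain or owner.endswith("." + domain):
        return "domain"
    return "forest root"


def missing_records(domain, forest_root, dsa_guids, listing):
    """List (owner, type, scope, purpose) for every required record not found."""
    domain = domain.lower().rstrip(".")
    forest_root = forest_root.lower().rstrip(".")
    found = parse_listing(listing)
    gaps = []
    for owner, (rtype, purpose) in required_records(
            domain, forest_root, dsa_guids).items():
        if (owner, rtype) not in found:
            gaps.append((owner, rtype, scope_of(owner, domain, forest_root), purpose))
    return gaps


def lab_gaps():
    """Run the check against the constructed child-zone-only listing."""
    return missing_records(DOMAIN, FOREST_ROOT, DSA_GUIDS, LAB_LISTING)


if __name__ == "__main__":
    for owner, rtype, scope, purpose in lab_gaps():
        print(f"MISSING {rtype:5} {owner}  [{scope}] {purpose}")
```

With only the child zone present, the GUID alias and global catalog names are reported under the forest root, which matches the dcdiag and replication symptoms described in the post.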

RE: [ActiveDir] disaster recovery

2004-03-25 Thread Mulnick, Al



Just out of curiosity, why did you deploy a forest root 
structure? Why didn't you go with a single domain 
structure?

Otherwise, Who manages the schema without the root? 
Who manages the domain naming master in your environment (both are at the root, 
right?) Who handles your time synch? Who holds the Enterprise 
Administrator permissions? 

from: http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/support/adrecov.mspx

"Important: Backup data from a DC can 
only be used to restore that DC. You cannot use a backup of one DC to restore 
another. To have your environment completely backed up, you would need to have a 
backup of every domain controller. This should be kept in mind while developing 
your backup strategy. The minimum requirement should be to backup all the OM 
role holders and GCs. Also the first domain controller in the root domain should 
always be backed up."

"Note: 
Because this procedure requires modifying the configuration naming context, it 
requires Enterprise Administrator permissions."



Switching to something 
that works for you is certainly an understandable path to take but only if you 
understand that product better AND it solves your issues. IT is not about 
technology for technology sake it's about solving your business issues. If 
you need something else to make that happen, I'd be the first to tell you to go 
do it. 

This thread comes across as sticker shock as you go to 
do this. This is also why you want to practice this stuff all the 
time; that way you are not surprised at 0200 when everything is 
down.

Al


From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 5:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

i don't need the schema or domain naming roles to restore my domain. i have 
all the other roles. 
yet it still has issues with finding a gc or replicating within a 
domain.
why?

this is a fundamental design flaw of AD. It boggles the mind. If in a real 
disaster or even a test, MS expects you to have connectivity to your root 
domain wherever it may be(on the other side of the world) AND access to that 
domain's Admin passwords or accounts OR enterprise admin just to get up and 
running, then they are clearly not living in this world.
AD was meant for the enterprise where a corp could have offices and domains 
all over the world. if in the event of disaster, we have to worry about isdn or 
T1 lines to the root and overcome all the politics of diff IT depts and security 
to beg for the enterprise password(even just for a simple test) JUST to get 
functional(not add or delete domains or modify the schema), then i'm ready to 
ditch AD for NDS or something more realistic.
what other reason could I have to connect to the root? what other secrets 
does it hold aside from the 2 roles?
does anyone know?
why doesn't MS tell you these things in their DR documentation? is it so 
obvious?
why is connectivity to the root never mentioned as key?
am i the idiot?
i'm willing to accept that, but what else does the root dc hold in terms of 
AD functionality?
thank you for all your help so far.

  -Original Message-
  From: Mulnick, Al [mailto:[EMAIL PROTECTED]
  Sent: Wed 3/24/2004 4:28 PM
  To: '[EMAIL PROTECTED]'
  Cc:
  Subject: RE: [ActiveDir] disaster recovery

  No, you need the root domain as it holds some of the 
  roles etc.
  
  In order for this to work, you need to restore the root 
  domain as well. I've found that doing this with a virtual server is 
  sometimes easier but that just saves on hardware 
  requirements.
  
  
  Al
  
  
  From: Kern, Tom [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, March 24, 2004 3:23 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] disaster recovery
  
  yes. 
  a quick question- can one restore an entire child domain without 
  connectivity to the root domain?
  
-Original Message-
From: Anderson Santos Patricio [mailto:[EMAIL PROTECTED]
Sent: Wed 3/24/2004 2:58 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] disaster recovery

Your zones are set for Dynamic Updates = 
YES???




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, 24 March 2004 16:47
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

restarting netlogon or registerdns does not work.
where is this copy of the root zone in my dns server? i don't think i 
have it by default. i had to transfer it on my dns server back home.
also if i had it, wouldn't creating an AD integrated dns server on my 
test DC also have it?
finally, when dc's replicate, do they look each other up in a gc?
i never had any gc srv records in my local domain zone, only in the 
root. is this normal?
thanks for your reply

  -Original Message- From: An

RE: [ActiveDir] disaster recovery

2004-03-25 Thread Kern, Tom
going to AD was something decided by the higher ups to merge my corp and our sister 
corp into a seamless whole. The sister corp already had AD in place and they own the 
root. our IT depts. don't exactly communicate or relate to each other very well :)
i'm sure it's like that in a lot of places. before coming here, I was in a Netware 6.0 
environment and feel that directory is much more mature in terms of configurability and 
satisfying all the business needs that AD does.
i exaggerated when i said i would move from AD to NDS. 
it's just that when my corp wants to do DR testing for our domain and we go away to the 
dr site and want to recreate most of our infrastructure from back up, etc, it's 
frustrating to have to go to our sister corp IT dept and ask them for the Domain 
admin or enterprise admin password or a copy of their root role holding master dc on a 
laptop or vmware just to practise recovery of our domain and exchange2k.
it seems MS made it so you can't recover a child domain without connectivity to the 
root. that kinda stinks.
i can understand losing some functionality but still be up and running. however to 
make it impossible to get up at all without the root fsmo dc is I think something that 
needs to be addressed.
in MS's mind, all their DR whitepapers assume you either lost a dc or 2 and want to 
recover them OR you lost the entire forest. they really don't address losing a child 
domain. 
AD is supposed to be an enterprise directory where most enterprises span the globe and 
have multiple sister corps or corps they've merged with or acquired. these corps have 
their own domains and IT depts. If one corp goes down, in MS's implementation, this 
corp has to get in touch with the IT dept of the root, be allowed high access to the 
forest OR have someone from that other IT dept free enough to come down for security 
reasons and log in himself as enterprise admin. also some physical connectivity is 
implied...
All in the middle of a disaster OR just to test and practice for said disaster.
that's asking for a lot of any large company.
MS should know how unrealistic this is more than anyone.
 
my pointless two cents.
thanks for reading and replying before

-Original Message- 
From: Mulnick, Al [mailto:[EMAIL PROTECTED] 
Sent: Thu 3/25/2004 10:20 AM 
To: '[EMAIL PROTECTED]' 
Cc: 
Subject: RE: [ActiveDir] disaster recovery


Just out of curiosity, why did you deploy a forest root structure?  Why 
didn't you go with a single domain structure?
 
Otherwise, Who manages the schema without the root?  Who manages the domain 
naming master in your environment (both are at the root, right?)  Who handles your 
time synch? Who holds the Enterprise Administrator permissions? 
 
from: 
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/support/adrecov.mspx
 
Important: Backup data from a DC can only be used to restore that DC. You 
cannot use a backup of one DC to restore another. To have your environment completely 
backed up, you would need to have a backup of every domain controller. This should be 
kept in mind while developing your backup strategy. The minimum requirement should be 
to backup all the OM role holders and GCs. Also the first domain controller in the 
root domain should always be backed up.
 
Note: Because this procedure requires modifying the configuration naming 
context, it requires Enterprise Administrator permissions.
 
 
 
Switching to something that works for you is certainly an understandable path 
to take but only if you understand that product better AND it solves your issues.  IT 
is not about technology for technology's sake; it's about solving your business issues.  
If you need something else to make that happen, I'd be the first to tell you to go do 
it. 
 
This thread comes across as sticker shock as you go to do this.  This is also 
why you want to practice this stuff all the time; that way you are not surprised at 
0200 when everything is down.
 
 Al

  _  

From: Kern, Tom [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 24, 2004 5:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery


i don't need the schema or domain naming roles to restore my domain. i have 
all the other roles. 
yet it still has issues with finding a gc or replicating within a domain.
why?
 
this is a fundamental design flaw of AD. It boggles the mind. If in a real 
disaster or even a test, MS expects you to have connectivity to your root domain 
wherever it may be (on the other side of the world) AND access to that domain's Admin 
passwords or accounts OR enterprise admin just to get up and running, then they are 
clearly not living in this world

RE: [ActiveDir] disaster recovery

2004-03-25 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)



AD is supposed to be an enterprise 
directory where most enterprises span the globe and have multiple sister corps 
or corps they've merged with or acquired. these corps have their own domains and 
IT depts.

That's not how AD is supposed to be - that's merely how 
you'd like to use it. Not necessarily the same. I agree that some 
companies may implement it this way especially in the early days of AD, but not 
after they understood that not the domain, but the forest is the security 
boundary. 

If you have no good working relationship with your mother 
corp and they're not really too fond of you either, they should have never 
offered you your own domain. You would have been a perfect candidate for a 
separate forest. However, if they still wanted to fully integrate you into their 
forest without trusting you to perform service-level operations (i.e. tasks that 
require domain admin privileges), they would merely have needed to grant you 
management of one or a few OUs.

Whether you like it or not, recovery of AD - in case of the 
disaster you describe, or in other disasters that go more towards deletion of 
objects - is a forest-level task that usually requires enterprise admin 
privileges. I am not saying that I don't think it would be nice if this 
wasn't the case, but once you learn to treat a domain as an integral part of a 
forest that should not be managed by a separate team of administrators, it 
doesn't make a difference.

/Guido


From: Kern, Tom [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Donnerstag, 25. März 2004 18:56
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

going to AD was something decided by the higher ups to merge my corp and 
our sister corp into a seamless whole. The sister corp already had AD in place 
and they own the root. our IT depts. don't exactly communicate or relate to each 
other very well :)
i'm sure it's like that in a lot of places. before coming here, I was in a 
Netware 6.0 environment and feel that directory is much more mature in terms of 
configurability and satisfying all the business needs that AD does.
i exaggerated when i said i would move from AD to NDS. 
it's just that when my corp wants to do DR testing for our domain and we go 
away to the dr site and want to recreate most of our infrastructure from back 
up, etc, it's frustrating to have to go to our sister corp IT dept and ask them 
for the Domain admin or enterprise admin password or a copy of their root role 
holding master dc on a laptop or vmware just to practise recovery of our domain 
and exchange2k.
it seems MS made it so you can't recover a child domain without 
connectivity to the root. that kinda stinks.
i can understand losing some functionality but still be up and running. 
however to make it impossible to get up at all without the root fsmo dc is I 
think something that needs to be addressed.
in MS's mind, all their DR whitepapers assume you either lost a dc or 2 and 
want to recover them OR you lost the entire forest. they really don't address 
losing a child domain. 
AD is supposed to be an enterprise directory where most enterprises span the 
globe and have multiple sister corps or corps they've merged with or acquired. 
these corps have their own domains and IT depts. If one corp goes down, in MS's 
implementation, this corp has to get in touch with the IT dept of the root, be 
allowed high access to the forest OR have someone from that other IT dept free 
enough to come down for security reasons and log in himself as enterprise admin. 
also some physical connectivity is implied...
All in the middle of a disaster OR just to test and practice for said 
disaster.
that's asking for a lot of any large company.
MS should know how unrealistic this is more than anyone.

my pointless two cents.
thanks for reading and replying before

  -Original Message-
  From: Mulnick, Al [mailto:[EMAIL PROTECTED]
  Sent: Thu 3/25/2004 10:20 AM
  To: '[EMAIL PROTECTED]'
  Cc:
  Subject: RE: [ActiveDir] disaster recovery

  Just out of curiosity, why did you deploy a forest root 
  structure? Why didn't you go with a single domain 
  structure?
  
  Otherwise, Who manages the schema without the root? 
  Who manages the domain naming master in your environment (both are at the 
  root, right?) Who handles your time synch? Who holds the Enterprise 
  Administrator permissions? 
  
  from: http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/support/adrecov.mspx
  
  "Important: Backup data from a DC can 
  only be used to restore that DC. You cannot use a backup of one DC to restore 
  another. To have your environment completely backed up, you would need to have 
  a backup of every domain controller. This should be kept in mind while 
  developing your backup strategy. The minimum requirement should be to backup 
  all the OM role holders and GCs. Also the first domain controller in the root 
  domain s

RE: [ActiveDir] disaster recovery

2004-03-24 Thread Kern, Tom
restarting netlogon or registerdns does not work.
where is this copy of the root zone in my dns server? i don't think i have it by 
default. i had to transfer it on my dns server back home.
also if i had it, wouldn't creating an AD integrated dns server on my test DC also have 
it?
finally, when dc's replicate, do they look each other up in a gc?
i never had any gc srv records in my local domain zone, only in the root. is this 
normal?
thanks for your reply

-Original Message- 
From: Anderson Santos Patricio [mailto:[EMAIL PROTECTED] 
Sent: Wed 3/24/2004 2:16 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] disaster recovery


Hi Tom,
 
All registers of AD zones can be recovered with two commands:
 
restart netlogon service or ipconfig /registerdns
 
and all workstations will update your register in dns, or dhcp will ..
 
In Windows 2000 it is interesting to have a secondary zone of your root in your 
local dns server,
 
In Windows 2003 you can set the dns zone to Forest level; then this zone is 
replicated to all domain controllers in the forest.
 
Thanks in advance.
 


Anderson Patricio - Support Analyst
[EMAIL PROTECTED]

Microsoft Certified Systems Engineer on 2003/2000

Microsoft Certified Systems Administrator on 2003/2000

Red Hat Certified Technician

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: quarta-feira, 24 de março de 2004 16:03
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery


i also get an "all gc's are down" error.
gc records are just registered in the root domain, i assume. i only have a dns 
for my domain.
also dcdiag output says "the server is not responding to directory service 
requests" though it holds a copy of AD.
how can i get around this? do i need a copy of the root dns zone? how can i 
get this? can i export it to a text file and import it into my dns server? can i 
somehow pull it from the config container in AD without being connected to the root of 
the tree?
is this the cause of my woes?
 
it would be insane on MS's part to demand connectivity to the root of the 
forest when restoring or doing DR on AD.
what did i screw up?
 
Thanks again for any help

-Original Message- 
From: Kern, Tom 
Sent: Wed 3/24/2004 1:34 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: [ActiveDir] disaster recovery



I just restored AD. I had a test laptop, pulled it off the network, 
ran ntdsutil, seized all 3 roles, ran metadata cleanup and removed all my old dc's. 
deleted them with adsiedit and all dns records as well.

then at the DR site, i set up new servers with the same names as the 
old ones, ran dcpromo. however, the new servers get dnslookup/rpc errors when i try 
to force a replication.

also, they fail a dcdiag because the guid dns name is not present and 
the server "fails a directory request". 
Also the srv records for kerberos and kpasswd do not appear in dns for 
my domain. 
The test laptop had an AD integrated dns zone pulled directly from my 
real network. However, it just has the zone for my domain, not the forest root.

do i need this record as well to promote DC's? I'm not connected to 
the forest anyway, but should i have the forest root records too?

what am i doing wrong? 
thanks 
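
As an added illustration (not part of any message in this thread): the GC SRV records and the GUID-based CNAME reported missing above are registered under the forest root name rather than the child domain, so a DNS server that hosts only the child zone has nowhere to hold them. The Python example below builds a subset of the standard DC locator names for one DC and reports which of them fall outside the hosted zones; the domain names, GUID and zone lists are constructed, and site-specific records are omitted.

```python
"""Split a DC's locator DNS records by the zone that has to hold them.

All names, the GUID and the zone lists are constructed sample values.
Site-specific records are left out, so this is a subset of the full set.
"""

SAMPLE_GUID = "11111111-2222-3333-4444-555555555555"  # constructed DSA GUID
CHILD = "child.corp.example"                          # constructed child domain
ROOT = "corp.example"                                 # constructed forest root


def locator_records(domain, forest_root, dsa_guid, is_gc=False, is_pdc=False):
    """Return (owner name, record type) pairs Netlogon registers for one DC."""
    domain = domain.lower().rstrip(".")
    forest_root = forest_root.lower().rstrip(".")
    records = [
        (f"_ldap._tcp.{domain}", "SRV"),
        (f"_ldap._tcp.dc._msdcs.{domain}", "SRV"),
        (f"_kerberos._tcp.{domain}", "SRV"),
        (f"_kerberos._udp.{domain}", "SRV"),
        (f"_kerberos._tcp.dc._msdcs.{domain}", "SRV"),
        (f"_kpasswd._tcp.{domain}", "SRV"),
        (f"_kpasswd._udp.{domain}", "SRV"),
    ]
    if is_pdc:
        records.append((f"_ldap._tcp.pdc._msdcs.{domain}", "SRV"))
    # Everything below hangs off the FOREST ROOT name, whichever domain the
    # DC belongs to. Replication partners find each other via the GUID CNAME.
    records.append((f"{dsa_guid.lower()}._msdcs.{forest_root}", "CNAME"))
    if is_gc:
        records.append((f"_ldap._tcp.gc._msdcs.{forest_root}", "SRV"))
        records.append((f"_gc._tcp.{forest_root}", "SRV"))
    return records


def covering_zone(name, hosted_zones):
    """Return the most specific hosted zone that contains name, or None."""
    name = name.lower().rstrip(".")
    best = None
    for zone in hosted_zones:
        z = zone.lower().rstrip(".")
        # Match on a label boundary so "notcorp.example" is not in "corp.example".
        if name == z or name.endswith("." + z):
            if best is None or len(z) > len(best):
                best = z
    return best


def uncovered(records, hosted_zones):
    """Records the DNS server cannot hold because no hosted zone contains them."""
    return [(n, t) for n, t in records if covering_zone(n, hosted_zones) is None]


if __name__ == "__main__":
    recs = locator_records(CHILD, ROOT, SAMPLE_GUID, is_gc=True, is_pdc=True)
    scenarios = (
        ("child zone only", [CHILD]),
        ("child zone + _msdcs of root", [CHILD, "_msdcs." + ROOT]),
        ("child zone + full root zone", [CHILD, ROOT]),
    )
    for label, zones in scenarios:
        missing = uncovered(recs, zones)
        print(f"{label}: {len(missing)} record(s) with no zone")
        for name, rtype in missing:
            print(f"    {rtype:5} {name}")
```

Hosting only the `_msdcs` portion of the root still leaves `_gc._tcp.<forest root>` without a zone, which the second scenario shows.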

RE: [ActiveDir] disaster recovery

2004-03-24 Thread Anderson Santos Patricio



Are your zones set for Dynamic Updates = YES???




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: quarta-feira, 24 de março de 2004 16:47
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

restarting netlogon or registerdns does not work.
where is this copy of the root zone in my dns server? i don't think i have 
it by default. i had to transfer it on my dns server back home.
also if i had it, wouldn't creating an AD integrated dns server on my test 
DC also have it?
finally, when dc's replicate, do they look each other up in a gc?
i never had any gc srv records in my local domain zone, only in the root. 
is this normal?
thanks for your reply

  -Original Message-
  From: Anderson Santos Patricio [mailto:[EMAIL PROTECTED]
  Sent: Wed 3/24/2004 2:16 PM
  To: [EMAIL PROTECTED]
  Cc:
  Subject: RE: [ActiveDir] disaster recovery

  Hi Tom,
  
  All registers of AD zones can be recovered with two commands:
  
  restart netlogon service or ipconfig /registerdns
  
  and all workstations will update your register in dns, or 
  dhcp will ..
  
  In Windows 2000 it is interesting to have a secondary zone 
  of your root in your local dns server,
  
  In Windows 2003 you can set the dns zone to Forest level; then 
  this zone is replicated to all domain controllers in the 
  forest.
  
  Thanks in advance.
  
  
  
  Anderson Patricio - Support Analyst
  [EMAIL PROTECTED]
  Microsoft Certified Systems Engineer on 2003/2000
  Microsoft Certified Systems Administrator on 2003/2000
  Red Hat Certified Technician
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
  Sent: quarta-feira, 24 de março de 2004 16:03
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] disaster recovery
  
  i also get an "all gc's are down" error.
  gc records are just registered in the root domain, i assume. i only have 
  a dns for my domain.
  also dcdiag output says "the server is not responding to directory 
  service requests" though it holds a copy of AD.
  how can i get around this? do i need a copy of the root dns zone? how can 
  i get this? can i export it to a text file and import it into my dns server? 
  can i somehow pull it from the config container in AD without being connected 
  to the root of the tree?
  is this the cause of my woes?
  
  it would be insane on MS's part to demand connectivity to the root of the 
  forest when restoring or doing DR on AD.
  what did i screw up?
  
  Thanks again for any help
  
-Original Message-
From: Kern, Tom
Sent: Wed 3/24/2004 1:34 PM
To: [EMAIL PROTECTED]
Cc:
Subject: [ActiveDir] disaster recovery

I just restored AD. I had a test laptop, pulled it off the 
network, ran ntdsutil, seized all 3 roles, ran metadata cleanup and removed 
all my old dc's. deleted them with adsiedit and all dns records as 
well.
then at the DR site, i set up new servers with the same 
names as the old ones, ran dcpromo. however, the new servers get 
dnslookup/rpc errors when i try to force a replication.
also, they fail a dcdiag because the guid dns name is not 
present and the server "fails a directory request". 
Also the srv records for kerberos and kpasswd do not appear in dns 
for my domain. The test laptop had an AD integrated 
dns zone pulled directly from my real network. However, it just has the zone 
for my domain, not the forest root.
do i need this record as well to promote DC's? I'm not 
connected to the forest anyway, but should i have the forest root records 
too?
what am i doing wrong? thanks 
  


RE: [ActiveDir] disaster recovery

2004-03-24 Thread Kern, Tom
yes. 
a quick question- can one restore an entire child domain without connectivity to the 
root domain?

-Original Message- 
From: Anderson Santos Patricio [mailto:[EMAIL PROTECTED] 
Sent: Wed 3/24/2004 2:58 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] disaster recovery


Are your zones set for Dynamic Updates = YES???
 
 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: quarta-feira, 24 de março de 2004 16:47
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery


restarting netlogon or registerdns does not work.
where is this copy of the root zone in my dns server? i don't think i have it 
by default. i had to transfer it on my dns server back home.
also if i had it, wouldn't creating an AD integrated dns server on my test DC 
also have it?
finally, when dc's replicate, do they look each other up in a gc?
i never had any gc srv records in my local domain zone, only in the root. is 
this normal?
thanks for your reply

-Original Message- 
From: Anderson Santos Patricio [mailto:[EMAIL PROTECTED] 
Sent: Wed 3/24/2004 2:16 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] disaster recovery


Hi Tom,
 
All registers of AD zones can be recovered with two commands:
 
restart netlogon service or ipconfig /registerdns
 
and all workstations will update your register in dns, or dhcp will ..
 
In Windows 2000 it is interesting to have a secondary zone of your root 
in your local dns server,
 
In Windows 2003 you can set the dns zone to Forest level; then this zone is 
replicated to all domain controllers in the forest.
 
Thanks in advance.
 


Anderson Patricio - Support Analyst
[EMAIL PROTECTED]

Microsoft Certified Systems Engineer on 2003/2000

Microsoft Certified Systems Administrator on 2003/2000

Red Hat Certified Technician

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, 
Tom
Sent: quarta-feira, 24 de março de 2004 16:03
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery


i also get an "all gc's are down" error.
gc records are just registered in the root domain, i assume. i only 
have a dns for my domain.
also dcdiag output says "the server is not responding to directory 
service requests" though it holds a copy of AD.
how can i get around this? do i need a copy of the root dns zone? how 
can i get this? can i export it to a text file and import it into my dns server? can i 
somehow pull it from the config container in AD without being connected to the root of 
the tree?
is this the cause of my woes?
 
it would be insane on MS's part to demand connectivity to the root of 
the forest when restoring or doing DR on AD.
what did i screw up?
 
Thanks again for any help

-Original Message- 
From: Kern, Tom 
Sent: Wed 3/24/2004 1:34 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: [ActiveDir] disaster recovery



I just restored AD. I had a test laptop, pulled it off the 
network, ran ntdsutil, seized all 3 roles, ran metadata cleanup and removed all my old 
dc's. deleted them with adsiedit and all dns records as well.

then at the DR site, i set up new servers with the same names 
as the old ones, ran dcpromo. however, the new servers get dnslookup/rpc errors when 
i try to force a replication.

also, they fail a dcdiag because the guid dns name is not 
present and the server "fails a directory request". 
Also the srv records for kerberos and kpasswd do not appear in 
dns for my domain. 
The test laptop had an AD integrated dns zone pulled directly 
from my real network. However, it just has the zone for my domain, not the forest root.

do i need this record as well to promote DC's? I'm not 
connected to the forest anyway

RE: [ActiveDir] disaster recovery

2004-03-24 Thread Mulnick, Al



No, you need the root domain as it holds some of the roles 
etc.

In order for this to work, you need to restore the root 
domain as well. I've found that doing this with a virtual server is 
sometimes easier but that just saves on hardware 
requirements.


Al


From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 3:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

yes. 
a quick question- can one restore an entire child domain without 
connectivity to the root domain?

  -Original Message-
  From: Anderson Santos Patricio [mailto:[EMAIL PROTECTED]
  Sent: Wed 3/24/2004 2:58 PM
  To: [EMAIL PROTECTED]
  Cc:
  Subject: RE: [ActiveDir] disaster recovery

  Are your zones set for Dynamic Updates = YES???
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
  Sent: quarta-feira, 24 de março de 2004 16:47
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] disaster recovery
  
  restarting netlogon or registerdns does not work.
  where is this copy of the root zone in my dns server? i don't think i 
  have it by default. i had to transfer it on my dns server back home.
  also if i had it, wouldn't creating an AD integrated dns server on my test 
  DC also have it?
  finally, when dc's replicate, do they look each other up in a gc?
  i never had any gc srv records in my local domain zone, only in the root. 
  is this normal?
  thanks for your reply
  
-Original Message-
From: Anderson Santos Patricio [mailto:[EMAIL PROTECTED]
Sent: Wed 3/24/2004 2:16 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] disaster recovery

Hi Tom,

All registers of AD zones can be recovered with two commands:

restart netlogon service or ipconfig /registerdns

and all workstations will update your register in dns, 
or dhcp will ..

In Windows 2000 it is interesting to have a secondary 
zone of your root in your local dns server,

In Windows 2003 you can set the dns zone to Forest level; 
then this zone is replicated to all domain controllers in the 
forest.

Thanks in advance.



Anderson Patricio - Support Analyst
[EMAIL PROTECTED]
Microsoft Certified Systems Engineer on 2003/2000
Microsoft Certified Systems Administrator on 2003/2000
Red Hat Certified Technician




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: quarta-feira, 24 de março de 2004 16:03
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery

i also get an "all gc's are down" error.
gc records are just registered in the root domain, i assume. i only 
have a dns for my domain.
also dcdiag output says "the server is not responding to directory 
service requests" though it holds a copy of AD.
how can i get around this? do i need a copy of the root dns zone? how 
can i get this? can i export it to a text file and import it into my dns 
server? can i somehow pull it from the config container in AD without being 
connected to the root of the tree?
is this the cause of my woes?

it would be insane on MS's part to demand connectivity to the root of 
the forest when restoring or doing DR on AD.
what did i screw up?

Thanks again for any help

  -Original Message-
  From: Kern, Tom
  Sent: Wed 3/24/2004 1:34 PM
  To: [EMAIL PROTECTED]
  Cc:
  Subject: [ActiveDir] disaster recovery

  I just restored AD. I had a test laptop, pulled it off the 
  network, ran ntdsutil, seized all 3 roles, ran metadata cleanup and removed 
  all my old dc's. deleted them with adsiedit and all dns records as 
  well.
  then at the DR site, i set up new servers with the same 
  names as the old ones, ran dcpromo. however, the new servers get 
  dnslookup/rpc errors when i try to force a replication.
  also, they fail a dcdiag because the guid dns name is not 
  present and the server "fails a directory request". 
  Also the srv records for kerberos and kpasswd do not appear in dns 
  for my domain. The test laptop had an AD 
  integrated dns zone pulled directly from my real network. However, it 
  just has the zone for my domain, not the forest root.
  do i need this record as well to promote DC's? I'm not 
  connected to the forest anyway, but should i have the forest root records 
  too?
  what am i doing wrong? thanks 


RE: [ActiveDir] disaster recovery

2004-03-24 Thread Kern, Tom
i don't need the schema or domain naming roles to restore my domain. i have all the 
other roles. 
yet it still has issues with finding a gc or replicating within a domain.
why?
 
this is a fundamental design flaw of AD. It boggles the mind. If in a real disaster or 
even a test, MS expects you to have connectivity to your root domain wherever it may 
be (on the other side of the world) AND access to that domain's Admin passwords or 
accounts OR enterprise admin just to get up and running, then they are clearly not 
living in this world.
AD was meant for the enterprise where a corp could have offices and domains all over 
the world. if in the event of disaster, we have to worry about isdn or T1 lines to the 
root and overcome all the politics of diff IT depts and security to beg for the 
enterprise password (even just for a simple test) JUST to get functional (not add or 
delete domains or modify the schema), then i'm ready to ditch AD for NDS or something 
more realistic.
what other reason could I have to connect to the root? what other secrets does it hold 
aside from the 2 roles?
does anyone know?
why doesn't MS tell you these things in their DR documentation? is it so obvious?
why is connectivity to the root never mentioned as key?
am i the idiot?
i'm willing to accept that, but what else does the root dc hold in terms of AD 
functionality?
thank you for all your help so far.

-Original Message- 
From: Mulnick, Al [mailto:[EMAIL PROTECTED] 
Sent: Wed 3/24/2004 4:28 PM 
To: '[EMAIL PROTECTED]' 
Cc: 
Subject: RE: [ActiveDir] disaster recovery


No, you need the root domain as it holds some of the roles etc.
 
In order for this to work, you need to restore the root domain as well.  I've 
found that doing this with a virtual server is sometimes easier but that just saves on 
hardware requirements.
 
 
Al

  _  

From: Kern, Tom [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 24, 2004 3:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery


yes. 
a quick question- can one restore an entire child domain without connectivity 
to the root domain?

-Original Message- 
From: Anderson Santos Patricio [mailto:[EMAIL PROTECTED] 
Sent: Wed 3/24/2004 2:58 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] disaster recovery


Are your zones set for Dynamic Updates = YES???
 
 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, 
Tom
Sent: quarta-feira, 24 de março de 2004 16:47
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery


restarting netlogon or registerdns does not work.
where is this copy of the root zone in my dns server? i don't think i 
have it by default. i had to transfer it on my dns server back home.
also if i had it, wouldn't creating an AD integrated dns server on my 
test DC also have it?
finally, when dc's replicate, do they look each other up in a gc?
i never had any gc srv records in my local domain zone, only in the 
root. is this normal?
thanks for your reply

-Original Message- 
From: Anderson Santos Patricio [mailto:[EMAIL PROTECTED] 
Sent: Wed 3/24/2004 2:16 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] disaster recovery


Hi Tom,
 
All registers of AD zones can be recovered with two commands:
 
restart netlogon service or ipconfig /registerdns
 
and all workstations will update your register in dns, or dhcp 
will ..
 
In Windows 2000 it is interesting to have a secondary zone of 
your root in your local dns server,
 
In Windows 2003 you can set the dns zone to Forest level; then this 
zone is replicated to all domain controllers in the forest.
 
Thanks in advance.
 


Anderson Patricio - Support Analyst
[EMAIL PROTECTED]

Microsoft Certified Systems Engineer on 2003/2000

Microsoft Certified

RE: [ActiveDir] Disaster Recovery Test

2004-02-27 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)
is the DC used for other things that you'd like to recover on the server?
If not, I would definitely chime into Al's suggestions = don't restore it
(if another DC is available), instead install a new OS and re-promote it.  

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED] 
Sent: Mittwoch, 25. Februar 2004 19:41
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Disaster Recovery Test

Why would you want to restore a dc in a domain that already has a working
dc? That seems like a waste of time and a big risk for the most part unless
there's a specific scenario that made you want to go that route.

Is AD integrated?  If not, did you backup/restore the domain zone file?  Why
restore the DNS zone file if you have a working one? Why not transfer it?

I know, I'm full of questions, but I'm trying to understand the scenario.
:)



-Original Message-
From: Jennifer Fountain [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 25, 2004 12:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery Test


It's on the same box and it's running.  I do have multiple DCs in my domain
and I am only restoring this one.  I assume this is the problem? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Wednesday, February 25, 2004 11:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery Test

So, where's the DNS server for domain.net?
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: Jennifer Fountain
Sent: Wed 2/25/2004 8:35 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Disaster Recovery Test


Hi Guys/Gals

I have hit a road block on my disaster recovery test on my test box.

Here is what I have done:

1.  Install Windows 2000
2.  Install latest Service Pack
5.  Restore C, D and system state while in Normal mode.  Deselect
boot.ini, ntldr and ntdetect.com before restoring.
6.  BEFORE YOU REBOOT, DO THE FOLLOWING:
*   Remove any NIC drivers
*   Remove any Video drivers
7.  Reboot into Directory Services Repair Mode
8.  Log in as the Directory Service Repair userid
9.  At a command prompt, type NTDSUTIL and then press ENTER. 
10. Type AUTHORITATIVE RESTORE and then press ENTER. 
11. Type RESTORE DATABASE, press ENTER, click OK, and then click
Yes.
12. Reboot and confirm the restore was successful.

When I boot, I cannot access the DNS for my local zone.  I have 4 zones,
domain.net, domain1.net etc.  I can nslookup all the other domains but not
the domain.net which is the main AD domain (when I look at system
properties, I do see the domain as domain.net)

Any thoughts on what I did wrong?

This is different hardware, I did not install DNS prior and I did not create
the AD infrastructure prior to reinstalling.


Kind Regards,

Jennifer Fountain
3400 E. Walnut Street
Colmar, PA 18915
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Disaster Recovery Test

2004-02-27 Thread joe
And I will chain into Guido's response with - don't put anything else on a
DC. Here is yet another reason if security and stability of your company
wasn't enough. :o)

Sorry, been working a lot; just happened to see this as I was popping
through my email folders and it was a quick response from the podium I could
send. :oP

 


-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Friday, February 27, 2004 9:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery Test

is the DC used for other things that you'd like to recover on the server?
If not, I would definitely chime into Al's suggestions = don't restore it
(if another DC is available), instead install a new OS and re-promote it.  

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Mittwoch, 25. Februar 2004 19:41
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Disaster Recovery Test

Why would you want to restore a dc in a domain that already has a working
dc? That seems like a waste of time and a big risk for the most part unless
there's a specific scenario that made you want to go that route.

Is AD integrated?  If not, did you backup/restore the domain zone file?  Why
restore the DNS zone file if you have a working one? Why not transfer it?

I know, I'm full of questions, but I'm trying to understand the scenario.
:)



-Original Message-
From: Jennifer Fountain [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 25, 2004 12:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery Test


It's on the same box and it's running.  I do have multiple DCs in my domain
and I am only restoring this one.  I assume this is the problem? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Wednesday, February 25, 2004 11:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery Test

So, where's the DNS server for domain.net?
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: Jennifer Fountain
Sent: Wed 2/25/2004 8:35 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Disaster Recovery Test


Hi Guys/Gals

I have hit a road block on my disaster recovery test on my test box.

Here is what I have done:

1.  Install Windows 2000
2.  Install latest Service Pack
5.  Restore C, D and system state while in Normal mode.  Deselect
boot.ini, ntldr and ntdetect.com before restoring.
6.  BEFORE YOU REBOOT, DO THE FOLLOWING:
*   Remove any NIC drivers
*   Remove any Video drivers
7.  Reboot into Directory Services Repair Mode
8.  Log in as the Directory Service Repair userid
9.  At a command prompt, type NTDSUTIL and then press ENTER. 
10. Type AUTHORITATIVE RESTORE and then press ENTER. 
11. Type RESTORE DATABASE, press ENTER, click OK, and then click
Yes.
12. Reboot and confirm the restore was successful.

When I boot, I cannot access the DNS for my local zone.  I have 4 zones,
domain.net, domain1.net etc.  I can nslookup all the other domains but not
the domain.net which is the main AD domain (when I look at system
properties, I do see the domain as domain.net)

Any thoughts on what I did wrong?

This is different hardware, I did not install DNS prior and I did not create
the AD infrastructure prior to reinstalling.


Kind Regards,

Jennifer Fountain
3400 E. Walnut Street
Colmar, PA 18915
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Disaster Recovery Test

2004-02-27 Thread Jennifer Fountain
The server is our bridge head - fizzmo master for the network.  We are here at sungard 
trying to restore critical server in case of a fire.  When I restore my bridge (I have 
5 other DCs at my remote locations and they are not here), I get those errors in the 
log. No other server is available so I can repromote it.  I have told my bosses this 
but they want to perform as if our wan is down.

Any thoughts? Is this possible to restore the server without the others online?

Thanks
Jennifer 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO 
(HP-Germany,ex1)
Sent: Friday, February 27, 2004 9:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery Test

is the DC used for other things that you'd like to recover on the server?
If not, I would definitely chime into Al's suggestions = don't restore it (if another 
DC is available), instead install a new OS and re-promote it.  

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Mittwoch, 25. Februar 2004 19:41
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Disaster Recovery Test

Why would you want to restore a dc in a domain that already has a working dc? That 
seems like a waste of time and a big risk for the most part unless there's a specific 
scenario that made you want to go that route.

Is AD integrated?  If not, did you backup/restore the domain zone file?  Why restore 
the DNS zone file if you have a working one? Why not transfer it?

I know, I'm full of questions, but I'm trying to understand the scenario.
:)



-Original Message-
From: Jennifer Fountain [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 25, 2004 12:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery Test


It's on the same box and it's running.  I do have multiple DCs in my domain
and I am only restoring this one.  I assume this is the problem? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Wednesday, February 25, 2004 11:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery Test

So, where's the DNS server for domain.net?
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: Jennifer Fountain
Sent: Wed 2/25/2004 8:35 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Disaster Recovery Test


Hi Guys/Gals

I have hit a road block on my disaster recovery test on my test box.

Here is what I have done:

1.  Install Windows 2000
2.  Install latest Service Pack
5.  Restore C, D and system state while in Normal mode.  Deselect
boot.ini, ntldr and ntdetect.com before restoring.
6.  BEFORE YOU REBOOT, DO THE FOLLOWING:
*   Remove any NIC drivers
*   Remove any Video drivers
7.  Reboot into Directory Services Repair Mode
8.  Log in as the Directory Service Repair userid
9.  At a command prompt, type NTDSUTIL and then press ENTER. 
10. Type AUTHORITATIVE RESTORE and then press ENTER. 
11. Type RESTORE DATABASE, press ENTER, click OK, and then click
Yes.
12. Reboot and confirm the restore was successful.

When I boot, I cannot access the DNS for my local zone.  I have 4 zones,
domain.net, domain1.net etc.  I can nslookup all the other domains but not
the domain.net which is the main AD domain (when I look at system
properties, I do see the domain as domain.net)

Any thoughts on what I did wrong?

This is different hardware, I did not install DNS prior and I did not create
the AD infrastructure prior to reinstalling.


Kind Regards,

Jennifer Fountain
3400 E. Walnut Street
Colmar, PA 18915
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Disaster Recovery Test

2004-02-27 Thread Jennifer Fountain
The machine is only a DC. Nothing else (Well, DNS server - active directory 
integrated.) 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, February 27, 2004 9:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery Test

And I will chain into Guido's response with - don't put anything else on a DC. Here is 
yet another reason if security and stability of your company wasn't enough. :o)

Sorry, been working a lot; just happened to see this as I was popping through my email 
folders and it was a quick response from the podium I could send. :oP

 


-
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Friday, February 27, 2004 9:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery Test

is the DC used for other things that you'd like to recover on the server?
If not, I would definitely chime into Al's suggestions = don't restore it (if another 
DC is available), instead install a new OS and re-promote it.  

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Mittwoch, 25. Februar 2004 19:41
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Disaster Recovery Test

Why would you want to restore a dc in a domain that already has a working dc? That 
seems like a waste of time and a big risk for the most part unless there's a specific 
scenario that made you want to go that route.

Is AD integrated?  If not, did you backup/restore the domain zone file?  Why restore 
the DNS zone file if you have a working one? Why not transfer it?

I know, I'm full of questions, but I'm trying to understand the scenario.
:)



-Original Message-
From: Jennifer Fountain [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 25, 2004 12:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery Test


It's on the same box and it's running.  I do have multiple DCs in my domain and I am 
only restoring this one.  I assume this is the problem? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Wednesday, February 25, 2004 11:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery Test

So, where's the DNS server for domain.net?
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon



From: Jennifer Fountain
Sent: Wed 2/25/2004 8:35 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Disaster Recovery Test


Hi Guys/Gals

I have hit a road block on my disaster recovery test on my test box.

Here is what I have done:

1.  Install Windows 2000
2.  Install latest Service Pack
5.  Restore C, D and system state while in Normal mode.  Deselect
boot.ini, ntldr and ntdetect.com before restoring.
6.  BEFORE YOU REBOOT, DO THE FOLLOWING:
*   Remove any NIC drivers
*   Remove any Video drivers
7.  Reboot into Directory Services Repair Mode
8.  Log in as the Directory Service Repair userid
9.  At a command prompt, type NTDSUTIL and then press ENTER. 
10. Type AUTHORITATIVE RESTORE and then press ENTER. 
11. Type RESTORE DATABASE, press ENTER, click OK, and then click
Yes.
12. Reboot and confirm the restore was successful.

When I boot, I cannot access the DNS for my local zone.  I have 4 zones, domain.net, 
domain1.net etc.  I can nslookup all the other domains but not the domain.net which is 
the main AD domain (when I look at system properties, I do see the domain as 
domain.net)

Any thoughts on what I did wrong?

This is different hardware, I did not install DNS prior and I did not create the AD 
infrastructure prior to reinstalling.


Kind Regards,

Jennifer Fountain
3400 E. Walnut Street
Colmar, PA 18915
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Disaster Recovery Test

2004-02-27 Thread Coleman, Hunter
Jennifer-

We've done these drills and after a few bumpy starts, it's not a big deal
anymore. You will likely have to do a metadata cleanup to remove references
to the other (unavailable) DCs, unless you plan to restore them as well.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;216498

We haven't seen the DNS issue that you're hitting. After you restore the DC,
can you see the DNS zone for your AD namespace in the DNS snap-in? Is it
there but empty? Dynamic updates enabled? Is the restored DC pointing to
itself for DNS, and are the IP addresses correct?

Hunter

-Original Message-
From: Jennifer Fountain [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 27, 2004 9:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery Test

The server is our bridge head - fizzmo master for the network.  We are here
at sungard trying to restore critical server in case of a fire.  When I
restore my bridge (I have 5 other DCs at my remote locations and they are
not here), I get those errors in the log. No other server is available so I
can repromote it.  I have told my bosses this but they want to perform as if
our wan is down.

Any thoughts? Is this possible to restore the server without the others
online?

Thanks
Jennifer 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Friday, February 27, 2004 9:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery Test

is the DC used for other things that you'd like to recover on the server?
If not, I would definitely chime into Al's suggestions = don't restore it
(if another DC is available), instead install a new OS and re-promote it.  

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Mittwoch, 25. Februar 2004 19:41
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Disaster Recovery Test

Why would you want to restore a dc in a domain that already has a working
dc? That seems like a waste of time and a big risk for the most part unless
there's a specific scenario that made you want to go that route.

Is AD integrated?  If not, did you backup/restore the domain zone file?  Why
restore the DNS zone file if you have a working one? Why not transfer it?

I know, I'm full of questions, but I'm trying to understand the scenario.
:)



-Original Message-
From: Jennifer Fountain [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 25, 2004 12:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery Test


It's on the same box and it's running.  I do have multiple DCs in my domain
and I am only restoring this one.  I assume this is the problem? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Wednesday, February 25, 2004 11:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery Test

So, where's the DNS server for domain.net?
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: Jennifer Fountain
Sent: Wed 2/25/2004 8:35 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Disaster Recovery Test


Hi Guys/Gals

I have hit a road block on my disaster recovery test on my test box.

Here is what I have done:

1.  Install Windows 2000
2.  Install latest Service Pack
5.  Restore C, D and system state while in Normal mode.  Deselect
boot.ini, ntldr and ntdetect.com before restoring.
6.  BEFORE YOU REBOOT, DO THE FOLLOWING:
*   Remove any NIC drivers
*   Remove any Video drivers
7.  Reboot into Directory Services Repair Mode
8.  Log in as the Directory Service Repair userid
9.  At a command prompt, type NTDSUTIL and then press ENTER. 
10. Type AUTHORITATIVE RESTORE and then press ENTER. 
11. Type RESTORE DATABASE, press ENTER, click OK, and then click
Yes.
12. Reboot and confirm the restore was successful.

When I boot, I cannot access the DNS for my local zone.  I have 4 zones,
domain.net, domain1.net etc.  I can nslookup all the other domains but not
the domain.net which is the main AD domain (when I look at system
properties, I do see the domain as domain.net)

Any thoughts on what I did wrong?

This is different hardware, I did not install DNS prior and I did not create
the AD infrastructure prior to reinstalling.


Kind Regards,

Jennifer Fountain
3400 E. Walnut Street
Colmar, PA 18915
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Disaster Recovery Test

2004-02-27 Thread Jennifer Fountain
Thanks for all the information.  We got it working! 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Friday, February 27, 2004 2:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery Test

Bingo!

DNS isn't coming up until SYSVOL comes up, and SYSVOL isn't coming up until AD 
contacts its replication partners.

Solution, as per Mr. Coleman's note is to remove references to the other non-restored 
DCs. This is tedious for more than a few DCs, but straight-forward (the guy that wrote 
ntdsutil MUST have been a COBOL programmer).

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Friday, February 27, 2004 12:28 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Disaster Recovery Test


Jennifer-

We've done these drills and after a few bumpy starts, it's not a big deal anymore. You 
will likely have to do a metadata cleanup to remove references to the other 
(unavailable) DCs, unless you plan to restore them as well. 
http://support.microsoft.com/default.aspx?scid=kb;EN-US;216498

We haven't seen the DNS issue that you're hitting. After you restore the DC, can you 
see the DNS zone for your AD namespace in the DNS snap-in? Is it there but empty? 
Dynamic updates enabled? Is the restored DC pointing to itself for DNS, and are the IP 
addresses correct?

Hunter

-Original Message-
From: Jennifer Fountain [mailto:[EMAIL PROTECTED]
Sent: Friday, February 27, 2004 9:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery Test

The server is our bridge head - fizzmo master for the network.  We are here at sungard 
trying to restore critical server in case of a fire.  When I restore my bridge (I have 
5 other DCs at my remote locations and they are not here), I get those errors in the 
log. No other server is available so I can repromote it.  I have told my bosses this 
but they want to perform as if our wan is down.

Any thoughts? Is this possible to restore the server without the others online?

Thanks
Jennifer 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Friday, February 27, 2004 9:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery Test

is the DC used for other things that you'd like to recover on the server? If not, I 
would definitely chime into Al's suggestions = don't restore it (if another DC is 
available), instead install a new OS and re-promote it.  

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Mittwoch, 25. Februar 2004 19:41
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Disaster Recovery Test

Why would you want to restore a dc in a domain that already has a working dc? That 
seems like a waste of time and a big risk for the most part unless there's a specific 
scenario that made you want to go that route.

Is AD integrated?  If not, did you backup/restore the domain zone file?  Why restore 
the DNS zone file if you have a working one? Why not transfer it?

I know, I'm full of questions, but I'm trying to understand the scenario.
:)



-Original Message-
From: Jennifer Fountain [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 25, 2004 12:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery Test


It's on the same box and it's running.  I do have multiple DCs in my domain and I am 
only restoring this one.  I assume this is the problem? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Wednesday, February 25, 2004 11:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery Test

So, where's the DNS server for domain.net?
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon



From: Jennifer Fountain
Sent: Wed 2/25/2004 8:35 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Disaster Recovery Test


Hi Guys/Gals

I have hit a road block on my disaster recovery test on my test box.

Here is what I have done:

1.  Install Windows 2000
2.  Install latest Service Pack
5.  Restore C, D and system state while in Normal mode.  Deselect
boot.ini, ntldr and ntdetect.com before restoring.
6.  BEFORE YOU REBOOT, DO THE FOLLOWING:
*   Remove any NIC drivers
*   Remove any Video drivers
7.  Reboot into Directory Services Repair Mode
8.  Log in as the Directory Service Repair userid
9.  At a command prompt, type NTDSUTIL and then press ENTER. 
10. Type AUTHORITATIVE RESTORE and then press ENTER. 
11. Type RESTORE DATABASE, press ENTER, click OK, and then click
Yes.
12. Reboot and confirm the restore was successful.

When I boot, I cannot access the DNS for my local zone.  I have 4 zones
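
The metadata cleanup that Hunter Coleman's and Ken Cornetet's messages above point to (KB 216498), written out as an added illustration that is not part of any list member's post: the interactive ntdsutil sequence, run on the restored DC, for removing the reference to one DC that was not restored. DC01 stands in for the restored DC's own name and each <n> is the index shown by the preceding list command; both are placeholders.

```text
C:\> ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: connections
server connections: connect to server DC01        <- placeholder: the restored DC itself
server connections: quit
metadata cleanup: select operation target
select operation target: list domains
select operation target: select domain <n>        <- index of the AD domain (domain.net in this thread)
select operation target: list sites
select operation target: select site <n>          <- site that holds the unavailable DC
select operation target: list servers in site
select operation target: select server <n>        <- the unavailable DC, never the restored one
select operation target: quit
metadata cleanup: remove selected server          <- confirm the prompt that appears
metadata cleanup: quit
ntdsutil: quit
```

Repeat the select site / select server / remove selected server steps for each DC that was not restored. Afterwards, `net share` should list SYSVOL and NETLOGON once SYSVOL is up, and `nslookup domain.net` confirms that the AD zone answers.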

RE: [ActiveDir] Disaster Recovery Test

2004-02-25 Thread deji Agba



So, where's the DNS server for domain.net?




Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Jennifer Fountain
Sent: Wed 2/25/2004 8:35 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Disaster Recovery Test

Hi Guys/Gals

I have hit a road block on my disaster recovery test on my test box.

Here is what I have done:

1.	Install Windows 2000
2.	Install latest Service Pack
5.	Restore C, D and system state while in "Normal" mode.  Deselect
boot.ini, ntldr and ntdetect.com before restoring.
6.	BEFORE YOU REBOOT, DO THE FOLLOWING:
*	Remove any NIC drivers
*	Remove any Video drivers
7.	Reboot into Directory Services Repair Mode
8.	Log in as the Directory Service Repair userid
9.	At a command prompt, type "NTDSUTIL" and then press ENTER. 
10.	Type "AUTHORITATIVE RESTORE" and then press ENTER. 
11.	Type "RESTORE DATABASE", press ENTER, click OK, and then click
Yes.
12.	Reboot and confirm the restore was successful.

When I boot, I cannot access the DNS for my local zone.  I have 4 zones,
domain.net, domain1.net etc.  I can nslookup all the other domains but
not the domain.net which is the "main" AD domain (when I look at system
properties, I do see the domain as domain.net)

Any thoughts on what I did wrong?

This is different hardware, I did not install DNS prior and I did not
create the AD infrastructure prior to reinstalling.


Kind Regards,

Jennifer Fountain
3400 E. Walnut Street
Colmar, PA 18915
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Disaster Recovery Test

2004-02-25 Thread Jennifer Fountain
It's on the same box and it's running.  I do have multiple DCs in my domain and I am 
only restoring this one.  I assume this is the problem? 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Wednesday, February 25, 2004 11:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery Test

So, where's the DNS server for domain.net?
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon



From: Jennifer Fountain
Sent: Wed 2/25/2004 8:35 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Disaster Recovery Test


Hi Guys/Gals

I have hit a road block on my disaster recovery test on my test box.

Here is what I have done:

1.  Install Windows 2000
2.  Install latest Service Pack
5.  Restore C, D and system state while in Normal mode.  Deselect
boot.ini, ntldr and ntdetect.com before restoring.
6.  BEFORE YOU REBOOT, DO THE FOLLOWING:
*   Remove any NIC drivers
*   Remove any Video drivers
7.  Reboot into Directory Services Repair Mode
8.  Log in as the Directory Service Repair userid
9.  At a command prompt, type NTDSUTIL and then press ENTER. 
10. Type AUTHORITATIVE RESTORE and then press ENTER. 
11. Type RESTORE DATABASE, press ENTER, click OK, and then click
Yes.
12. Reboot and confirm the restore was successful.

When I boot, I cannot access the DNS for my local zone.  I have 4 zones, domain.net, 
domain1.net etc.  I can nslookup all the other domains but not the domain.net which is 
the main AD domain (when I look at system properties, I do see the domain as 
domain.net)

Any thoughts on what I did wrong?

This is different hardware, I did not install DNS prior and I did not create the AD 
infrastructure prior to reinstalling.


Kind Regards,

Jennifer Fountain
3400 E. Walnut Street
Colmar, PA 18915
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Disaster Recovery Test

2004-02-25 Thread Mulnick, Al
Why would you want to restore a dc in a domain that already has a working
dc? That seems like a waste of time and a big risk for the most part unless
there's a specific scenario that made you want to go that route.

Is AD integrated?  If not, did you backup/restore the domain zone file?  Why
restore the DNS zone file if you have a working one? Why not transfer it?

I know, I'm full of questions, but I'm trying to understand the scenario.
:)



-Original Message-
From: Jennifer Fountain [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 25, 2004 12:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery Test


It's on the same box and it's running.  I do have multiple DCs in my domain
and I am only restoring this one.  I assume this is the problem? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Wednesday, February 25, 2004 11:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery Test

So, where's the DNS server for domain.net?
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: Jennifer Fountain
Sent: Wed 2/25/2004 8:35 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Disaster Recovery Test


Hi Guys/Gals

I have hit a road block on my disaster recovery test on my test box.

Here is what I have done:

1.  Install Windows 2000
2.  Install latest Service Pack
5.  Restore C, D and system state while in Normal mode.  Deselect
boot.ini, ntldr and ntdetect.com before restoring.
6.  BEFORE YOU REBOOT, DO THE FOLLOWING:
*   Remove any NIC drivers
*   Remove any Video drivers
7.  Reboot into Directory Services Repair Mode
8.  Log in as the Directory Service Repair userid
9.  At a command prompt, type NTDSUTIL and then press ENTER. 
10. Type AUTHORITATIVE RESTORE and then press ENTER. 
11. Type RESTORE DATABASE, press ENTER, click OK, and then click
Yes.
12. Reboot and confirm the restore was successful.

When I boot, I cannot access the DNS for my local zone.  I have 4 zones,
domain.net, domain1.net etc.  I can nslookup all the other domains but not
the domain.net which is the main AD domain (when I look at system
properties, I do see the domain as domain.net)

Any thoughts on what I did wrong?

This is different hardware, I did not install DNS prior and I did not create
the AD infrastructure prior to reinstalling.


Kind Regards,

Jennifer Fountain
3400 E. Walnut Street
Colmar, PA 18915
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



Re: [ActiveDir] Disaster Recovery

2004-02-08 Thread Fons Botman
Hello,

Please log on again in DSRM mode or use something like Winternals sysadmin
pack to check the eventlog. Maybe networking is off due to different
hardware or SYSVOL/RID problems.

Fons

 -- Original Message --
 Wrom: HJYFMYXOEAIJJPHSCRTNHGSWZIDREXCAXZOWCONEUQZAAFXI
 Reply-To: [EMAIL PROTECTED]
 Date:  Wed, 4 Feb 2004 08:13:25 -0600


 We're having an issue testing our disaster recovery plan.  We backed up
our
 FSMO role holding domain controller including system state, dns, dhcp -
all
 services that were on the box.  We then restored it onto a server in our
lab
 (in DSRestore mode and off the production network), and it restored OK,
but
 it won't let us log into the domain - it's saying the domain isn't
available
 (even though it's a domain controller we're trying to log into!)

 Any ideas?




RE: [ActiveDir] Disaster Recovery

2004-02-07 Thread joe
I would be really curious to know what if any traffic was being sent from
that box across the network. 

I do agree that a domain admin should be able to log on without the GC. 

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Thursday, February 05, 2004 11:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery

It should be possible to log on locally as a domain admin without needing a
GC. Without DNS it should also be possible, although it's very slow.

Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Thursday, February 05, 2004 02:55
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery

More likely the missing GC than DNS, when you're local on the box.  So
disabling the requirement for needing a GC may be worthwhile for your
situation as an interim solution.

/Guido 

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]
Sent: Mittwoch, 4. Februar 2004 17:20
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Disaster Recovery

What does the DNS info look like?  In other words, is the machine pointing
to itself for DNS resolution or another machine?

If the DC is not configured as a GC you will not be able to log in unless
you are using a domain admin account, or have implemented the registry hack
to disable GC login requirement.

Tony
-- Original Message --
Wrom: HJYFMYXOEAIJJPHSCRTNHGSWZIDREXCAXZOWCONEUQZAAFXI
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 4 Feb 2004 08:13:25 -0600 


We're having an issue testing our disaster recovery plan.  We backed up our
FSMO role holding domain controller including system state, dns, dhcp - all
services that were on the box.  We then restored it onto a server in our lab
(in DSRestore mode and off the production network), and it restored OK, but
it won't let us log into the domain - it's saying the domain isn't available
(even though it's a domain controller we're trying to log into!)

Any ideas?



RE: [ActiveDir] Disaster Recovery

2004-02-05 Thread Rimmerman, Russ

Sorry for my ignorance, but how do you disable the requirement for needing a
GC?  We're still struggling with this process of restoring a DC.

Thanks,
Russ 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Wednesday, February 04, 2004 7:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery

More likely the missing GC than DNS, when you're local on the box.  So
disabling the requirement for needing a GC may be worthwhile for your
situation as an interim solution.

/Guido 

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]
Sent: Mittwoch, 4. Februar 2004 17:20
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Disaster Recovery

What does the DNS info look like?  In other words, is the machine pointing
to itself for DNS resolution or another machine?

If the DC is not configured as a GC you will not be able to log in unless
you are using a domain admin account, or have implemented the registry hack
to disable GC login requirement.

Tony
-- Original Message --
Wrom: HJYFMYXOEAIJJPHSCRTNHGSWZIDREXCAXZOWCONEUQZAAFXI
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 4 Feb 2004 08:13:25 -0600 


We're having an issue testing our disaster recovery plan.  We backed up our
FSMO role holding domain controller including system state, dns, dhcp - all
services that were on the box.  We then restored it onto a server in our lab
(in DSRestore mode and off the production network), and it restored OK, but
it won't let us log into the domain - it's saying the domain isn't available
(even though it's a domain controller we're trying to log into!)

Any ideas?



RE: [ActiveDir] Disaster Recovery

2004-02-05 Thread Tony Murray
Assuming you're W2K:

http://support.microsoft.com/default.aspx?scid=kb;[LN];241789

Tony

-- Original Message --
From: Rimmerman, Russ [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 5 Feb 2004 08:25:35 -0600 


Sorry for my ignorance, but how do you disable the requirement for needing a
GC?  We're still struggling with this process of restoring a DC.

Thanks,
Russ 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Wednesday, February 04, 2004 7:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery

More likely the missing GC than DNS, when you're local on the box.  So
disabling the requirement for needing a GC may be worthwhile for your
situation as an interim solution.

/Guido 

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]
Sent: Mittwoch, 4. Februar 2004 17:20
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Disaster Recovery

What does the DNS info look like?  In other words, is the machine pointing
to itself for DNS resolution or another machine?

If the DC is not configured as a GC you will not be able to log in unless
you are using a domain admin account, or have implemented the registry hack
to disable GC login requirement.

Tony
-- Original Message --
Wrom: HJYFMYXOEAIJJPHSCRTNHGSWZIDREXCAXZOWCONEUQZAAFXI
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 4 Feb 2004 08:13:25 -0600 


We're having an issue testing our disaster recovery plan.  We backed up our
FSMO role holding domain controller including system state, dns, dhcp - all
services that were on the box.  We then restored it onto a server in our lab
(in DSRestore mode and off the production network), and it restored OK, but
it won't let us log into the domain - it's saying the domain isn't available
(even though it's a domain controller we're trying to log into!)

Any ideas?



RE: [ActiveDir] Disaster Recovery

2004-02-05 Thread Jorge de Almeida Pinto
Hi Russ,

Check out the following:

Q216970: Global Catalog Server Requirement for User and Computer Logon 
Q241789: How to Disable the Requirement that a Global Catalog Server Be
Available to Validate User Logons

Regards,
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Thursday, February 05, 2004 15:26
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Disaster Recovery


Sorry for my ignorance, but how do you disable the requirement for needing a
GC?  We're still struggling with this process of restoring a DC.

Thanks,
Russ 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Wednesday, February 04, 2004 7:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery

More likely the missing GC than DNS, when you're local on the box.  So
disabling the requirement for needing a GC may be worthwhile for your
situation as an interim solution.

/Guido 

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]
Sent: Mittwoch, 4. Februar 2004 17:20
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Disaster Recovery

What does the DNS info look like?  In other words, is the machine pointing
to itself for DNS resolution or another machine?

If the DC is not configured as a GC you will not be able to log in unless
you are using a domain admin account, or have implemented the registry hack
to disable GC login requirement.

Tony
-- Original Message --
Wrom: HJYFMYXOEAIJJPHSCRTNHGSWZIDREXCAXZOWCONEUQZAAFXI
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 4 Feb 2004 08:13:25 -0600 


We're having an issue testing our disaster recovery plan.  We backed up our
FSMO role holding domain controller including system state, dns, dhcp - all
services that were on the box.  We then restored it onto a server in our lab
(in DSRestore mode and off the production network), and it restored OK, but
it won't let us log into the domain - it's saying the domain isn't available
(even though it's a domain controller we're trying to log into!)

Any ideas?

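The checks raised in this thread for a restored DC (where its DNS client points, whether the AD zone and DC locator records resolve, whether it is a GC, and whether the Q241789 workaround is set), collected into one script as an added example that is not part of any poster's message. It assumes PowerShell with the DnsClient and NetTCPIP modules (Windows Server 2012 or later); `domain.net` is the thread's placeholder name, and the parameter and function names are hypothetical.

```powershell
# Added example: post-restore sanity checks for a restored domain controller.
# Assumptions: run elevated on the restored DC after a normal boot (not DSRM),
# PowerShell 3+ with the DnsClient and NetTCPIP modules (Server 2012 or later).
# Parameter names are illustrative; 'domain.net' is the thread's placeholder.
param(
    [string]$AdDomain   = 'domain.net',   # DNS name of the AD domain
    [string]$ForestRoot = $AdDomain,      # forest root domain (GC records live here)
    [string]$DnsServer  = '127.0.0.1'     # DNS service on the restored DC itself
)

$report = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [string]$Status, [string]$Detail) {
    $report.Add([pscustomobject]@{ Check = $Name; Status = $Status; Detail = $Detail })
}

# 1. Is the machine pointing to itself for DNS resolution or to another machine?
$localIps   = @(Get-NetIPAddress -AddressFamily IPv4 | ForEach-Object { $_.IPAddress })
$configured = @(Get-DnsClientServerAddress -AddressFamily IPv4 |
                ForEach-Object { $_.ServerAddresses } | Sort-Object -Unique)
$foreign    = @($configured | Where-Object { $_ -notin $localIps })
if ($configured.Count -eq 0) {
    Add-Check 'DNS client' 'FAIL' 'No DNS server configured on any interface'
} elseif ($foreign.Count -gt 0) {
    Add-Check 'DNS client' 'WARN' ('Points at other machines: ' + ($foreign -join ', '))
} else {
    Add-Check 'DNS client' 'PASS' ('Points only at itself: ' + ($configured -join ', '))
}

# 2. Does the local DNS service answer for the AD zone and the DC locator records?
$queries = @(
    @{ Name = $AdDomain;                             Type = 'SOA' },
    @{ Name = "_ldap._tcp.dc._msdcs.$AdDomain";      Type = 'SRV' },
    @{ Name = "_kerberos._tcp.dc._msdcs.$AdDomain";  Type = 'SRV' },
    @{ Name = "_ldap._tcp.pdc._msdcs.$AdDomain";     Type = 'SRV' },
    @{ Name = "_ldap._tcp.gc._msdcs.$ForestRoot";    Type = 'SRV' }
)
foreach ($q in $queries) {
    $label   = "$($q.Type) $($q.Name)"
    $dnsArgs = @{ Name = $q.Name; Type = $q.Type; Server = $DnsServer
                  DnsOnly = $true; ErrorAction = 'Stop' }
    try {
        # Keep only answer-section records of the type that was asked for;
        # a name that exists without such a record returns no answer rows.
        $answer = @(Resolve-DnsName @dnsArgs |
                    Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq $q.Type })
        if ($answer.Count -gt 0) {
            $target = if ($q.Type -eq 'SRV') { $answer.NameTarget } else { $answer.PrimaryServer }
            Add-Check $label 'PASS' (@($target) -join ', ')
        } else {
            Add-Check $label 'FAIL' 'Name exists but holds no such record'
        }
    } catch {
        Add-Check $label 'FAIL' $_.Exception.Message
    }
}

# 3. Does the restored DC report itself as a global catalog?
try {
    $rootDse = [ADSI]'LDAP://localhost/RootDSE'
    if ([string]$rootDse.isGlobalCatalogReady -eq 'TRUE') {
        Add-Check 'Global catalog' 'PASS' 'isGlobalCatalogReady is TRUE'
    } else {
        Add-Check 'Global catalog' 'WARN' 'DC does not report itself as a global catalog'
    }
} catch {
    Add-Check 'Global catalog' 'FAIL' ('Cannot read RootDSE: ' + $_.Exception.Message)
}

# 4. Is the Q241789 workaround in place? (key name as documented in that article)
$gcKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\IgnoreGCFailures'
if (Test-Path -Path $gcKey) {
    Add-Check 'IgnoreGCFailures' 'WARN' 'Q241789 workaround key is present; remove it once a GC is reachable'
} else {
    Add-Check 'IgnoreGCFailures' 'INFO' 'Q241789 workaround key is not present'
}

$report | Format-Table -AutoSize -Wrap
if ($report.Status -contains 'FAIL') { exit 1 }
```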


RE: [ActiveDir] Disaster Recovery

2004-02-05 Thread Jorge de Almeida Pinto
It should be possible to log on locally as a domain admin without needing a
GC. Without DNS it should also be possible, although it's very slow.

Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Thursday, February 05, 2004 02:55
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster Recovery

More likely the missing GC than DNS, when you're local on the box.  So
disabling the requirement for needing a GC may be worthwhile for your
situation as an interim solution.

/Guido 

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]
Sent: Mittwoch, 4. Februar 2004 17:20
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Disaster Recovery

What does the DNS info look like?  In other words, is the machine pointing
to itself for DNS resolution or another machine?

If the DC is not configured as a GC you will not be able to log in unless
you are using a domain admin account, or have implemented the registry hack
to disable GC login requirement.

Tony
-- Original Message --
Wrom: HJYFMYXOEAIJJPHSCRTNHGSWZIDREXCAXZOWCONEUQZAAFXI
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 4 Feb 2004 08:13:25 -0600 


We're having an issue testing our disaster recovery plan.  We backed up our
FSMO role holding domain controller including system state, dns, dhcp - all
services that were on the box.  We then restored it onto a server in our lab
(in DSRestore mode and off the production network), and it restored OK, but
it won't let us log into the domain - it's saying the domain isn't available
(even though it's a domain controller we're trying to log into!)

Any ideas?



Re: [ActiveDir] Disaster Recovery

2004-02-04 Thread Tony Murray
What does the DNS info look like?  In other words, is the machine pointing to itself 
for DNS resolution or another machine?

If the DC is not configured as a GC you will not be able to log in unless you are 
using a domain admin account, or have implemented the registry hack to disable GC 
login requirement.

Tony
-- Original Message --
Wrom: HJYFMYXOEAIJJPHSCRTNHGSWZIDREXCAXZOWCONEUQZAAFXI
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 4 Feb 2004 08:13:25 -0600 


We're having an issue testing our disaster recovery plan.  We backed up our
FSMO role holding domain controller including system state, dns, dhcp - all
services that were on the box.  We then restored it onto a server in our lab
(in DSRestore mode and off the production network), and it restored OK, but
it won't let us log into the domain - it's saying the domain isn't available
(even though it's a domain controller we're trying to log into!)

Any ideas?



RE: [ActiveDir] Disaster Recovery

2004-02-04 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)
More likely the missing GC than DNS, when you're local on the box.  So
disabling the requirement for needing a GC may be worthwhile for your
situation as an interim solution.

/Guido 

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED] 
Sent: Mittwoch, 4. Februar 2004 17:20
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Disaster Recovery

What does the DNS info look like?  In other words, is the machine pointing
to itself for DNS resolution or another machine?

If the DC is not configured as a GC you will not be able to log in unless
you are using a domain admin account, or have implemented the registry hack
to disable GC login requirement.

Tony
-- Original Message --
Wrom: HJYFMYXOEAIJJPHSCRTNHGSWZIDREXCAXZOWCONEUQZAAFXI
Reply-To: [EMAIL PROTECTED]
Date:  Wed, 4 Feb 2004 08:13:25 -0600 


We're having an issue testing our disaster recovery plan.  We backed up our
FSMO role holding domain controller including system state, dns, dhcp - all
services that were on the box.  We then restored it onto a server in our lab
(in DSRestore mode and off the production network), and it restored OK, but
it won't let us log into the domain - it's saying the domain isn't available
(even though it's a domain controller we're trying to log into!)

Any ideas?



RE: [ActiveDir] Disaster recovery scenario comments requested.

2003-08-14 Thread Chianese, David P.
That was my major concern too Hunter.  Although we have not seen this in the
lab, I am wondering in a more complex environment (like production) if the
beast will rear its ugly head then.  That would be bad, very bad.

Btw, thanks to all of you for the comments and scenario recommendations.
Much appreciated!

Dave 

-Original Message-
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 10:40 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Disaster recovery scenario comments requested.


My biggest concern in this case is that you end up with an offline backup of
the AD database, so you could be happily backing up a database with
page-level corruption. Running a couple of virtual DCs on different physical
hardware should minimize the risk of -1018 errors, though. Has anyone seen
low level corruption of an ntds.dit database?

Hunter 

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 08, 2003 9:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster recovery scenario comments requested.

Actually VMWare or more likely Virtual Server are what we are *starting* to
look at for a DR system. Basically the idea is to have a couple of nice
sized Physical Servers running multiple virtual servers that are domain
controllers for all Domains in the Forest. Every night one of the P-Servers
shuts down all of the Virtuals and copies off the disk images to some other
location for backup to tape. The next night the other P-Server does it. 

The beauty of this solution is that physical hardware becomes a lot less
important for your DR site or your test lab (yes you could bring these
images back up in a *segregated* test lab for testing of your production AD
and data...). You simply load up your server and then install your
virtualization software and then fire up your images and you are off to the
races... 

We actually just got the hardware in for this, which we will use to develop
the solution against the test environment and then once comfortable with it
will go prod with it. 

Personally I think this is about the most flexible and safe DR solution you
can have. I am not one for restoring AD from system state dumps. 

  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chianese, David P.
Sent: Friday, August 08, 2003 7:04 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Disaster recovery scenario comments requested.


That would obviously kill the ghost image idea. I do however like the laptop
and more graceful way of transferring roles at the DR site.  I think I
hear the chimes of VMWare ESX Server calling.  Thanks for the feedback Don.
I see another idea in my head now too.  Alas, it's Friday and I'm late for
Happy Hour

-Dave

-Original Message-
From: Don Guyer [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 5:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster recovery scenario comments requested.


David,

We use similar methodology for our DR tests, by keeping a laptop
running as a DC on our live network, then transferring FSMO roles at the DR
site. This has worked flawlessly for us. We are now looking to be able to
restore our AD environment to a totally different server. Problem is, when we
do DR testing we usually get Compaq hardware, whereas we are a Dell shop
here.

Don Guyer
IS Dept
Citadel FCU
Ph: 610.380.7072
Fax: 610.380.7008
[EMAIL PROTECTED]


-Original Message-
From: Chianese, David P. [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 1:17 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Disaster recovery scenario comments requested.


All, 

I want to run this DR situation by the group and see if anyone else can
identify any gotchas in the process.  We are currently testing out a DR
scenario that involves off-site Domain controllers at a recovery center.
During normal operations the DR DCs are linked to our network via VPN and
fractional T1 line in order for replication to occur.  When we declare a DR
test or go into a live DR situation where one of our sites becomes
unavailable for an extended period of time due to an outage, network issue
or terrorist incident (remember 9/11?) we bring the DR site up, seize the
PDC emulator role (to add workstations, accounts and perform other urgent
replication) and let our clients continue operations in all of our remote
locations with little interruption of service.

Now, here is the hard part.  When DR is over we disconnect the DR DC from
the wire and delpart.exe (format/fdisk for ntfs) all of the partitions.  The
site that was down is then restored and the PDC emulator role is back to its
original state.  We then take the DR DC and apply a ghosted image of the
server as it was when it was first dcpromo'd and let it catch up on
replication.  This so far has worked flawlessly in the lab.  We avoid doing
the metadata cleanup of the server since nothing has really changed on the
DR DC

RE: [ActiveDir] Disaster recovery scenario comments requested.

2003-08-14 Thread Coleman, Hunter
Don-

We're in the same spot, with production DCs running on Dell and DR hardware
often being Compaq. We've found that KB810161
(http://support.microsoft.com/default.aspx?scid=kb;en-us;810161) has been
important to successfully accomplishing the restores. Recently, we've also
found building the Compaq boxes with a SmartStart CD, instead of using
an OS CD + specific drivers, to be much less painful. The IBM boxes that
we've done test restores to have been less picky.

Hunter 

-Original Message-
From: Don Guyer [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 08, 2003 3:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster recovery scenario comments requested.

David,

We use similar methodology for our DR tests, by keeping a laptop
running as a DC on our live network, then transferring FSMO roles at the DR
site. This has worked flawlessly for us. We are now looking to be able to
restore our AD environment to a totally different server. Problem is, when we
do DR testing we usually get Compaq hardware, whereas we are a Dell shop
here.

Don Guyer
IS Dept
Citadel FCU
Ph: 610.380.7072
Fax: 610.380.7008
[EMAIL PROTECTED]


-Original Message-
From: Chianese, David P. [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 1:17 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Disaster recovery scenario comments requested.


All, 

I want to run this DR situation by the group and see if anyone else can
identify any gotchas in the process.  We are currently testing out a DR
scenario that involves off-site Domain controllers at a recovery center.
During normal operations the DR DCs are linked to our network via VPN and
fractional T1 line in order for replication to occur.  When we declare a DR
test or go into a live DR situation where one of our sites becomes
unavailable for an extended period of time due to an outage, network issue
or terrorist incident (remember 9/11?) we bring the DR site up, seize the
PDC emulator role (to add workstations, accounts and perform other urgent
replication) and let our clients continue operations in all of our remote
locations with little interruption of service.

Now, here is the hard part.  When DR is over we disconnect the DR DC from
the wire and delpart.exe (format/fdisk for ntfs) all of the partitions.  The
site that was down is then restored and the PDC emulator role is back to its
original state.  We then take the DR DC and apply a ghosted image of the
server as it was when it was first dcpromo'd and let it catch up on
replication.  This so far has worked flawlessly in the lab.  We avoid doing
the metadata cleanup of the server since nothing has really changed on the
DR DC as it was re-imaged previous to the PDC emulator role seizure.  Our
lab environment is a fraction of the capacity of our Production and not as
complex.  Can anyone see any problems arising down the road by doing a DR
process like this?

The other option planned is to already have the workstations and DR
environments created in a separate OU so that in a DR situation we just need
to let the site that is disconnected stay disconnected and then catch up on
replication when it comes back.  This is my preferred method of how to
handle our DR woes, but unfortunately we are not there yet.  I am only
looking for feedback or you to play devil's advocate on the above situation
we currently have in place.  Thank you in advance for your comments.


Regards, 


David Chianese
Senior Engineer
IT - Server Services
Delaware Investments
  *Powered By Research
A Member of the Lincoln Financial Group


This e-mail and any accompanying attachments are confidential.  The
information is intended solely for the use of the individual to whom it is
addressed.  Any review, disclosure, copying, distribution, or use of this
e-mail communication by others is strictly prohibited.  If you are not the
intended recipient, please notify us immediately by returning this message
to the sender and delete all copies.  Thank you for your cooperation.
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Disaster recovery scenario comments requested.

2003-08-14 Thread Rick Kingslan
Jan,

Do you know if they have published a paper or some detail on this process?
Naturally, I'm interested in what they are proposing.

Currently, their full-fledged technical document is slated for March 2004,
which, IMHO, is way too late.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jan Wilson
Sent: Sunday, August 10, 2003 10:56 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Disaster recovery scenario comments requested.


Just as an aside here - MS of course displayed their VM server at tech ed -
one nice idea was DR for Exchange 2003 - you would basically generate a new
email server in minutes on a VM - users are then back online and you then
begin to backfill their email from tape.



Re: [ActiveDir] Disaster recovery scenario comments requested.

2003-08-14 Thread Jan Wilson

Just as an aside here - MS of course displayed their VM server at tech ed -
one nice idea was DR for Exchange 2003 - you would basically generate a new
email server in minutes on a VM - users are then back online and you then
begin to backfill their email from tape.



RE: [ActiveDir] Disaster recovery scenario comments requested.

2003-08-14 Thread Don Guyer
David,

We use similar methodology for our DR tests, by keeping a laptop running as a 
DC on our live network, then transferring FSMO roles at the DR site. This has worked 
flawlessly for us. We are now looking to be able to restore our AD environment to a 
totally different server. Problem is, when we do DR testing we usually get Compaq 
hardware, whereas we are a Dell shop here.

Don Guyer
IS Dept
Citadel FCU
Ph: 610.380.7072
Fax: 610.380.7008
[EMAIL PROTECTED]


-Original Message-
From: Chianese, David P. [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 1:17 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Disaster recovery scenario comments requested.


All, 

I want to run this DR situation by the group and see if anyone else can
identify any gotchas in the process.  We are currently testing out a DR
scenario that involves off-site Domain controllers at a recovery center.
During normal operations the DR DCs are linked to our network via VPN and
fractional T1 line in order for replication to occur.  When we declare a DR
test or go into a live DR situation where one of our sites becomes
unavailable for an extended period of time due to an outage, network issue
or terrorist incident (remember 9/11?) we bring the DR site up, seize the
PDC emulator role (to add workstations, accounts and perform other urgent
replication) and let our clients continue operations in all of our remote
locations with little interruption of service.

Now, here is the hard part.  When DR is over we disconnect the DR DC from
the wire and delpart.exe (format/fdisk for ntfs) all of the partitions.  The
site that was down is then restored and the PDC emulator role is back to its
original state.  We then take the DR DC and apply a ghosted image of the
server as it was when it was first dcpromo'd and let it catch up on
replication.  This so far has worked flawlessly in the lab.  We avoid doing
the metadata cleanup of the server since nothing has really changed on the
DR DC as it was re-imaged previous to the PDC emulator role seizure.  Our
lab environment is a fraction of the capacity of our Production and not as
complex.  Can anyone see any problems arising down the road by doing a DR
process like this?

The other option planned is to already have the workstations and DR
environments created in a separate OU so that in a DR situation we just need
to let the site that is disconnected stay disconnected and then catch up on
replication when it comes back.  This is my preferred method of how to
handle our DR woes, but unfortunately we are not there yet.  I am only
looking for feedback or you to play devil's advocate on the above situation
we currently have in place.  Thank you in advance for your comments.


Regards, 


David Chianese
Senior Engineer
IT - Server Services
Delaware Investments
  *Powered By Research
A Member of the Lincoln Financial Group




RE: [ActiveDir] Disaster recovery scenario comments requested.

2003-08-11 Thread Coleman, Hunter
My biggest concern in this case is that you end up with an offline backup of
the AD database, so you could be happily backing up a database with
page-level corruption. Running a couple of virtual DCs on different physical
hardware should minimize the risk of -1018 errors, though. Has anyone seen
low level corruption of an ntds.dit database?

Hunter 

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 08, 2003 9:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster recovery scenario comments requested.

Actually VMWare or more likely Virtual Server are what we are *starting* to
look at for a DR system. Basically the idea is to have a couple of nice
sized Physical Servers running multiple virtual servers that are domain
controllers for all Domains in the Forest. Every night one of the P-Servers
shuts down all of the Virtuals and copies off the disk images to some other
location for backup to tape. The next night the other P-Server does it. 

The beauty of this solution is that physical hardware becomes a lot less
important for your DR site or your test lab (yes you could bring these
images back up in a *segregated* test lab for testing of your production AD
and data...). You simply load up your server and then install your
virtualization software and then fire up your images and you are off to the
races... 

We actually just got the hardware in for this, which we will use to develop
the solution against the test environment and then once comfortable with it
will go prod with it. 

Personally I think this is about the most flexible and safe DR solution you
can have. I am not one for restoring AD from system state dumps. 

  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chianese, David P.
Sent: Friday, August 08, 2003 7:04 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Disaster recovery scenario comments requested.


That would obviously kill the ghost image idea. I do however like the laptop
and more graceful way of transferring roles at the DR site.  I think I
hear the chimes of VMWare ESX Server calling.  Thanks for the feedback Don.
I see another idea in my head now too.  Alas, it's Friday and I'm late for
Happy Hour

-Dave

-Original Message-
From: Don Guyer [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 5:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster recovery scenario comments requested.


David,

We use similar methodology for our DR tests, by keeping a laptop
running as a DC on our live network, then transferring FSMO roles at the DR
site. This has worked flawlessly for us. We are now looking to be able to
restore our AD environment to a totally different server. Problem is, when we
do DR testing we usually get Compaq hardware, whereas we are a Dell shop
here.

Don Guyer
IS Dept
Citadel FCU
Ph: 610.380.7072
Fax: 610.380.7008
[EMAIL PROTECTED]


-Original Message-
From: Chianese, David P. [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 1:17 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Disaster recovery scenario comments requested.


All, 

I want to run this DR situation by the group and see if anyone else can
identify any gotchas in the process.  We are currently testing out a DR
scenario that involves off-site Domain controllers at a recovery center.
During normal operations the DR DCs are linked to our network via VPN and
fractional T1 line in order for replication to occur.  When we declare a DR
test or go into a live DR situation where one of our sites becomes
unavailable for an extended period of time due to an outage, network issue
or terrorist incident (remember 9/11?) we bring the DR site up, seize the
PDC emulator role (to add workstations, accounts and perform other urgent
replication) and let our clients continue operations in all of our remote
locations with little interruption of service.

Now, here is the hard part.  When DR is over we disconnect the DR DC from
the wire and delpart.exe (format/fdisk for ntfs) all of the partitions.  The
site that was down is then restored and the PDC emulator role is back to its
original state.  We then take the DR DC and apply a ghosted image of the
server as it was when it was first dcpromo'd and let it catch up on
replication.  This so far has worked flawlessly in the lab.  We avoid doing
the metadata cleanup of the server since nothing has really changed on the
DR DC as it was re-imaged previous to the PDC emulator role seizure.  Our
lab environment is a fraction of the capacity of our Production and not as
complex.  Can anyone see any problems arising down the road by doing a DR
process like this?

The other option planned is to already have the workstations and DR
environments created in a separate OU so that in a DR situation we just need
to let the site that is disconnected stay disconnected and then catch up on
replication when it comes back.  This is my preferred method of how to
handle

RE: [ActiveDir] Disaster recovery scenario comments requested.

2003-08-10 Thread Chianese, David P.
That would obviously kill the ghost image idea. I do however like the laptop
and more graceful way of transferring roles at the DR site.  I think I
hear the chimes of VMWare ESX Server calling.  Thanks for the feedback Don.
I see another idea in my head now too.  Alas, it's Friday and I'm late for
Happy Hour

-Dave

-Original Message-
From: Don Guyer [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 5:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster recovery scenario comments requested.


David,

We use similar methodology for our DR tests, by keeping a laptop
running as a DC on our live network, then transferring FSMO roles at the DR
site. This has worked flawlessly for us. We are now looking to be able to
restore our AD environment to a totally different server. Problem is, when we
do DR testing we usually get Compaq hardware, whereas we are a Dell shop
here.

Don Guyer
IS Dept
Citadel FCU
Ph: 610.380.7072
Fax: 610.380.7008
[EMAIL PROTECTED]


-Original Message-
From: Chianese, David P. [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 1:17 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Disaster recovery scenario comments requested.


All, 

I want to run this DR situation by the group and see if anyone else can
identify any gotchas in the process.  We are currently testing out a DR
scenario that involves off-site Domain controllers at a recovery center.
During normal operations the DR DCs are linked to our network via VPN and
fractional T1 line in order for replication to occur.  When we declare a DR
test or go into a live DR situation where one of our sites becomes
unavailable for an extended period of time due to an outage, network issue
or terrorist incident (remember 9/11?) we bring the DR site up, seize the
PDC emulator role (to add workstations, accounts and perform other urgent
replication) and let our clients continue operations in all of our remote
locations with little interruption of service.

Now, here is the hard part.  When DR is over we disconnect the DR DC from
the wire and delpart.exe (format/fdisk for ntfs) all of the partitions.  The
site that was down is then restored and the PDC emulator role is back to its
original state.  We then take the DR DC and apply a ghosted image of the
server as it was when it was first dcpromo'd and let it catch up on
replication.  This so far has worked flawlessly in the lab.  We avoid doing
the metadata cleanup of the server since nothing has really changed on the
DR DC as it was re-imaged previous to the PDC emulator role seizure.  Our
lab environment is a fraction of the capacity of our Production and not as
complex.  Can anyone see any problems arising down the road by doing a DR
process like this?

The other option planned is to already have the workstations and DR
environments created in a separate OU so that in a DR situation we just need
to let the site that is disconnected stay disconnected and then catch up on
replication when it comes back.  This is my preferred method of how to
handle our DR woes, but unfortunately we are not there yet.  I am only
looking for feedback or you to play devil's advocate on the above situation
we currently have in place.  Thank you in advance for your comments.


Regards, 


David Chianese
Senior Engineer
IT - Server Services
Delaware Investments
  *Powered By Research
A Member of the Lincoln Financial Group




RE: [ActiveDir] Disaster recovery scenario comments requested.

2003-08-10 Thread Rick Kingslan
Joe, David, all - 

Interestingly, we've been looking at exactly the same thing, due to our
remote site environment and network infrastructure, we could use any remote
as a DR site.  Given this, there is some level of non-consistent hardware in
the remote sites and we needed a solution that would allow a majority of
core business resumption in the shortest time.

VMWare or some 'virtual server' technology clearly is at the forefront of
our thoughts.  It simply means that a quick install or startup of the
services associated with the VM and the 'import', if you will, of the image
created at a timely period CAN be the best possible recovery.  At the worst,
it will give you the needed time to recover systems that one might consider
more traditional and would be used for on-going long term business.  At the
best, it might provide a model that could transform some systems to a
different model, as the actual running of the systems for business
resumption provide a 'trial-by-fire' proof that VM servers are viable
alternatives for some functions.

However, our testing continues - and it's interesting to hear the opinions
and reactions of those who are confused by the fact that it is possible to
run multiple servers on one physical machine.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Friday, August 08, 2003 10:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster recovery scenario comments requested.

Actually VMWare or more likely Virtual Server are what we are *starting* to
look at for a DR system. Basically the idea is to have a couple of nice
sized Physical Servers running multiple virtual servers that are domain
controllers for all Domains in the Forest. Every night one of the P-Servers
shuts down all of the Virtuals and copies off the disk images to some other
location for backup to tape. The next night the other P-Server does it. 

The beauty of this solution is that physical hardware becomes a lot less
important for your DR site or your test lab (yes you could bring these
images back up in a *segregated* test lab for testing of your production AD
and data...). You simply load up your server and then install your
virtualization software and then fire up your images and you are off to the
races... 

We actually just got the hardware in for this, which we will use to develop
the solution against the test environment and then once comfortable with it
will go prod with it. 

Personally I think this is about the most flexible and safe DR solution you
can have. I am not one for restoring AD from system state dumps. 

  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chianese, David P.
Sent: Friday, August 08, 2003 7:04 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Disaster recovery scenario comments requested.


That would obviously kill the ghost image idea. I do however like the laptop
and more graceful way of transferring roles at the DR site.  I think I
hear the chimes of VMWare ESX Server calling.  Thanks for the feedback Don.
I see another idea in my head now too.  Alas, it's Friday and I'm late for
Happy Hour

-Dave

-Original Message-
From: Don Guyer [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 5:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster recovery scenario comments requested.


David,

We use similar methodology for our DR tests, by keeping a laptop
running as a DC on our live network, then transferring FSMO roles at the DR
site. This has worked flawlessly for us. We are now looking to be able to
restore our AD environment to a totally different server. Problem is, when we
do DR testing we usually get Compaq hardware, whereas we are a Dell shop
here.

Don Guyer
IS Dept
Citadel FCU
Ph: 610.380.7072
Fax: 610.380.7008
[EMAIL PROTECTED]


-Original Message-
From: Chianese, David P. [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 1:17 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Disaster recovery scenario comments requested.


All, 

I want to run this DR situation by the group and see if anyone else can
identify any gotchas in the process.  We are currently testing out a DR
scenario that involves off-site Domain controllers at a recovery center.
During normal operations the DR DCs are linked to our network via VPN and
fractional T1 line in order for replication to occur.  When we declare a DR
test or go into a live DR situation where one of our sites becomes
unavailable for an extended period of time due to an outage, network issue
or terrorist incident (remember 9/11?) we bring the DR site up, seize the
PDC emulator role (to add workstations, accounts and perform other urgent
replication) and let our clients continue operations in all of our remote
locations with little interruption

RE: [ActiveDir] Disaster recovery scenario comments requested.

2003-08-10 Thread Myrick, Todd (NIH/CIT)
.  

Troubleshooting

Troubleshooting is more a tactical skill nowadays.  It used to be an
operations skill, but with so many functions that need to be managed, you
can't rely on the same techs to plan and troubleshoot the technology to
also maintain them.  Something has to give.  To be a good troubleshooter you
need to know network, hardware, OS, and ultimately application
troubleshooting.  You have to know your own abilities, be willing to grow,
think differently, research, test, and ultimately execute.  Also you can't
plan for things you can see.  A good reporting package is a must.  Bindview
Control has good reporting tools for both Exchange and also security.
Aelita In-trust is also another good utility.  Quest also has a pretty good
tool for interactive troubleshooting called Spotlight.  It is like perfmon
on steroids.  Also proactive monitoring is a must.  MOM, or NetIQ's
AppManager are good tools to monitor your environment with.  MOM is more
event driven and can fire off resolutions.  AppManager is more historic
information gathering.  It is basically good to tell you something broke,
and then allows you to research the historic information.  

Troubleshooting Exchange can be a challenge, because most of the problems
come from the client side.  You need to be able to collect data from a
client perspective and the server's perspective, see what systems are in
between and determine if it is a network bottleneck, or a hardware
bottleneck.  Knowing the protocols, how they act, and how they act when
there are problems, is a very important thing to understand.  Also
understanding quirks of the systems and software is also good knowledge.
Documentation and contacts are also a valuable tool.  I highly recommend
that you look at Chris Wolf's newest book, Troubleshooting Microsoft
Technologies for further information.  He is also working on a book for
Enterprise troubleshooting.  

Conclusion

I have been in 7 disasters in my lifetime.  I used to work at a hospital as
an orderly; train wrecks, blizzards, and patients coding taught me that you
have to work together in order to protect and heal people.  In IT, I was a
veteran of I Love You, Several Data Disasters, 9/11 and most recently SQL
Slammer.  What is interesting is that SQL Slammer was actually the worst
disaster I ran into, probably because it involved the most managers, and not
a team.  It got way too political.

As you can see, DR for Exchange sometimes only shows you the tip of the
iceberg.  I hope my sharing information with you all is helpful.

Please tell me what you think, I am always open to critical review.

Toddler
  


-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
Sent: Sunday, August 10, 2003 12:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disaster recovery scenario comments requested.

Jan,

Do you know if they have published a paper or some detail on this process?
Naturally, I'm interested in what they are proposing.

Currently, their full-fledged technical document is slated for March 2004,
which, IMHO, is way too late.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jan Wilson
Sent: Sunday, August 10, 2003 10:56 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Disaster recovery scenario comments requested.


Just as an aside here - MS of course displayed their VM server at tech ed -
one nice idea was DR for Exchange 2003 - you would basically generate a new
email server in minutes on a VM - users are then back online and you then
begin to backfill their email from tape.
