Re: RE : Re: RE : RE: [ActiveDir] backup and restore AD.

2006-08-21 Thread Al Mulnick
I don't know what Brett would do (is that a bracelet idea?) but personally if given the opportunity, I would have chosen to a) figure out why the failure of one disk in a RAID 5 set didn't allow for continuous operation b) fix that issue so that it never happens again (suspect disk cache, raid bios, etc) and c) flatten and repromote the new server vs. restoring the database.  

 
Why? Because it's faster, safer, cleaner and a better use of your time to do it that way.  Restoring the server takes time and a lot of manual steps.  Manual steps are in direct contradiction to reliability because they introduce opportunity for error and judgement.  Or vice-versa; I never remember which comes first. 

 
Anyway, while you can do restores, and there are times when that's the best answer, I don't believe this is one of them.  At best, you have to restore and play through the last logs as well as backfill any other changes that occurred during the outage.  Why yours broke over the loss of one drive in a raid set is cause for me to be concerned and not want to place that server back in service as is but rather I'd prefer to rebuild it from the ground up so that I know it's in a known state.  With AD you have that option in most cases.  

 
Al
 
 
On 8/19/06, Yann <[EMAIL PROTECTED]> wrote:


Hello Brett,
 
The problem was that one disk in my RAID 5 was corrupted. So I changed the disk and I checked that my RAID 5 was OK via Dell OpenManage. But when restarting the DC, it showed a Windows popup stating an error in lsass.exe and that I had to boot in DSRM mode. When I clicked OK, my DC rebooted again and that scenario never ended until I booted in DSRM mode!!
When logging in DSRM mode, there were only the ntds.dit and the Edb*.log, no edb.chk!!
So I restored the system state, but when the restore finished there was still no edb.chk created in DSRM mode: a semantic checker showed a Jet error stating that no transaction logs were found.
So I had 2 options:
1) restore ntds.dit, edb.chk, Edb*.log, Res1.log and Res2.log from my last full backup. This backup was done 5 days ago.
2) as a last resort, force a demotion via ntdsutil and delete all DNS registrations, FRS subscriptions and AD objects that point to this DC.
 
So I chose 1) and that worked fine. I was lucky!!
 
Brett, is there any MS documentation stating that this type of "dirty" restoration is unsupported? I have not found any clue in MS TechNet.
And in my situation, what would you have done?
Would 2) be a better and supported solution than 1)?
 
Thanks for advice.
 
Yann
Brett Shirley <[EMAIL PROTECTED]> wrote:


BTW, if you have snapshot based backup you _can_ backup and just restore only the AD data (dit, log, and chk), and it will work w/o USN rollback correctly. We used to run quick tests like that all the time, but ONLY validated that the DS / AD didn't break. That doesn't make it supported. BTW, it is in fact _not supported_.

There are an unknown # of components (AD itself, SAM, LSA, Kerberos, NTLM, AuthZ, etc ... just about anything DS or security related) that may have a dependency on some random part of AD and some random part of Registry data staying in sync ... we don't know what breaks when you restore one w/o the other ... this is why it is unsupported ... and almost completely untested ... but why let that dissuade you, you're a pioneer right. ;)

The most obvious case of this would be if you restored a DIT from one domain to the DIT folder for a DC in another domain, replacing its DIT. Would that work? Almost guaranteed there would be security issues. That's of course the extreme case, and one easy to avoid; we don't know the in-between cases.

Cheers,
-BrettSh [msft]

On Fri, 18 Aug 2006, Yann wrote:
> Hello Jorge,
> 
> Thanks for clarification.
> I will check next week if I have no issues with USN rollback :( .
> 
> Yann
> 
> "Almeida Pinto, Jorge de" wrote:
> when a DC is restored from the system state (amongst others):
> * the restored RID pool is thrown away (invalidated) and a new RID pool is requested at the RID master
> * the invocation ID of the AD DB is changed (which prevents USN rollbacks)
> 
> so in your case it works because the backup is not that old. The AD DB is tightly coupled with the registry and there is a reason for that! That is the reason why you MUST restore the system state, as MS says. The way you are doing it is, how shall I say it gently, NOT SUPPORTED! ;-)
> And I guess you will be hitting on USN Rollback. See my blog and search for BACKUP and you will find an article with some more info
> 
> jorge
> 
> -
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Yann
> Sent: Tuesday, August 08, 2006 22:47
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] backup and restore AD.
> 
> Hello,
> 
> I had a question about AD backup & restore.
> It is possible to backup AD in 2 ways:
> 1) backup only the system state.
> 2) backup system state & file system containing the AD working directory (ntds.dit, ed
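Jorge's point above is that a supported system-state restore changes the DC's invocation ID, while a copy-the-DIT-back restore leaves it unchanged and risks USN rollback, at which point NTDS quarantines itself. The following is an added example, not code from anyone in this thread, that reads the indicators a quarantined DC exposes; it assumes it runs locally on the DC with the RSAT ActiveDirectory module and repadmin available.

```powershell
# Added example (not from the thread): collect the USN-rollback indicators on a DC.
# Assumes: run on the DC itself, ActiveDirectory module and repadmin.exe present.
function Get-UsnRollbackIndicators {
    [CmdletBinding()]
    param([string]$DomainController = $env:COMPUTERNAME)

    # 1. When NTDS detects that its USNs went backwards relative to a partner it
    #    sets 'Dsa Not Writable' = 4 under its Parameters key and stops replicating.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $notWritable = (Get-ItemProperty -Path $params -Name 'Dsa Not Writable' `
                    -ErrorAction SilentlyContinue).'Dsa Not Writable'

    # 2. The same condition is logged in the Directory Service log:
    #    2095 = USN rollback detected, 2103 = unsupported restore procedure,
    #    1113 / 1115 = inbound / outbound replication disabled.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service';
                                               Id = 2095, 2103, 1113, 1115 } `
                           -MaxEvents 20 -ErrorAction SilentlyContinue

    # 3. A supported system-state restore issues a new invocationId; a file-level
    #    copy of ntds.dit does not, so record it for comparison with the value
    #    noted before the restore.
    $dc   = Get-ADDomainController -Identity $DomainController
    $opts = repadmin /options $DomainController 2>&1

    [pscustomobject]@{
        DomainController    = $dc.HostName
        InvocationId        = $dc.InvocationId
        DsaNotWritable      = $notWritable
        QuarantineSuspected = ($notWritable -eq 4) -or
                              [bool]($opts -match 'DISABLE_INBOUND_REPL')
        DsaOptions          = ($opts | Where-Object { $_ -match 'Current DSA Options' })
        RollbackEvents      = $events | Select-Object TimeCreated, Id,
                              @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
    }
}

Get-UsnRollbackIndicators | Format-List
```

If QuarantineSuspected is true or any of the listed events are present, the DC is in the state Jorge warns about and the remaining options are the ones discussed in the thread: a supported restore from backup, or forced demotion with ntdsutil followed by metadata cleanup and repromotion.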

RE : Re: RE : RE: [ActiveDir] backup and restore AD.

2006-08-19 Thread Yann
Hello Brett,

The problem was that one disk in my RAID 5 was corrupted. So I changed the disk and I checked that my RAID 5 was OK via Dell OpenManage. But when restarting the DC, it showed a Windows popup stating an error in lsass.exe and that I had to boot in DSRM mode. When I clicked OK, my DC rebooted again and that scenario never ended until I booted in DSRM mode!!
When logging in DSRM mode, there were only the ntds.dit and the Edb*.log, no edb.chk!!
So I restored the system state, but when the restore finished there was still no edb.chk created in DSRM mode: a semantic checker showed a Jet error stating that no transaction logs were found.
So I had 2 options:
1) restore ntds.dit, edb.chk, Edb*.log, Res1.log and Res2.log from my last full backup. This backup was done 5 days ago.
2) as a last resort, force a demotion via ntdsutil and delete all DNS registrations, FRS subscriptions and AD objects that point to this DC.

So I chose 1) and that worked fine. I was lucky!!

Brett, is there any MS documentation stating that this type of "dirty" restoration is unsupported? I have not found any clue in MS TechNet.
And in my situation, what would you have done?
Would 2) be a better and supported solution than 1)?

Thanks for advice.

Yann

Brett Shirley <[EMAIL PROTECTED]> wrote:

BTW, if you have snapshot based backup you _can_ backup and just restore only the AD data (dit, log, and chk), and it will work w/o USN rollback correctly. We used to run quick tests like that all the time, but ONLY validated that the DS / AD didn't break. That doesn't make it supported. BTW, it is in fact _not supported_.

There are an unknown # of components (AD itself, SAM, LSA, Kerberos, NTLM, AuthZ, etc ... just about anything DS or security related) that may have a dependency on some random part of AD and some random part of Registry data staying in sync ... we don't know what breaks when you restore one w/o the other ... this is why it is unsupported ... and almost completely untested ... but why let that dissuade you, you're a pioneer right. ;)

The most obvious case of this would be if you restored a DIT from one domain to the DIT folder for a DC in another domain, replacing its DIT. Would that work? Almost guaranteed there would be security issues. That's of course the extreme case, and one easy to avoid; we don't know the in-between cases.

Cheers,
-BrettSh [msft]

On Fri, 18 Aug 2006, Yann wrote:
> Hello Jorge,
> 
> Thanks for clarification.
> I will check next week if I have no issues with USN rollback :( .
> 
> Yann
> 
> "Almeida Pinto, Jorge de" <[EMAIL PROTECTED]> wrote:
> when a DC is restored from the system state (amongst others):
> * the restored RID pool is thrown away (invalidated) and a new RID pool is requested at the RID master
> * the invocation ID of the AD DB is changed (which prevents USN rollbacks)
> 
> so in your case it works because the backup is not that old. The AD DB is tightly coupled with the registry and there is a reason for that! That is the reason why you MUST restore the system state, as MS says. The way you are doing it is, how shall I say it gently, NOT SUPPORTED! ;-)
> And I guess you will be hitting on USN Rollback. See my blog and search for BACKUP and you will find an article with some more info
> 
> jorge
> 
> -
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Yann
> Sent: Tuesday, August 08, 2006 22:47
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] backup and restore AD.
> 
> Hello,
> 
> I had a question about AD backup & restore.
> It is possible to backup AD in 2 ways:
> 1) backup only the system state.
> 2) backup system state & file system containing the AD working directory (ntds.dit, edb.chk, Edb*.log, Res1.log and Res2.log).
> 
> MS states that you have to restore your AD by restoring the system state.
> But, what about just restoring the AD working directory without system state? I tested it and that works fine.
> So my question is:
> => In what circumstances do I have to choose a restore from system state or a restore from AD working directory?
> 
> Thanks for clarification,
> 
> Yann