RE: [ActiveDir] A bad bad thing...Manual push of AD?
Okay, just a quick scenario.. If the deletion has been replicated (I'm fat, running to the nearest DC would be a pain :) would adrestore.exe do the job of restoring all these objects? Although as far as I know, when an object is deleted and still within the tombstone period, lots of attributes are not stored and cannot be retrieved back - but.. will it work?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Friday, August 12, 2005 7:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

Please don't forget to insert these steps:

2.5 reboot the DC back to normal mode
2.7 give a chance for the auth restore to replicate out (not necessary, just a good idea)

I'm so glad Guido wrote up the below, I had something 1/2 written up, but I couldn't remember any of the details ...

Cheers,
Brett

On Fri, 12 Aug 2005, Grillenmeier, Guido wrote:

Hopefully you have another Win2003 DC with SP1 = a non-SP1 2003 DC would require you to perform more manual steps during the restore. As you're still in mixed mode, none of your links are LVR (which means they won't be revived on a non-SP1 DC and of course not on a Win2000 DC).

1. so boot another SP1 DC into DS Restore mode
2. use ntdsutil.exe to auth restore that user's object = with SP1, this step will create an LDIF file that will allow you to restore the groups etc. It will be called ar_date-time_links_fully.qualified.domain.name.ldf (e.g. ar_20050725-145850_links_child1.root.net.ldf) and contain something similar to this:

dn: CN=Child1-UG1,OU=Groups,OU=MyChild1OU1,DC=child1,DC=root,DC=net
changetype: modify
delete: member
member: CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net
-

dn: CN=Child1-UG1,OU=Groups,OU=MyChild1OU1,DC=child1,DC=root,DC=net
changetype: modify
add: member
member: CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net
-

dn: CN=Child1-User2,OU=Accounts,OU=MyChild1OU1,DC=child1,DC=root,DC=net
changetype: modify
delete: manager
manager: CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net
-

dn: CN=Child1-User2,OU=Accounts,OU=MyChild1OU1,DC=child1,DC=root,DC=net
changetype: modify
add: manager
manager: CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net
-

If you have multiple domains, you may get more than one file (depends on the group memberships of the user and whether you are doing the auth restore on a DC or GC - you should choose a GC if you have more than one domain).

All you need to do after reboot is take that file and execute an LDIF import command (on a DC that corresponds to the file's domain):

Ldifde -i -k -f ar_date-time_links_fully.qualified.domain.name.ldf

e.g.

Ldifde -i -k -f ar_20050725-145850_links_child1.root.net.ldf

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shadow Roldan
Sent: Friday, 12 August 2005 01:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

OK, this is what I was looking for. This site didn't actually have a chance to repl out the delete, so I just push back the 'good' state? So, if I understand, I am supposed to:

1. reboot a good DC into DS Restore mode
2. use ntdsutil.exe to auth restore that user's object.
3. use ldifde to restore the links (not sure about this step...any more info?)

Bring my mistake DC back online, it tries to replicate, hits the Auth Restore, and the delete gets tossed, my mistake is rectified, and no one is the wiser... Yes?
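The delete-then-add pairs in Guido's ar_*_links_*.ldf file are exactly what a pre-SP1 DC leaves you to produce by hand (Brett's "LDAP operation that deletes and re-sets the links"). The Python script below is added here as an illustration and is not code from any post in the thread: it builds such per-domain files from a constructed list of linked objects and sanity-checks a file before it is handed to ldifde. The DNs are the ones from Guido's example plus one made-up root-domain group; the function names are my own.

```python
"""Re-create the link-restore LDIF that a Win2003 SP1 authoritative restore
writes (ar_<date-time>_links_<domain>.ldf) for the pre-SP1 case, where the
back-links of the restored user (group memberships, manager, ...) have to be
re-set by hand: one file per domain, each link as a delete-then-add pair."""
import base64
import re
from datetime import datetime

# Constructed sample input: the restored user and the objects that pointed at
# it before the deletion.  The first two DNs are from Guido's example; the
# root-domain group is made up so that two domains (two files) are exercised.
RESTORED_USER = "CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net"
SAMPLE_LINKS = [
    ("CN=Child1-UG1,OU=Groups,OU=MyChild1OU1,DC=child1,DC=root,DC=net", "member"),
    ("CN=Child1-User2,OU=Accounts,OU=MyChild1OU1,DC=child1,DC=root,DC=net", "manager"),
    ("CN=Root-UG2,OU=Groups,OU=MyRootOU1,DC=root,DC=net", "member"),
]
SAMPLE_TIME = datetime(2005, 7, 25, 14, 58, 50)   # timestamp in Guido's filename


def domain_of(dn):
    """DNS name of the domain a DN lives in, taken from its DC= components."""
    parts = re.findall(r"(?:^|,)\s*DC=([^,]+)", dn, flags=re.IGNORECASE)
    return ".".join(p.strip() for p in parts).lower()


def ldif_attr(attr, value):
    """One 'attr: value' line.  Values LDIF (RFC 2849) cannot carry verbatim
    (non-ASCII, leading/trailing space, leading ':' or '<', CR/LF/NUL) are
    written base64-encoded as 'attr:: ...', which ldifde understands."""
    unsafe = (not value.isascii() or value != value.strip(" ")
              or value[:1] in (":", "<") or any(c in value for c in "\r\n\0"))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def modify_record(target_dn, op, attr, value):
    """A single 'changetype: modify' record deleting or adding one value."""
    return "\n".join([ldif_attr("dn", target_dn), "changetype: modify",
                      f"{op}: {attr}", ldif_attr(attr, value), "-"]) + "\n"


def build_link_restore_files(user_dn, links, when):
    """Return {filename: ldif_text}, one file per domain of the linked objects.
    Each link becomes a delete-then-add pair so the value is re-written with
    fresh metadata and replicates out again, as in Guido's sample file."""
    per_domain = {}
    for target_dn, attr in links:
        name = f"ar_{when:%Y%m%d-%H%M%S}_links_{domain_of(target_dn)}.ldf"
        per_domain.setdefault(name, []).append(
            modify_record(target_dn, "delete", attr, user_dn)
            + "\n" + modify_record(target_dn, "add", attr, user_dn))
    return {name: "\n".join(records) for name, records in per_domain.items()}


def check_link_file(ldif_text, user_dn):
    """Pre-import sanity check for a file with plain (non-base64) values:
    every delete is followed by an add for the same (dn, attribute) and every
    value is the restored user's DN.  Returns the (dn, attribute) pairs that
    will be re-set, or raises ValueError describing the first problem."""
    records = [r for r in ldif_text.strip().split("\n\n") if r.strip()]
    pairs, pending = [], set()
    for rec in records:
        fields = dict(line.split(": ", 1) for line in rec.splitlines() if ": " in line)
        op = next((o for o in ("delete", "add") if o in fields), None)
        if op is None:
            raise ValueError(f"record without delete/add: {fields.get('dn')}")
        attr = fields[op]
        if fields.get(attr) != user_dn:
            raise ValueError(f"{fields.get('dn')}: {attr} value is not the restored user")
        key = (fields["dn"], attr)
        if op == "delete":
            pending.add(key)
        elif key not in pending:
            raise ValueError(f"add without preceding delete for {key}")
        else:
            pending.remove(key)
            pairs.append(key)
    if pending:
        raise ValueError(f"delete without add for {sorted(pending)}")
    return pairs


if __name__ == "__main__":
    for name, text in build_link_restore_files(RESTORED_USER, SAMPLE_LINKS, SAMPLE_TIME).items():
        # Each file is imported on a DC of its own domain: Ldifde -i -k -f <name>
        print(f"# {name}")
        print(text)
        print("links to re-set:", check_link_file(text, RESTORED_USER))
```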
RE: [ActiveDir] A bad bad thing...Manual push of AD?
Sure, but I should have written, ... one object at a time would be free. A little different from only one object. :) Seems a lot more attractive than going through a drawn out process using ntdsutil with all the potential pitfalls.

From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Thu 8/11/2005 6:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

Best of all for one object it would be free.

Huh. Nice to know. Thanks, Bob.

Rick

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] A bad bad thing...Manual push of AD?
Well, you're lucky that you yanked the network cable in time, now you don't have to do a system state restore to get the user back ...

Find a DC where the user still exists in a pristine condition, all the mailbox details, etc. Reboot the DC in DS Restore mode (DSRM). Use ntdsutil.exe to auth restore just that user's object.

You may (probably will) also have to restore links to that user; at this point it'd be nice if you were running on Win2k3 SP1, but if not it is still accomplishable.

For Win2k3 SP1, after auth restoring the user, there should be some ldf file(s) that will allow you to restore the links. Simply use ldifde to apply these files to the appropriate DCs (up to one ldf per domain).

For pre this latest generation (which is more likely, because you could yank the net cable in time), you may have to find the objects that are linked to the user, and restore them yourself. You can do this by performing an LDAP operation that deletes and re-sets the links to that user.

BTW, there is a more extensive KB article you might find useful: http://support.microsoft.com/?kbid=840001

Cheers,
BrettSh

This posting is provided "AS IS" with no warranties, and confers no rights.
RE: [ActiveDir] A bad bad thing...Manual push of AD?
Is this machine JUST a DC? If so, (without going out and having to buy a 3rd party piece of software) you can whack it and rebuild. You'll have to do the MetaDirectory cleanup for a DC removed from a domain improperly.

If that's not feasible, when was your last system state backup? You can go into DSRM and initiate a non-authoritative restore. Follow this: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/f3bfb611-dcbe-4365-8f1d-3321916aeb63.mspx

Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shadow Roldan
Sent: Thursday, August 11, 2005 1:13 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] A bad bad thing...Manual push of AD?

So I did a bad thing, I deleted a user at a different site and marked his mailbox for deletion. Immediately recognizing my mistake I *ran* to the server room and yanked the network cable of the DC I was connected to. For now, none of the changes have replicated.

I want to bring this machine back online, but I don't want those changes to go through. How would you make this happen?

Thanks guys
S
RE: [ActiveDir] A bad bad thing...Manual push of AD?
Hmmm, maybe I misunderstood ... I understood he has a user deleted on some DCs, but not on others. He doesn't want the user deleted. He can then just take a DC with the user, auth restore the user, let that replicate out. Yes, the delete change will try to replicate out, but when it hits the auth restore the delete operation will essentially be tossed.

I mean this is the whole attraction to hot sites, is it not? Am I missing something?

Cheers,
BrettSh

On Thu, 11 Aug 2005, Rick Kingslan wrote:

Brett,

How is this going to help him get the DC back online that he yanked the cable on? As soon as that system is plugged back in, it's going to repl out the change, no?

Rick
RE: [ActiveDir] A bad bad thing...Manual push of AD?
It'll try - but as the version of the tombstone object will then be lower than that of the auth. restored object, the local change on the deleted object itself will simply be disregarded and the object + attributes restored (read: they will be overwritten by the auth. restored object, which has a higher version number).

But the main point Brett is also making seems to be ignored in the rest of this thread = although we still don't know Shadow Roldan's OS version, the probability is somewhat high that he's not using Win2003 SP1 (maybe not even any non-SP1 Win2003), which means that he has to take special care of the links that the deleted object was linked to (read: mainly the group memberships he had). Depending on the version of the DC OS, these won't be restored on the unplugged DC (Win2000 won't help you at all, Win2003 would revive the links if they were LVR links, Win2003 SP1 will also get the non-LVR links back and write them to an ldif file so that you can restore the links by importing the ldif file).

/Guido
RE: [ActiveDir] A bad bad thing...Manual push of AD?
Ok, so sorry in advance for the product plug... Quest has two products called Recovery Manager, for both AD and for Exchange. You could download them and recover the user with the demo license. You would only need to do a Windows backup on a DC where the delete has not yet been replicated. This will recover the group memberships etc... Best of all for one object it would be free.

Bob
RE: [ActiveDir] A bad bad thing...Manual push of AD?
Right, right. I forgot the increase of 10 in the USN. This would effectively ensure that the newly authed object would not be overwritten by the object on the DC yanked from the network.

So, Guido is right (as always). Rebuilding the DC is not even remotely the issue - and is not even necessary once the USN is increased.

Got it. Thanks for the clarification, all!

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Thursday, August 11, 2005 3:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

You are both correct...

However, what Brett says (and what I thought) is: use another DC with the user still in full detail. Boot into DSRM. Use NTDSUTIL and an AUTH restore so that the version of the object is increased (by 10). Because the version of the user has been increased, the deleted version of the user will be undone.

Only after restoring should he bring the DC back online. The deletion will replicate out and the undeletion (the object with a higher version) will replicate in.

If he brings the DC back online before doing an auth restore of the object, the deletion will replicate to the other DCs and then he will, as Brett said, need to do a system state restore.

The procedure Brett described below and I above looks like the lag site structure, and in this case with only one DC and someone who can run really fast... ;-)))

Jorge
RE: [ActiveDir] A bad bad thing...Manual push of AD?
Best of all for one object it would be free.

Huh. Nice to know. Thanks, Bob.

Rick
RE: [ActiveDir] A bad bad thing...Manual push of AD?
I agree completely - that is the attraction of the lag sites - I have something in which I can push a change back out from a time-delayed replica to where the object still exists.

And I agree as well - if there is a DC that has the object required - by all means, repl it back out authoritatively.

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brett Shirley
Sent: Thursday, August 11, 2005 3:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

Hmmm, maybe I misunderstood ...

I understood he has a user deleted on some DCs, but not on others. He doesn't want the user deleted. He can then just take a DC with the user, auth restore the user, let that replicate out. Yes, the delete change will try to replicate out, but when it hits the auth restore the delete operation will essentially be tossed.

I mean this is the whole attraction to hot sites, is it not? Am I missing something?

Cheers,
BrettSh

On Thu, 11 Aug 2005, Rick Kingslan wrote:

Brett,

How is this going to help him get the DC back online that he yanked the cable on? As soon as that system is plugged back in, it's going to repl out the change, no?

Rick
RE: [ActiveDir] A bad bad thing...Manual push of AD?
NOT the USN. Everyone makes that mistake ... why can no one keep the version and the USN straight?

The USN never resolves replication conflicts, only tells us WHAT to replicate, never WHAT should win. The version is the opposite, it never tells us what we need to replicate, only who should win in case of a conflict ...

During auth restore the version is incremented by 10 (per day old the backup is), and the USN is simply allocated from the next available USN (i.e. it is only guaranteed to be at least 1 higher than the last USN, but more likely there is just some random number of USNs in between, so it jumps by some amount ...).

Cheers,
-BrettSh

On Thu, 11 Aug 2005, Rick Kingslan wrote:

Right, right. I forgot the increase of 10 in the USN. This would effectively ensure that the newly authed object would not be overwritten by the object on the DC yanked from the network. So, Guido is right (as always). Rebuilding the DC is not even remotely the issue - and is not even necessary once the USN is increased.

Got it. Thanks for the clarification, all!

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
Sent: Thursday, August 11, 2005 3:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

You are both correct... However, what Brett says (and what I thought) is: use another DC with the user still in full detail.

Boot into DSRM. Use NTDSUTIL and an AUTH restore so that the version of the object is increased (by 10). Because the version of the user has been increased, the deleted version of the user will be undone.

Only after restoring should he bring the DC back online. The deletion will replicate out and the undeletion (the object with a higher version) will replicate in. If he brings the DC back online before doing an auth restore of the object, the deletion will replicate to the other DCs and then he will, as Brett said, need to do a system state restore.

The procedure Brett described below and I above looks like the lag site structure, only in this case with only one DC and someone who can run really fast... ;-)))

Jorge

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Thu 8/11/2005 9:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

Brett,

How is this going to help him get the DC back online that he yanked the cable on? As soon as that system is plugged back in, it's going to repl out the change, no?

Rick
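The version-versus-USN point Brett makes above is easy to see in a small model. The following is an added example written for this thread, not Active Directory's code and not anything from the list: one attribute's replication metadata, a conflict-resolution function that consults the version (then originating time, then originating DSA) and never the USN, and an authoritative-restore step that bumps the version. The DC names, USNs and timestamps are constructed; the per-day increment constant is an assumption set to ntdsutil's documented default of 100,000 (the tool's `verinc` option lets an administrator pick another value).

```python
"""Added toy model of one attribute's replication metadata and of how a
conflict between two DCs' updates to it is resolved. Illustrative code
written for this thread, not Active Directory's implementation; the DC
names, USNs and timestamps below are constructed."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta

# ntdsutil's default version increment per day of backup age (assumption:
# the tool's 'verinc' option lets an administrator choose another value).
VERSION_INCREMENT_PER_DAY = 100_000


@dataclass(frozen=True)
class AttrMeta:
    """What AD stamps on each attribute write (cf. replPropertyMetaData)."""
    value: str
    version: int
    originating_time: datetime
    originating_dsa: str   # invocationID of the DC that authored the write
    originating_usn: int   # that DC's USN for the write: ordering only


def resolve_conflict(local: AttrMeta, incoming: AttrMeta) -> AttrMeta:
    """Pick the winner of two writes to the same attribute.

    Precedence is version, then originating timestamp, then originating DSA.
    The USN is deliberately absent: it says WHAT still has to be replicated,
    never WHO wins."""
    def rank(m: AttrMeta):
        return (m.version, m.originating_time, m.originating_dsa)
    return incoming if rank(incoming) > rank(local) else local


def authoritative_restore(meta: AttrMeta, days_since_backup: int,
                          restoring_dsa: str, now: datetime,
                          next_usn: int) -> AttrMeta:
    """Model 'ntdsutil ... authoritative restore ... restore object': the
    version jumps by the per-day increment (at least one day's worth), the
    write is re-stamped as originating now on the restoring DC, and the USN
    is simply the next free one on that DC."""
    bump = max(1, days_since_backup) * VERSION_INCREMENT_PER_DAY
    return replace(meta, version=meta.version + bump, originating_time=now,
                   originating_dsa=restoring_dsa, originating_usn=next_usn)


def demo():
    """Replay the thread's scenario; returns (winner without restore,
    winner with restore, restored version, restored USN)."""
    t_delete = datetime(2005, 8, 11, 13, 0)
    # The user as it still exists on an untouched DC ("dsa-b").
    good = AttrMeta("present", version=3,
                    originating_time=t_delete - timedelta(days=30),
                    originating_dsa="dsa-b", originating_usn=5000)
    # The delete made on the unplugged DC ("dsa-a"): newer, higher version,
    # and a much higher USN on its own DC.
    tombstone = AttrMeta("tombstone", version=4, originating_time=t_delete,
                         originating_dsa="dsa-a", originating_usn=9000)
    # Plugging dsa-a back in without doing anything: the delete wins.
    without = resolve_conflict(good, tombstone)
    # Auth restore on dsa-b first: its USN is still far below 9000, yet the
    # restored value wins because its version is higher.
    restored = authoritative_restore(good, days_since_backup=1,
                                     restoring_dsa="dsa-b",
                                     now=t_delete + timedelta(hours=2),
                                     next_usn=5001)
    with_restore = resolve_conflict(restored, tombstone)
    return (without.value, with_restore.value,
            restored.version, restored.originating_usn)


if __name__ == "__main__":
    print(demo())
```

The restored write carries a USN of 5001 against the tombstone's 9000 and still wins; that is the whole of Brett's point, and it is also why the order of operations in the thread matters: the restore has to exist before the unplugged DC is allowed to replicate its delete.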
RE: [ActiveDir] A bad bad thing...Manual push of AD?
Title: RE: [ActiveDir] A bad bad thing...Manual push of AD?

Hey All, thanks for all the feedback. I'm going to try to wrap my brain around your suggestions and get back to you with the results.

To answer your questions, the DC (and it was a DC only) is running Win2k3 SP1. The entire enterprise is mixed 2000/2k3.

You guys really are AD rockstars, rock on

S

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Kingslan
Sent: Thursday, August 11, 2005 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

> Best of all for one object it would be free.

Huh. Nice to know. Thanks, Bob.

Rick
RE: [ActiveDir] A bad bad thing...Manual push of AD?
OK. This is what I was looking for, this site didn't actually have a chance to repl out the delete so I just push back the 'good' state?

So, if I understand, I am supposed to:

1. reboot a good DC into DS Restore mode
2. use ntdsutil.exe to auth restore that user's object.
3. use ldifde to restore the links (not sure about this step...any more info?)

Bring my mistake DC back online, it tries to replicate, hits the Auth Restore, and the delete gets tossed, my mistake is rectified, and no one is the wiser... Yes?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Kingslan
Sent: Thursday, August 11, 2005 2:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

I agree completely - that is the attraction of the lag sites - I have something in which I can push a change back out from a time-delayed replica to where the object still exists.

And I agree as well - if there is a DC that has the object required - by all means, repl it back out authoritatively.

Rick
RE: [ActiveDir] A bad bad thing...Manual push of AD?
gee Brett - so Jorge and I are no one... ;-)

you have to forgive Rick - he's just never had to restore an object ;-))

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brett Shirley
Sent: Friday, 12 August 2005 01:22
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

NOT the USN. Everyone makes that mistake ... why can no one keep the version and the USN straight?

The USN never resolves replication conflicts, only tells us WHAT to replicate, never WHAT should win. The version is the opposite, it never tells us what we need to replicate, only who should win in case of a conflict ...

During auth restore the version is incremented by 10 (per day old the backup is), and the USN is simply allocated from the next available USN (i.e. it is only guaranteed to be at least 1 higher than the last USN, but more likely there is just some random number of USNs in between, so it jumps by some amount ...).

Cheers,
-BrettSh
RE: [ActiveDir] A bad bad thing...Manual push of AD?
> NOT the USN. Everyone makes that mistake ... why can no one keep the version and the USN straight?

:o) You know - I really don't know why. I know the difference, and I continually make that mistake. I can bet, too, that if I go back through any number of books, news posts, documents written by other folks - I'm fairly certain that I can find the mistake made again and again.

In fact - I have to go take a look at MOC. I THINK that they have it wrong as well. I'll point it out to Internal if that is, in fact, the case.

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brett Shirley
Sent: Thursday, August 11, 2005 5:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

NOT the USN. Everyone makes that mistake ... why can no one keep the version and the USN straight?

The USN never resolves replication conflicts, only tells us WHAT to replicate, never WHAT should win. The version is the opposite, it never tells us what we need to replicate, only who should win in case of a conflict ...

During auth restore the version is incremented by 10 (per day old the backup is), and the USN is simply allocated from the next available USN (i.e. it is only guaranteed to be at least 1 higher than the last USN, but more likely there is just some random number of USNs in between, so it jumps by some amount ...).

Cheers,
-BrettSh
RE: [ActiveDir] A bad bad thing...Manual push of AD?
hopefully you have another Win2003 DC with SP1 = a non-SP1 2003 DC would require you to perform more manual steps during the restore. As you're still in mixed mode, none of your links are LVR (which means they won't be revived on a non-SP1 DC and of course not on a Win2000 DC).

1. so boot another SP1 DC into DS Restore mode
2. use ntdsutil.exe to auth restore that user's object = with SP1, this step will create an LDIF file that will allow you to restore the groups etc.

it will be called ar_date-time_links_fully.qualified.domain.name.ldf (e.g. ar_20050725-145850_links_child1.root.net.ldf) and contain something similar to this:

    dn: CN=Child1-UG1,OU=Groups,OU=MyChild1OU1,DC=child1,DC=root,DC=net
    changetype: modify
    delete: member
    member: CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net
    -

    dn: CN=Child1-UG1,OU=Groups,OU=MyChild1OU1,DC=child1,DC=root,DC=net
    changetype: modify
    add: member
    member: CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net
    -

    dn: CN=Child1-User2,OU=Accounts,OU=MyChild1OU1,DC=child1,DC=root,DC=net
    changetype: modify
    delete: manager
    manager: CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net
    -

    dn: CN=Child1-User2,OU=Accounts,OU=MyChild1OU1,DC=child1,DC=root,DC=net
    changetype: modify
    add: manager
    manager: CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net
    -

If you have multiple domains, you may get more than one file (depends on the group memberships of the user and on whether you are doing the auth restore on a DC or GC - you should choose a GC if you have more than one domain).

All you need to do after reboot is take that file and execute an LDIF import command (on a DC that corresponds to the file's domain):

    Ldifde -i -k -f ar_date-time_links_fully.qualified.domain.name.ldf

e.g.

    Ldifde -i -k -f ar_20050725-145850_links_child1.root.net.ldf

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Shadow Roldan
Sent: Friday, 12 August 2005 01:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

OK. This is what I was looking for, this site didn't actually have a chance to repl out the delete so I just push back the 'good' state?

So, if I understand, I am supposed to:

1. reboot a good DC into DS Restore mode
2. use ntdsutil.exe to auth restore that user's object.
3. use ldifde to restore the links (not sure about this step...any more info?)

Bring my mistake DC back online, it tries to replicate, hits the Auth Restore, and the delete gets tossed, my mistake is rectified, and no one is the wiser... Yes?
RE: [ActiveDir] A bad bad thing...Manual push of AD?
the whitepaper I'm working on with NetPro for AD recovery also contains those steps ;-)

we should clarify that for most other situations you do need to wait for the auth restore to replicate out, otherwise the group-adds (or other links) won't succeed in the other domains if you have any. In this case the tombstone hadn't replicated out so that the object already exists on all DCs.

step 3.1 - reboot that original DC containing the tombstone on which the NW plug was pulled

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Friday, 12 August 2005 02:41
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?
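The group-adds Guido refers to live in the ar_*_links_*.ldf file ntdsutil writes (delete the link, then add it back, one modify per link), and Brett's pre-SP1 advice in the thread is to issue the same delete/re-set operations by hand. As an added example that is not the thread's own code or ntdsutil output, the Python below builds such a file for a restored user and checks one before `Ldifde -i -k -f` is run against it: every link must point at the restored user and every delete must be followed by its matching add. The user DN and the two back-links are constructed from the thread's sample names, and the parser assumes the unfolded plain-text LDIF form shown in the thread.

```python
# Added example, not from the thread or from ntdsutil: build an LDIF file in the shape of
# the ar_*_links_*.ldf Guido describes (delete the link, then add it back) and check one
# before importing it with ldifde -i -k. The user DN and back-links below are constructed;
# finding the real back-links would need an LDAP query against a DC, which is not done here.

RESTORED_USER = "CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net"

# Constructed back-links: (DN of the object holding the link, link attribute)
LINKS = [
    ("CN=Child1-UG1,OU=Groups,OU=MyChild1OU1,DC=child1,DC=root,DC=net", "member"),
    ("CN=Child1-User2,OU=Accounts,OU=MyChild1OU1,DC=child1,DC=root,DC=net", "manager"),
]

def links_ldif(user_dn, links):
    """Emit one delete/add modify pair per link; ldifde -i -k applies them in order."""
    out = []
    for holder_dn, attr in links:
        for op in ("delete", "add"):
            out += [f"dn: {holder_dn}", "changetype: modify",
                    f"{op}: {attr}", f"{attr}: {user_dn}", "-", ""]
    return "\n".join(out)

def parse_ldif_mods(text):
    """Parse modify records into (dn, op, attr, value) tuples, one per value line."""
    mods, dn, op, attr = [], None, None, None
    for line in text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("changetype: "):
            if line[12:] != "modify":
                raise ValueError(f"{dn}: only changetype modify is expected, got {line[12:]}")
        elif line in ("-", ""):
            op = attr = None                      # end of one modification
        elif op is None:
            op, attr = line.split(": ", 1)        # e.g. "delete: member"
            if op not in ("add", "delete", "replace"):
                raise ValueError(f"{dn}: unexpected modify operation {op!r}")
        else:
            name, value = line.split(": ", 1)     # e.g. "member: CN=..."
            if name != attr:
                raise ValueError(f"{dn}: value for {name!r} inside a {attr!r} modification")
            mods.append((dn, op, attr, value))
    return mods

def check_link_restore(mods, user_dn):
    """Return the problems found: a link that does not point at the restored user, or a
    delete that is not immediately followed by the matching add (the file's invariant)."""
    problems = []
    for i, (dn, op, attr, value) in enumerate(mods):
        if value != user_dn:
            problems.append(f"{dn} {attr} points at {value}, not the restored user")
        if op == "delete" and (i + 1 >= len(mods) or mods[i + 1] != (dn, "add", attr, value)):
            problems.append(f"{dn} {attr}: delete is not followed by the matching add")
    return problems
```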
RE: [ActiveDir] A bad bad thing...Manual push of AD?
why can no one keep the version and the USN straight? Is this something that could be resolved by the issue discussed in ~Eric's blog under the Brett Unplugged - Still no posts category? :-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Thursday, August 11, 2005 3:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

NOT the USN. Everyone makes that mistake ... why can no one keep the version and the USN straight?

The USN never resolves replication conflicts, only tells us WHAT to replicate, never WHAT should win. The version is the opposite, it never tells us what we need to replicate, only who should win in case of a conflict ...

During auth restore the version is incremented by 10 (per day old the backup is), and the USN is simply allocated from the next available USN (i.e. it is only guaranteed to be at least 1 higher than the last USN, but more likely there is just some random number of USNs in between, so it jumps by some amount ...).

Cheers,
-BrettSh

On Thu, 11 Aug 2005, Rick Kingslan wrote:

Right, right. I forgot the increase of 10 in the USN. This would effectively insure that the newly authed object would not be overwritten by the object on the DC yanked from the network. So, Guido is right (as always). Rebuilding the DC is not even remotely the issue - and is not even necessary once the USN is increased.

Got it. Thanks for the clarification, all!

Rick

_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Thursday, August 11, 2005 3:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

You are both correct... However, what Brett says (and what I thought) is use another DC with the user still in full detail.
Boot into DSRM
Use NTDSUTIL and an AUTH restore so that the version of the object is increased (by 10)
Because the version of the user has been increased the deleted version of the user will be undone.
Only after restoring he should bring back the DC online. The deletion will replicate out and the undeletion (the object with a higher version) will replicate in.
If he brings the DC back online before doing an auth restore of the object, the deletion will replicate to the other DCs and then he will, as Brett said, need to do a system state restore.

The procedure Brett described below and I above looks like the lag site structure and in this with only one DC and someone who can run really fast... ;-)))

Jorge

_
From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Thu 8/11/2005 9:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

Brett,

How is this going to help him get the DC back online that he yanked the cable on? As soon as that system is plugged back in, it's going to repl out the change, no?

Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Thursday, August 11, 2005 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] A bad bad thing...Manual push of AD?

Well you're lucky that you yanked the network cable in time, now you don't have to do a system state restore to get the user back ...

Find a DC where the user still exists in a pristine condition, all the mailbox details, etc. Reboot the DC in DS Restore mode (DSRM). Use ntdsutil.exe to auth restore just that user's object. You may (probably will) also have to restore links to that user, at this point it'd be nice if you were running on Win2k3 SP1, but if not it is still accomplishable.

For Win2k3 SP1, after auth restoring the user, there should be some ldf file(s) that will allow you to restore the links. Simply use ldifde to apply these files to the appropriate DCs (up to one ldf per domain).

For pre this latest generation (which is more likely, because you could yank the net cable in time), you may have to find the objects that are linked to the user, and restore them yourself. You can do this by performing an LDAP operation that deletes and re-sets the links to that user.

BTW, there is a more extensive KB article you might find useful: http://support.microsoft.com/?kbid=840001

Cheers,
BrettSh

This posting is provided AS IS with no warranties, and confers no rights.

On Thu, 11 Aug 2005, Shadow Roldan wrote:

So I did a bad thing, I deleted a user at a different site and marked his mailbox for deletion. Immediately recognizing my mistake I *ran* to the server room and yanked the network cable of the dc I was connected to. For now, none of the changes have replicated. I want to bring this machine back online, but I don't want those changes
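Brett's distinction above (the USN says what to replicate, the version stamp says who wins) and Jorge's ordering of the steps, as an added toy model that is not from the thread or from any Microsoft tool: two replicas, a per-DC USN counter, and a (version, timestamp, originating DC) stamp that settles conflicts. It assumes the restore bumps the version by 10 per backup day (the figure Brett quotes) and an arbitrary USN jump of 37, and it shows the unplugged DC's delete being tossed even though that DC's USN is the higher one; the test also covers Jorge's warning that the delete wins if the DC comes back before the restore.

```python
# Toy model (added example, not from the thread or any Microsoft tool): the USN schedules
# WHAT replicates, the version stamp decides WHO wins. Assumed: stamps compare as (version,
# timestamp, originating DC); an auth restore adds 10 to the version per backup day, as Brett says.
from dataclasses import dataclass, field
from typing import NamedTuple

class Stamp(NamedTuple):
    version: int          # decides the conflict
    timestamp: int        # first tie-breaker (constructed clock)
    originating_dc: str   # last tie-breaker

@dataclass
class Replica:
    name: str
    usn: int = 0                                   # per-DC counter, never compared
    objects: dict = field(default_factory=dict)    # dn -> (deleted, Stamp)
    outbound: list = field(default_factory=list)   # (dn, deleted, Stamp) not yet sent

    def write(self, dn, deleted, stamp, usn_gap=1):  # originating write: takes the next USN(s)
        self.usn += usn_gap
        self.objects[dn] = (deleted, stamp)
        self.outbound.append((dn, deleted, stamp))

    def delete(self, dn, now):
        version = self.objects[dn][1].version
        self.write(dn, True, Stamp(version + 1, now, self.name))

    def auth_restore(self, dn, now, backup_age_days):
        deleted, stamp = self.objects[dn]
        version = stamp.version + 10 * max(1, backup_age_days)
        # ntdsutil takes the next free USN, which may jump by an arbitrary amount.
        self.write(dn, deleted, Stamp(version, now, self.name), usn_gap=37)

    def receive(self, dn, deleted, stamp):  # inbound: higher stamp wins, sender's USN ignored
        cur = self.objects.get(dn)
        if cur is not None and stamp <= cur[1]:
            return "tossed"
        self.usn += 1
        self.objects[dn] = (deleted, stamp)
        return "applied"

def replicate(src, dst):
    results, src.outbound = [dst.receive(*c) for c in src.outbound], []
    return results

def scenario():
    dc_a, dc_b = Replica("DC-A"), Replica("DC-B")
    user = "CN=Root-User1,OU=Accounts,DC=root,DC=net"         # constructed DN
    dc_a.write(user, False, Stamp(1, 1, "DC-A"))
    replicate(dc_a, dc_b)                                  # both DCs hold the live user
    dc_a.delete(user, now=2)                               # the mistake, not yet replicated
    for i in range(50):                                    # unrelated churn on DC-A
        dc_a.write(f"CN=noise{i},DC=root,DC=net", False, Stamp(1, 2, "DC-A"))
    dc_b.auth_restore(user, now=3, backup_age_days=1)      # version 1 -> 11
    usn_a_ahead = dc_a.usn > dc_b.usn                      # DC-A's USN is higher...
    delete_result = replicate(dc_a, dc_b)[0]               # ...yet its delete is tossed
    restore_result = replicate(dc_b, dc_a)[0]
    return {"usn_a_ahead": usn_a_ahead, "delete_on_dc_b": delete_result,
            "restore_on_dc_a": restore_result, "winning_version": dc_a.objects[user][1].version,
            "deleted_anywhere": dc_a.objects[user][0] or dc_b.objects[user][0]}
```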
RE: [ActiveDir] A bad bad thing...Manual push of AD?
I figured you'd be all over this one. Step aside everyone, there's a DR question and Guido's on his way! :0)

just teasing me ol' mate

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, August 11, 2005 7:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?