RE: [ActiveDir] AD Restore Problem

2005-10-08 Thread Rick Kingslan
However, as we have discussed here MANY, MANY times - it might not be
SUPPORTED.  That simply means that PSS is only going to give best effort.
They are NOT going to tell you:

Sorry - not supported. click

If they do - let me know.  I'll love taking that one to the brass.

As we know - DCs work quite well virtualized today, thank you very much.

Rick [msft, too]

P.S.  The 'not supported' thing goes for most anything that you can dream
up.  Believe me - PSS will try to solve nearly anything.  They might laugh -
but they will try.  And, gladly take your $245.00, or whatever per incident
is on your given current supported or not supported pain.
--
Posting is provided AS IS, and confers no rights or warranties ...
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, October 06, 2005 9:15 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Restore Problem

stupid question alert

Okay so unless you are insane SBS.. images of your DCs are ixnay.  What does
Sun, Linux, Mac or any other competing Server OS do in their world to ensure
the Kingdom easily and quickly comes back up?  yeah I know they don't have
AD but they have to have some competing glue, right? What have they done if
anything?


How to detect and recover from a USN rollback in Windows Server 2003:
http://support.microsoft.com/?kbid=875495

That KB is interesting as it clearly indicates that having a DC in a Virtual
Server environment is not supported... yet we SBSers have gotten word that
once Exchange 2003 sp2 supports Vserver all of the parts of the 'standard'
box will be supported in a virtual environment.


Brett Shirley wrote:

If you have any replicas of those servers, when you restore those 
VMWare images, you will have corrupted your forest during restore.

-BrettSh [msft]

This posting is provided AS IS with no warranties, and confers no 
rights.


On Thu, 6 Oct 2005, Carroll Frank USGR wrote:

  

I am working my way down the VMWare path also for my ultimate DR ace 
in the hole. The environment is a TLD with 4 child domains. I am 
planning on running a single VMWare server that has virtual DCs for 
all 5 domains. I am going to peel off a dedicated site/vlan and put 
the physical VMWare server and all of the DC virt servers in that 
site. None of the virtual DCs are going to be GCs. The reason for the 
dedicated site is so I can keep people from using them for validation 
in production.
 
Once I have them running, I plan to use the VM scripting to gracefully 
shut them down once a day and then shoot the image file of the 
shutdown DC off to tape, which then goes off-site. After the backup 
completes I then restart the virtual servers.
 
This plays into the different hardware scenario since I can use VMWare 
to abstract the hardware.
 
Of course, this whole process is the backup to the normal system state 
backup of all my backbone DCs.
 
FWIW - Frank



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, 
Hunter
Sent: Wednesday, October 05, 2005 5:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Restore Problem


You will still need to abandon the snapshot/image approach. Go to 
http://www.mail-archive.com/activedir@mail.activedir.org/ and search 
for usn rollback. You can get the same information by searching 
support.microsoft.com, but without the colorful and enlightening 
commentary that the list provides.
 
Hunter



  

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] AD Restore Problem

2005-10-08 Thread joe
 on my website for my tools -
http://www.joeware.net/win/free/warranty.htm


  joe


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, October 08, 2005 2:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Restore Problem

However, as we have discussed here MANY, MANY times - it might not be
SUPPORTED.  That simply means that PSS is only going to give best effort.
They are NOT going to tell you:

Sorry - not supported. click

If they do - let me know.  I'll love taking that one to the brass.

As we know - DCs work quite well virtualized today, thank you very much.

Rick [msft, too]

P.S.  The 'not supported' thing goes for most anything that you can dream
up.  Believe me - PSS will try to solve nearly anything.  They might laugh -
but they will try.  And, gladly take your $245.00, or whatever per incident
is on your given current supported or not supported pain.
--
Posting is provided AS IS, and confers no rights or warranties ...
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, October 06, 2005 9:15 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Restore Problem

stupid question alert

Okay so unless you are insane SBS.. images of your DCs are ixnay.  What does
Sun, Linux, Mac or any other competing Server OS do in their world to ensure
the Kingdom easily and quickly comes back up?  yeah I know they don't have
AD but they have to have some competing glue, right? What have they done if
anything?


How to detect and recover from a USN rollback in Windows Server 2003:
http://support.microsoft.com/?kbid=875495

That KB is interesting as it clearly indicates that having a DC in a Virtual
Server environment is not supported... yet we SBSers have gotten word that
once Exchange 2003 sp2 supports Vserver all of the parts of the 'standard'
box will be supported in a virtual environment.


Brett Shirley wrote:

If you have any replicas of those servers, when you restore those 
VMWare images, you will have corrupted your forest during restore.

-BrettSh [msft]

This posting is provided AS IS with no warranties, and confers no 
rights.


On Thu, 6 Oct 2005, Carroll Frank USGR wrote:

  

I am working my way down the VMWare path also for my ultimate DR ace 
in the hole. The environment is a TLD with 4 child domains. I am 
planning on running a single VMWare server that has virtual DCs for 
all 5 domains. I am going to peel off a dedicated site/vlan and put 
the physical VMWare server and all of the DC virt servers in that 
site. None of the virtual DCs are going to be GCs. The reason for the 
dedicated site is so I can keep people from using them for validation 
in production.
 
Once I have them running, I plan to use the VM scripting to gracefully 
shut them down once a day and then shoot the image file of the 
shutdown DC off to tape, which then goes off-site. After the backup 
completes I then restart the virtual servers.
 
This plays into the different hardware scenario since I can use VMWare 
to abstract the hardware.
 
Of course, this whole process is the backup to the normal system state 
backup of all my backbone DCs.
 
FWIW - Frank



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, 
Hunter
Sent: Wednesday, October 05, 2005 5:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Restore Problem


You will still need to abandon the snapshot/image approach. Go to 
http://www.mail-archive.com/activedir@mail.activedir.org/ and search 
for usn rollback. You can get the same information by searching 
support.microsoft.com, but without the colorful and enlightening 
commentary that the list provides.
 
Hunter



  



RE: [ActiveDir] AD Restore Problem

2005-10-07 Thread CHIANESE, DAVID
Not being flippant at all E-mail is so coarse sometimes.  I just
wanted to make sure we are all on the same page.  There seems to be much
controversy, even on the Microsoft site as to what's supported and what
is not.

 

David Chianese

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR
Sent: Thursday, October 06, 2005 5:26 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Restore Problem


Not at all. Read the post I actually replied to carefully, I was -
rather flippantly I admit - correcting the same misunderstanding that
you're presuming to correct me on.


-Original Message-
From: [EMAIL PROTECTED] on behalf of CHIANESE, DAVID
Sent: Thu 06/10/2005 21:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Restore Problem
 
Now you're comparing apples to oranges... Virtual PC is not the same as
Virtual Server.  The beginning of the thread  refers to Virtual Server
and VmWare, both let you create virtual machines.  

Virtual server from Microsoft DOES support running servers in
production:

http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en

snip
Running domain controllers in virtual machines is best suited for test
and pre-production piloting environments. With strict adherence to the
requirements described in this document, domain controllers running in
virtual machines can also be used in a production environment. /snip

Straight from M$.   

VmWare also allows you to run a virtual machine in production.  They
were ahead of the virtualization curve and M$ so naturally M$ will Not
support virtualized servers not using their own Virtual Server product.
I happen to be a fan of VmWare as they are not OS centric to the
Microsoft platform but support any OS platform.  It is also a more
mature product with many more features and capabilities than Virtual
Server from Microsoft. 


Regards,

David Chianese

 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR
Sent: Thursday, October 06, 2005 2:40 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Restore Problem



Running a production server in Virtual PC isn't supported, Period.

-Original Message-
From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Thu 06/10/2005 18:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Restore Problem
 
What is not supported is an image restored and running in a Virtual PC.

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: 06 October 2005 16:04
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Restore Problem

 

That article might not have been caught yet, support for DC's in Virtual
Server is a relatively new thing, but it is supported.

 

http://www.microsoft.com/downloads/details.aspx?FamilyID=64db845d-f7a3-4209-8ed2-e261a117fc6b&displaylang=en

 

That doesn't help SBS much though since Exchange is not yet supported in
Virtual Server.

 

Phil

 

On 10/6/05, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[EMAIL PROTECTED] wrote: 

stupid question alert

Okay so unless you are insane SBS.. images of your DCs are ixnay.  What 
does Sun, Linux, Mac or any other competing Server OS do in their world
to ensure the Kingdom easily and quickly comes back up?  yeah I know
they don't have AD but they have to have some competing glue, right? 
What have they done if anything?


How to detect and recover from a USN rollback in Windows Server 2003:
http://support.microsoft.com/?kbid=875495

That KB is interesting as it clearly indicates that having a DC in a
Virtual Server environment is not supported... yet we SBSers have gotten
word that once Exchange 2003 sp2 supports Vserver all of the parts of 
the 'standard' box will be supported in a virtual environment.


Brett Shirley wrote:

If you have any replicas of those servers, when you restore those
VMWare images, you will have corrupted your forest during restore.

-BrettSh [msft]

This posting is provided AS IS with no warranties, and confers no
rights.


On Thu, 6 Oct 2005, Carroll Frank USGR wrote:

 

I am working my way down the VMWare path also for my ultimate DR ace
in the hole. The environment is a TLD with 4 child domains. I am 
planning on running a single VMWare server that has virtual DCs for 
all 5 domains. I am going to peel off a dedicated site/vlan and put 
the physical VMWare server and all of the DC virt servers in that 
site. None of the virtual DCs are going to be GCs. The reason for the 
dedicated site is so I can keep people from using them for validation 
in production.

Once I have them running, I plan to use the VM scripting to gracefully

shut them down once a day and then shoot the image file

RE: [ActiveDir] AD Restore Problem

2005-10-06 Thread Brett Shirley
If you have any replicas of those servers, when you restore those VMWare
images, you will have corrupted your forest during restore.

-BrettSh [msft]

This posting is provided AS IS with no warranties, and confers no
rights.


On Thu, 6 Oct 2005, Carroll Frank USGR wrote:

 I am working my way down the VMWare path also for my ultimate DR ace in
 the hole. The environment is a TLD with 4 child domains. I am planning
 on running a single VMWare server that has virtual DCs for all 5
 domains. I am going to peel off a dedicated site/vlan and put the
 physical VMWare server and all of the DC virt servers in that site. None
 of the virtual DCs are going to be GCs. The reason for the dedicated
 site is so I can keep people from using them for validation in
 production.
  
 Once I have them running, I plan to use the VM scripting to gracefully
 shut them down once a day and then shoot the image file of the shutdown
 DC off to tape, which then goes off-site. After the backup completes I
 then restart the virtual servers.
  
 This plays into the different hardware scenario since I can use VMWare
 to abstract the hardware.
  
 Of course, this whole process is the backup to the normal system state
 backup of all my backbone DCs.
  
 FWIW - Frank
 
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
 Sent: Wednesday, October 05, 2005 5:37 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD Restore Problem
 
 
 You will still need to abandon the snapshot/image approach. Go to
 http://www.mail-archive.com/activedir@mail.activedir.org/ and search for
 usn rollback. You can get the same information by searching
 support.microsoft.com, but without the colorful and enlightening
 commentary that the list provides.
  
 Hunter
 
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of CHIANESE, DAVID
 Sent: Wednesday, October 05, 2005 2:09 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD Restore Problem
 
 
 I should clarify we don't actually use a laptop anymore as we have a HOT
 DR site defined and replicating live to Sungard.  Basically we have a
 vmware server in the DR site and replicate from that.  It greatly
 reduces post DR test administration in that we can revert back to the
 machine state previous to the test and not worry about metadata clean
 up.  The laptop always served us fine in a DR test with varying hardware
 at varying DR sites  tests.  Of course what I forgot to mention is that
 a good backup tape of your directory should be in the DR kit just in
 case the laptop comes up corrupt.  At least then you can restore vmware
 to the laptop and then the backup of AD to a vmware DC and go from
 there.  
  
  
 Regards,
 
 David Chianese
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
 Sent: Wednesday, October 05, 2005 3:19 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD Restore Problem
 
 
 
   There have been lots of discussions on this list about the
 perils of imaging DCs and introducing them back into your production
 environment. Avoid that like the plague.

   However, since VMWare/Virtual Server abstracts the hardware, it
 eliminates the restore-to-different-hardware problems. Build a DC on a
 virtual server and use NTBackup or your favorite 3rd party utility to
 back up the virtual server just as if it were a physical DC. Load up
 VMWare/Virtual Server on the alternate hardware and then restore your
 backup to a guest virtual machine.

   Besides, relying on a laptop in the DR kit means that you're
 putting a lot of faith in the laptop's hardware. Dicey proposition, IMO.

   Hunter
 
 
 
   From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of CHIANESE, DAVID
   Sent: Wednesday, October 05, 2005 12:58 PM
   To: ActiveDir@mail.activedir.org
   Subject: RE: [ActiveDir] AD Restore Problem
   
   
   You hit the nail on the head with VmWare.  Simply make a vmware
 laptop and dcpromo it to a DC/GC.  Place that laptop in a DR kit
 offsite.  Recall the kit and laptop once every 30 days and plug it into
 production to allow it to catch up on replication.  Place it back in
 your DR kit and ship it off site.  You can now contend with 2 DR
 scenarios: 

   1.) A Real DR where a regional or national disaster occurs.
   2.) A DR test where you do not want to affect production by
 seizing FSMO roles, making DNS changes, etc.

   In a real DR situation, you would simply plug in your DR laptop
 and build a new Windows server, dcpromo and replicate from the laptop.
 In fact, if you actually only had a regional outage you would be able to
 build a new server and replicate with whatever DC(s) were left in
 production that are reachable.

   In a test with VMware

Re: [ActiveDir] AD Restore Problem

2005-10-06 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

stupid question alert

Okay so unless you are insane SBS.. images of your DCs are ixnay.  What 
does Sun, Linux, Mac or any other competing Server OS do in their world 
to ensure the Kingdom easily and quickly comes back up?  yeah I know 
they don't have AD but they have to have some competing glue, right?  
What have they done if anything?



How to detect and recover from a USN rollback in Windows Server 2003:
http://support.microsoft.com/?kbid=875495

That KB is interesting as it clearly indicates that having a DC in a 
Virtual Server environment is not supported... yet we SBSers have gotten 
word that once Exchange 2003 sp2 supports Vserver all of the parts of 
the 'standard' box will be supported in a virtual environment.



Brett Shirley wrote:


If you have any replicas of those servers, when you restore those VMWare
images, you will have corrupted your forest during restore.

-BrettSh [msft]

This posting is provided AS IS with no warranties, and confers no
rights.


On Thu, 6 Oct 2005, Carroll Frank USGR wrote:

 


I am working my way down the VMWare path also for my ultimate DR ace in
the hole. The environment is a TLD with 4 child domains. I am planning
on running a single VMWare server that has virtual DCs for all 5
domains. I am going to peel off a dedicated site/vlan and put the
physical VMWare server and all of the DC virt servers in that site. None
of the virtual DCs are going to be GCs. The reason for the dedicated
site is so I can keep people from using them for validation in
production.

Once I have them running, I plan to use the VM scripting to gracefully
shut them down once a day and then shoot the image file of the shutdown
DC off to tape, which then goes off-site. After the backup completes I
then restart the virtual servers.

This plays into the different hardware scenario since I can use VMWare
to abstract the hardware.

Of course, this whole process is the backup to the normal system state
backup of all my backbone DCs.

FWIW - Frank



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Wednesday, October 05, 2005 5:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Restore Problem


You will still need to abandon the snapshot/image approach. Go to
http://www.mail-archive.com/activedir@mail.activedir.org/ and search for
usn rollback. You can get the same information by searching
support.microsoft.com, but without the colorful and enlightening
commentary that the list provides.

Hunter

   

 


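Added example (not written by any poster in this thread, and not Microsoft's code): a deliberately simplified Python model of the USN rollback that Brett's warning and the KB cited above refer to, comparing a restored VM image with a restore that resets the database identity. The class, function and object names are hypothetical, and real AD replication tracks far more state than this.

```python
import copy
import uuid
from dataclasses import dataclass, field


@dataclass
class DC:
    """Toy domain controller: one local USN counter plus a per-source watermark."""
    name: str
    invocation_id: str = field(default_factory=lambda: uuid.uuid4().hex)
    usn: int = 0                                   # highest USN committed locally
    objects: dict = field(default_factory=dict)    # key -> (value, origin id, origin USN)
    utd: dict = field(default_factory=dict)        # origin id -> highest USN received

    def write(self, key, value):
        """Originating write: stamp it with our invocation ID and next USN."""
        self.usn += 1
        self.objects[key] = (value, self.invocation_id, self.usn)

    def pull_from(self, src):
        """Take only changes above the watermark we hold for their origin."""
        pulled = []
        for key, (value, inv, usn) in sorted(src.objects.items(),
                                             key=lambda kv: kv[1][2]):
            if inv == self.invocation_id:
                continue                           # never ask for our own changes back
            if usn > self.utd.get(inv, 0):
                self.objects[key] = (value, inv, usn)
                self.utd[inv] = usn
                pulled.append(key)
        return sorted(pulled)


def view(dc):
    return {key: entry[0] for key, entry in dc.objects.items()}


def rollback_suspected(local, partner):
    """A partner has already seen a higher USN from us than we now hold."""
    return partner.utd.get(local.invocation_id, 0) > local.usn


def build_pair():
    """Constructed sample data: DC1 at USN 4, image taken when it was at USN 2."""
    dc1, dc2 = DC("DC1"), DC("DC2")
    dc1.write("user-a", "v1")
    dc1.write("user-b", "v1")
    dc2.pull_from(dc1)
    image = copy.deepcopy(dc1)                     # VM image / snapshot at USN 2
    dc1.write("user-c", "v1")
    dc1.write("user-a", "v2")
    dc2.pull_from(dc1)                             # DC2 now holds DC1 up to USN 4
    return dc2, image


def image_restore(image):
    """Image brought back as-is: same invocation ID, USN counter rewound."""
    return copy.deepcopy(image)


def supported_restore(image):
    """Restore that gives the database a new identity (assumed model)."""
    dc = copy.deepcopy(image)
    dc.utd[dc.invocation_id] = dc.usn              # what the old instance originated
    dc.invocation_id = uuid.uuid4().hex
    return dc


def run(restore):
    partner, image = build_pair()
    dc = restore(image)
    flagged = rollback_suspected(dc, partner)
    for key in ("user-d", "user-e", "user-f"):     # new work after the restore
        dc.write(key, "v1")
    return {
        "flagged_before_new_writes": flagged,
        "flagged_after_new_writes": rollback_suspected(dc, partner),
        "partner_pulled": partner.pull_from(dc),
        "restored_pulled": dc.pull_from(partner),
        "converged": view(dc) == view(partner),
    }


if __name__ == "__main__":
    for restore in (image_restore, supported_restore):
        print(restore.__name__, run(restore))
```

In the image case the partner silently skips the reused USNs 3 and 4, and the watermark check stops firing once the restored DC's counter passes the partner's watermark, which is why the rollback is hard to spot after the fact.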


RE: [ActiveDir] AD Restore Problem

2005-10-06 Thread Carroll Frank USGR
Brett,

My plan for the VMWare images is really for the ultimate DR scenario
where I have already lost the entire forest. In this case, I would use
the 5 images to completely restart from scratch (god help me ;-). The
theory is that if I shut them down gracefully and then shoot the now
closed image file off to tape I would have a much better shot with the
image file on different hardware, etc. The images together would be a
consistent point in time backup. The images would only be used if we
decide that the entire forest is already dead.

I have a total of about 190 +/- dedicated DCs for the entire forest. Of
those, about 30 of them are spread across three backbone nodes and those
30 are the ones that I send to tape daily (full system state). In the
case of losing a given DC (backbone or site level) the SOP is to remove
the remnants of the dead DC from the AD, rebuild/replace the server and
promote it again.

The goal was that I want to have an ace in the hole so I don't orphan
20K clients, 1500 servers and the rest of the AD objects (user accounts,
groups, mail info, etc).

Have I missed something here???

Thanks
Frank

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Thursday, October 06, 2005 9:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Restore Problem

If you have any replicas of those servers, when you restore those VMWare
images, you will have corrupted your forest during restore.

-BrettSh [msft]

This posting is provided AS IS with no warranties, and confers no
rights.


On Thu, 6 Oct 2005, Carroll Frank USGR wrote:

 I am working my way down the VMWare path also for my ultimate DR ace in
 the hole. The environment is a TLD with 4 child domains. I am planning
 on running a single VMWare server that has virtual DCs for all 5
 domains. I am going to peel off a dedicated site/vlan and put the
 physical VMWare server and all of the DC virt servers in that site. None
 of the virtual DCs are going to be GCs. The reason for the dedicated
 site is so I can keep people from using them for validation in
 production.
  
 Once I have them running, I plan to use the VM scripting to gracefully
 shut them down once a day and then shoot the image file of the shutdown
 DC off to tape, which then goes off-site. After the backup completes I
 then restart the virtual servers.
  
 This plays into the different hardware scenario since I can use VMWare
 to abstract the hardware.
  
 Of course, this whole process is the backup to the normal system state
 backup of all my backbone DCs.
  
 FWIW - Frank
 
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
 Sent: Wednesday, October 05, 2005 5:37 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD Restore Problem
 
 
 You will still need to abandon the snapshot/image approach. Go to
 http://www.mail-archive.com/activedir@mail.activedir.org/ and search for
 usn rollback. You can get the same information by searching
 support.microsoft.com, but without the colorful and enlightening
 commentary that the list provides.
  
 Hunter
 
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of CHIANESE, DAVID
 Sent: Wednesday, October 05, 2005 2:09 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD Restore Problem
 
 
 I should clarify we don't actually use a laptop anymore as we have a HOT
 DR site defined and replicating live to Sungard.  Basically we have a
 vmware server in the DR site and replicate from that.  It greatly
 reduces post DR test administration in that we can revert back to the
 machine state previous to the test and not worry about metadata clean
 up.  The laptop always served us fine in a DR test with varying hardware
 at varying DR sites  tests.  Of course what I forgot to mention is that
 a good backup tape of your directory should be in the DR kit just in
 case the laptop comes up corrupt.  At least then you can restore vmware
 to the laptop and then the backup of AD to a vmware DC and go from
 there.  
  
  
 Regards,
 
 David Chianese
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
 Sent: Wednesday, October 05, 2005 3:19 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD Restore Problem
 
 
 
   There have been lots of discussions on this list about the
 perils of imaging DCs and introducing them back into your production
 environment. Avoid that like the plague.

   However, since VMWare/Virtual Server abstracts the hardware, it
 eliminates the restore-to-different-hardware problems. Build a DC on a
 virtual server and use NTBackup or your favorite 3rd party utility to
 back up the virtual server just as if it were a physical DC. Load up
 VMWare/Virtual Server on the alternate hardware and then restore your
 backup to a guest virtual machine

RE: [ActiveDir] AD Restore Problem

2005-10-06 Thread Rob MOIR
With Apple Open Directory, you'd have multiple servers running a replica
of your Open Directory information. In other words, more than one DC.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: 06 October 2005 15:15
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Restore Problem

stupid question alert

Okay so unless you are insane SBS.. images of your DCs are ixnay.  What
does Sun, Linux, Mac or any other competing Server OS do in their world
to ensure the Kingdom easily and quickly comes back up?  yeah I know
they don't have AD but they have to have some competing glue, right?
What have they done if anything?


How to detect and recover from a USN rollback in Windows Server 2003:
http://support.microsoft.com/?kbid=875495

That KB is interesting as it clearly indicates that having a DC in a
Virtual Server environment is not supported... yet we SBSers have gotten
word that once Exchange 2003 sp2 supports Vserver all of the parts of
the 'standard' box will be supported in a virtual environment.


Brett Shirley wrote:

If you have any replicas of those servers, when you restore those 
VMWare images, you will have corrupted your forest during restore.

-BrettSh [msft]

This posting is provided AS IS with no warranties, and confers no 
rights.


On Thu, 6 Oct 2005, Carroll Frank USGR wrote:

  

I am working my way down the VMWare path also for my ultimate DR ace 
in the hole. The environment is a TLD with 4 child domains. I am 
planning on running a single VMWare server that has virtual DCs for 
all 5 domains. I am going to peel off a dedicated site/vlan and put 
the physical VMWare server and all of the DC virt servers in that 
site. None of the virtual DCs are going to be GCs. The reason for the 
dedicated site is so I can keep people from using them for validation 
in production.
 
Once I have them running, I plan to use the VM scripting to gracefully 
shut them down once a day and then shoot the image file of the 
shutdown DC off to tape, which then goes off-site. After the backup 
completes I then restart the virtual servers.
 
This plays into the different hardware scenario since I can use VMWare 
to abstract the hardware.
 
Of course, this whole process is the backup to the normal system state 
backup of all my backbone DCs.
 
FWIW - Frank



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, 
Hunter
Sent: Wednesday, October 05, 2005 5:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Restore Problem


You will still need to abandon the snapshot/image approach. Go to 
http://www.mail-archive.com/activedir@mail.activedir.org/ and search 
for usn rollback. You can get the same information by searching 
support.microsoft.com, but without the colorful and enlightening 
commentary that the list provides.
 
Hunter



  



Re: [ActiveDir] AD Restore Problem

2005-10-06 Thread Phil Renouf
That article might not have been caught yet, support for DC's in Virtual Server is a relatively new thing, but it is supported.

http://www.microsoft.com/downloads/details.aspx?FamilyID=64db845d-f7a3-4209-8ed2-e261a117fc6b&displaylang=en


That doesn't help SBS much though since Exchange is not yet supported in Virtual Server.

Phil
On 10/6/05, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:
stupid question alert

Okay so unless you are insane SBS.. images of your DCs are ixnay. What does Sun, Linux, Mac or any other competing Server OS do in their world to ensure the Kingdom easily and quickly comes back up? yeah I know they don't have AD but they have to have some competing glue, right? What have they done if anything?

How to detect and recover from a USN rollback in Windows Server 2003:
http://support.microsoft.com/?kbid=875495

That KB is interesting as it clearly indicates that having a DC in a Virtual Server environment is not supported... yet we SBSers have gotten word that once Exchange 2003 sp2 supports Vserver all of the parts of the 'standard' box will be supported in a virtual environment.

Brett Shirley wrote:

If you have any replicas of those servers, when you restore those VMWare images, you will have corrupted your forest during restore.

-BrettSh [msft]

This posting is provided AS IS with no warranties, and confers no rights.

On Thu, 6 Oct 2005, Carroll Frank USGR wrote:

I am working my way down the VMWare path also for my ultimate DR ace in the hole. The environment is a TLD with 4 child domains. I am planning on running a single VMWare server that has virtual DCs for all 5 domains. I am going to peel off a dedicated site/vlan and put the physical VMWare server and all of the DC virt servers in that site. None of the virtual DCs are going to be GCs. The reason for the dedicated site is so I can keep people from using them for validation in production.

Once I have them running, I plan to use the VM scripting to gracefully shut them down once a day and then shoot the image file of the shutdown DC off to tape, which then goes off-site. After the backup completes I then restart the virtual servers.

This plays into the different hardware scenario since I can use VMWare to abstract the hardware.

Of course, this whole process is the backup to the normal system state backup of all my backbone DCs.

FWIW - Frank

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Coleman, Hunter
Sent: Wednesday, October 05, 2005 5:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Restore Problem

You will still need to abandon the snapshot/image approach. Go to http://www.mail-archive.com/activedir@mail.activedir.org/ and search for usn rollback. You can get the same information by searching support.microsoft.com, but without the colorful and enlightening commentary that the list provides.

Hunter

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



Re: [ActiveDir] AD Restore Problem

2005-10-06 Thread Phil Renouf
Actually, reading your article more closely it doesn't explicitly state DC's are supported in Virtual Server, but it sort of touches on it:

Because it is difficult to detect and recover from a USN rollback, we recommend that administrators install hotfix 875495 on all Windows Server 2003 domain controllers, especially those in virtualized hosting environments.


The caution that I see in the article is that you can potentially cause a USN rollback using features of Virtual environments (including VS and VMWare).

Phil

On 10/6/05, Phil Renouf [EMAIL PROTECTED] wrote:

That article might not have been caught yet, support for DC's in Virtual Server is a relatively new thing, but it is supported.

http://www.microsoft.com/downloads/details.aspx?FamilyID=64db845d-f7a3-4209-8ed2-e261a117fc6b&displaylang=en


That doesn't help SBS much though since Exchange is not yet supported in Virtual Server.

Phil

On 10/6/05, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] 
[EMAIL PROTECTED] wrote: 
stupid question alert

Okay so unless you are insane SBS.. images of your DCs are ixnay.  What
does Sun, Linux, Mac or any other competing Server OS do in their world
to ensure the Kingdom easily and quickly comes back up?  yeah I know
they don't have AD but they have to have some competing glue, right?
What have they done if anything?

How to detect and recover from a USN rollback in Windows Server 2003:
http://support.microsoft.com/?kbid=875495

That KB is interesting as it clearly indicates that having a DC in a
Virtual Server environment is not supported... yet we SBSers have gotten
word that once Exchange 2003 sp2 supports Vserver all of the parts of
the 'standard' box will be supported in a virtual environment.

Brett Shirley wrote:

If you have any replicas of those servers, when you restore those VMWare
images, you will have corrupted your forest during restore.

-BrettSh [msft]

This posting is provided AS IS with no warranties, and confers no
rights.

On Thu, 6 Oct 2005, Carroll Frank USGR wrote:

I am working my way down the VMWare path also for my ultimate DR ace in
the hole. The environment is a TLD with 4 child domains. I am planning
on running a single VMWare server that has virtual DCs for all 5
domains. I am going to peel off a dedicated site/vlan and put the
physical VMWare server and all of the DC virt servers in that site. None
of the virtual DCs are going to be GCs. The reason for the dedicated
site is so I can keep people from using them for validation in
production.

Once I have them running, I plan to use the VM scripting to gracefully
shut them down once a day and then shoot the image file of the shutdown
DC off to tape, which then goes off-site. After the backup completes I
then restart the virtual servers.

This plays into the different hardware scenario since I can use VMWare
to abstract the hardware.

Of course, this whole process is the backup to the normal system state
backup of all my backbone DCs.

FWIW - Frank

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Coleman, Hunter
Sent: Wednesday, October 05, 2005 5:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Restore Problem

You will still need to abandon the snapshot/image approach. Go to
http://www.mail-archive.com/activedir@mail.activedir.org/ and search for
usn rollback. You can get the same information by searching
support.microsoft.com, but without the colorful and enlightening
commentary that the list provides.

Hunter

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] AD Restore Problem

2005-10-06 Thread Brett Shirley

You must make sure all 5 DCs for all domains are shutdown together, before
taking any of the images.  (as they're all replicas of the config NC,
being they're in the same forest)  

And obviously during restore you need to make sure you keep them from
talking to (i.e. trying to replicate w/) the existing DCs (b/c it's
unrealistic to get 190 disparate DCs shutdown).  There is guidance in
the AD forest recovery paper for this.

Sooo in my somewhat sleepy state, I see nothing wrong with your method.  
But do not take me saying I don't see an issue off the top of my head, as
any sort of Microsoft buy off. Restating the disclaimer now:
This posting is provided AS IS with no warranties, and confers
no rights. 

It's not technically performing any aspect of a stated plan that usually
makes me nervous, it's human nature that makes me nervous ...

Somewhere on one of the previous USN rollback threads, we discussed this
idea, what happens if you (who understand the semantics of this) get hit
by a bus, is your procedure well enough documented that a less astute
admin would not misunderstand the constraints of your restore system, and
make a significant misstep?
Human Nature aspect at issue:
We disregard rules that don't make immediate sense.

One last thing that makes me queasy, is I know what happens in an IT
meltdown, esp. in bigger environments, the junior admin on duty, will
usually DO ANYTHING to get the server back online.  You could come in, in
the morning only to discover one of the VM DCs was brought back up from
the image, and (I'm sure the quote will go exactly like this) there still
seems to be some replication issues, things are not syncing right, but at
least we got the server back up!!!
Human Nature aspect at issue:
Panicking creates poor choices.

You should view putting in place mechanisms to insure against such
missteps by your staff, as part of your responsibility as an IT admin.


Cheers,
-BrettSh [msft]

Disclaimer2:  Good luck.


On Thu, 6 Oct 2005, Carroll Frank USGR wrote:

 Brett,
 
 My plan for the VMWare images is really for the ultimate DR scenario
 where I have already lost the entire forest. In this case, I would use
 the 5 images to completely restart from scratch (god help me ;-). The
 theory is that if I shut them down gracefully and then shoot the now
 closed image file off to tape I would have a much better shot with the
 image file on different hardware, etc. The images together would be a
 consistent point in time backup. The images would only be used if we
 decide that the entire forest is already dead.
 
 I have a total of about 190 +/- dedicated DCs for the entire forest. Of
 those, about 30 of them are spread across three backbone nodes and those
 30 are the ones that I send to tape daily (full system state). In the
 case of losing a given DC (backbone or site level) the SOP is to remove
 the remnants of the dead DC from the AD, rebuild/replace the server and
 promote it again.
 
 The goal was that I want to have an ace in the hole so I don't orphan
 20K clients, 1500 servers and the rest of the AD objects (user accounts,
 groups, mail info, etc).
 
 Have I missed something here???
 
 Thanks
 Frank
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
 Sent: Thursday, October 06, 2005 9:51 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD Restore Problem
 
 If you have any replicas of those servers, when you restore those VMWare
 images, you will have corrupted your forest during restore.
 
 -BrettSh [msft]
 
 This posting is provided AS IS with no warranties, and confers no
 rights.
 
 
 On Thu, 6 Oct 2005, Carroll Frank USGR wrote:
 
  I am working my way down the VMWare path also for my ultimate DR ace
 in
  the hole. The environment is a TLD with 4 child domains. I am
 planning
  on running a single VMWare server that has virtual DCs for all 5
  domains. I am going to peel off a dedicated site/vlan and put the
  physical VMWare server and all of the DC virt servers in that site.
 None
  of the virtual DCs are going to be GCs. The reason for the dedicated
  site is so I can keep people from using them for validation in
  production.
   
  Once I have them running, I plan to use the VM scripting to gracefully
  shut them down once a day and then shoot the image file of the
 shutdown
  DC off to tape, which then goes off-site. After the backup completes I
  then restart the virtual servers.
   
  This plays into the different hardware scenario since I can use VMWare
  to abstract the hardware.
   
  Of course, this whole process is the backup to the normal system state
  backup of all my backbone DCs.
   
  FWIW - Frank
  
  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Coleman,
 Hunter
  Sent: Wednesday, October 05, 2005 5:37 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE

RE: [ActiveDir] AD Restore Problem

2005-10-06 Thread Fugleberg, David A
As I read it, the KB cited does NOT say that 'having a DC in a Virtual
Server environment is not supported'.  In fact, MS has published a paper
(http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en)
with explicit guidance on how to successfully run DCs on virtual server.

The cited KB DOES explain that bringing a backed up virtual DC online to
recover from a failure will cause problems (because of the USN rollback
issue).

As has been pointed out many times on this list, restoring a failed DC
from a disk image (Ghost, .vhd file, whatever) is a spectacularly Bad
Idea.  As I understand it, this is primarily because all DCs track some
metadata about the state of the AD NC replicas on their replication
partners (the High-Watermark Vector, the Up-To-Date vector, and the GUID
of the replica itself, for example).  If a failed DC is 'restored' by
reviving an old image, the partner DCs will believe the DC is more
up-to-date than it really is, and replication will suffer.  The hotfix
in the cited KB article will protect you somewhat by logging an event
and stopping netlogon, but you still need to clean it up.  On the other
hand, restoring a DC using normal System State restore procedures causes
the restored replica to get a new GUID, so it's obvious to the
replication partners that they're dealing with a 'different' replica and
normal replication can allow it to catch up.

So, DC on VS = OK, but restoring a disk image of a DC = BAD.

Dave
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, October 06, 2005 9:15 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Restore Problem


stupid question alert

Okay so unless you are insane SBS.. images of your DCs are ixnay.  What 
does Sun, Linux, Mac or any other competing Server OS do in their world 
to ensure the Kingdom easily and quickly comes back up?  yeah I know 
they don't have AD but they have to have some competing glue, right?  
What have they done if anything?


How to detect and recover from a USN rollback in Windows Server 2003:
http://support.microsoft.com/?kbid=875495

That KB is interesting as it clearly indicates that having a DC in a 
Virtual Server environment is not supported... yet we SBSers have gotten

word that once Exchange 2003 sp2 supports Vserver all of the parts of 
the 'standard' box will be supported in a virtual environment.


Brett Shirley wrote:

If you have any replicas of those servers, when you restore those 
VMWare images, you will have corrupted your forest during restore.

-BrettSh [msft]

This posting is provided AS IS with no warranties, and confers no 
rights.


On Thu, 6 Oct 2005, Carroll Frank USGR wrote:

  

I am working my way down the VMWare path also for my ultimate DR ace 
in the hole. The environment is a TLD with 4 child domains. I am 
planning on running a single VMWare server that has virtual DCs for 
all 5 domains. I am going to peel off a dedicated site/vlan and put 
the physical VMWare server and all of the DC virt servers in that 
site. None of the virtual DCs are going to be GCs. The reason for the 
dedicated site is so I can keep people from using them for validation 
in production.
 
Once I have them running, I plan to use the VM scripting to gracefully

shut them down once a day and then shoot the image file of the 
shutdown DC off to tape, which then goes off-site. After the backup 
completes I then restart the virtual servers.
 
This plays into the different hardware scenario since I can use VMWare

to abstract the hardware.
 
Of course, this whole process is the backup to the normal system state

backup of all my backbone DCs.
 
FWIW - Frank



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, 
Hunter
Sent: Wednesday, October 05, 2005 5:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Restore Problem


You will still need to abandon the snapshot/image approach. Go to 
http://www.mail-archive.com/activedir@mail.activedir.org/ and search 
for usn rollback. You can get the same information by searching 
support.microsoft.com, but without the colorful and enlightening 
commentary that the list provides.
 
Hunter



  

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
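
The bookkeeping Dave describes in the message above, as a simplified model. This is an added example, not part of the original thread and not Microsoft's replication code; the class and function names, the sample objects and the `detect` check are assumptions made for illustration, and only originating writes are modelled.

```python
import copy
import uuid
from dataclasses import dataclass, field


class UsnRollbackDetected(Exception):
    """A source DC offered a lower USN than its partner had already recorded."""


@dataclass
class DomainController:
    name: str
    invocation_id: str = field(default_factory=lambda: uuid.uuid4().hex)
    highest_usn: int = 0
    originated: dict = field(default_factory=dict)  # (invocation_id, usn) -> object
    replica: dict = field(default_factory=dict)     # changes pulled from partners
    seen: dict = field(default_factory=dict)        # invocation_id -> highest USN pulled

    def write(self, obj):
        """Originate a change locally; every change consumes the next USN."""
        self.highest_usn += 1
        self.originated[(self.invocation_id, self.highest_usn)] = obj

    def pull_from(self, source, detect=False):
        """Pull only changes newer than what we recorded for this replica ID."""
        known = self.seen.get(source.invocation_id, 0)
        if detect and source.highest_usn < known:
            # Hypothetical check: in this model it fires only while the
            # restored DC's USN is still below the partner's recorded value.
            raise UsnRollbackDetected(
                f"{source.name} is at USN {source.highest_usn}, "
                f"but {self.name} already recorded USN {known}")
        wanted = sorted(usn for (inv, usn) in source.originated
                        if inv == source.invocation_id and usn > known)
        for usn in wanted:
            key = (source.invocation_id, usn)
            self.replica[key] = source.originated[key]
        self.seen[source.invocation_id] = max(known, source.highest_usn)
        return [source.originated[(source.invocation_id, u)] for u in wanted]


def scenario(restore_kind, writes_after_restore, detect=False):
    """restore_kind: 'image' (old disk image) or 'system_state' (new replica ID)."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    for obj in ("alice", "bob", "carol"):        # constructed sample objects
        dc1.write(obj)                            # USN 1-3
    dc2.pull_from(dc1)
    image = copy.deepcopy(dc1)                    # backup taken at USN 3
    for obj in ("dave", "erin"):
        dc1.write(obj)                            # USN 4-5
    dc2.pull_from(dc1)                            # DC2 now records USN 5 for DC1

    dc1 = copy.deepcopy(image)                    # DC1 fails and is brought back
    if restore_kind == "system_state":
        dc1.invocation_id = uuid.uuid4().hex      # restored replica gets a new ID
    for obj in ("frank", "grace", "heidi")[:writes_after_restore]:
        dc1.write(obj)                            # consumes USN 4, 5, 6 again

    result = {"detected": False, "received": [], "divergent_usns": []}
    try:
        result["received"] = dc2.pull_from(dc1, detect=detect)
    except UsnRollbackDetected:
        result["detected"] = True
    # USNs where both DCs hold a change under the same replica ID but disagree
    result["divergent_usns"] = sorted(
        usn for (inv, usn), obj in dc1.originated.items()
        if dc2.replica.get((inv, usn), obj) != obj)
    return result


if __name__ == "__main__":
    for kind, n, det in [("image", 3, False), ("system_state", 3, False),
                         ("image", 0, True), ("image", 3, True)]:
        print(kind, n, det, scenario(kind, n, det))
```

With the image restore, DC2 never asks for USNs 4 and 5 again, so the two DCs silently hold different objects under the same identifiers; with the new replica ID, DC2 starts from zero for that ID and pulls everything written after the restore.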


Re: [ActiveDir] AD Restore Problem

2005-10-06 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]




Item 2 is kinda the part that I read as saying "uh...you sure you want
to do that?"

Operations that are not supported include the following:

1.   Starting an Active Directory domain controller whose operating
system was restored to a hard disk by using an imaging program such as
Norton Ghost
2.   Starting an Active Directory domain controller whose operating
system resides in a virtualized hosting environment such as Microsoft
Virtual PC, Microsoft Virtual Server 2005, or EMC VMWARE
3.   Starting an Active Directory domain controller that is located on a
volume where the disk subsystem loads using previously saved images of
the operating system without requiring a system state restoration of
Active Directory.

  



Fugleberg, David A wrote:

  As I read it, The KB cited does NOT say that 'having a DC in a Virtual
Server environment is not supported'.  In fact, 
MS has published a paper
(http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-
4209-8ED2-E261A117FC6Bdisplaylang=en) with explicit guidance on how to
successfully run DCs on virtual server.

The cited KB DOES explain that bringing a backed up virtual DC online to
recover from a failure will cause problems (because of the USN rollback
issue).

As has been pointed out many times on this list, restoring a failed DC
from a disk image (Ghost, .vhd file, whatever) is a spectacularly Bad
Idea.  As I understand it, this is primarily because all DCs track some
metadata about the state of the AD NC replicas on their replication
partners (the High-Watermark Vector, the Up-To-Date vector, and the GUID
of the replica itself, for example).  If a failed DC is 'restored' by
reviving an old image, the partner DCs will believe the DC is more
up-to-date than it really is, and replication will suffer.  The hotfix
in the cited KB article will protect you somewhat by logging an event
and stopping netlogon, but you still need to clean it up.  On the other
hand, restoring a DC using normal System State restore procedures causes
the restored replica to get a new GUID, so it's obvious to the
replication partners that they're dealing with a 'different' replica and
normal replication can allow it to catch up.

So, "DC on VS" = OK, but "restoring a disk image of a DC" = BAD.

Dave
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, October 06, 2005 9:15 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Restore Problem


stupid question alert

Okay so unless you are insane SBS.. images of your DCs are ixnay.  What 
does Sun, Linux, Mac or any other competing Server OS do in their world 
to ensure the Kingdom easily and quickly comes back up?  yeah I know 
they don't have AD but they have to have some competing glue, right?  
What have they done if anything?


How to detect and recover from a USN rollback in Windows Server 2003:
http://support.microsoft.com/?kbid=875495

That KB is interesting as it clearly indicates that having a DC in a 
Virtual Server environment is not supported... yet we SBSers have gotten

word that once Exchange 2003 sp2 supports Vserver all of the parts of 
the 'standard' box will be supported in a virtual environment.


Brett Shirley wrote:

  
  
If you have any replicas of those servers, when you restore those 
VMWare images, you will have corrupted your forest during restore.

-BrettSh [msft]

This posting is provided "AS IS" with no warranties, and confers no 
rights.


On Thu, 6 Oct 2005, Carroll Frank USGR wrote:

 



I am working my way down the VMWare path also for my ultimate DR "ace
in the hole". The environment is a TLD with 4 child domains. I am
planning on running a single VMWare server that has virtual DCs for
all 5 domains. I am going to peel off a dedicated site/vlan and put
the physical VMWare server and all of the DC virt servers in that
site. None of the virtual DCs are going to be GCs. The reason for the
dedicated site is so I can keep people from using them for validation
in production.

Once I have them running, I plan to use the VM scripting to gracefully
shut them down once a day and then shoot the image file of the
shutdown DC off to tape, which then goes off-site. After the backup
completes I then restart the virtual servers.

This plays into the different hardware scenario since I can use VMWare
to abstract the hardware.

Of course, this whole process is the backup to the normal system state
backup of all my backbone DCs.

FWIW - Frank



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Coleman, 
Hunter
Sent: Wednesday, October 05, 2005 5:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [A

RE: [ActiveDir] AD Restore Problem

2005-10-06 Thread Mark Parris








What is not supported is an image restored
and running in a Virtual PC.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: 06 October 2005 16:04
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Restore Problem

That article might not have been caught yet, support for DC's in
Virtual Server is a relatively new thing, but it is supported.

http://www.microsoft.com/downloads/details.aspx?FamilyID=64db845d-f7a3-4209-8ed2-e261a117fc6b&displaylang=en

That doesn't help SBS much though since Exchange is not yet supported
in Virtual Server.

Phil

On 10/6/05, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:

stupid question alert

Okay so unless you are insane SBS.. images of your DCs are ixnay.  What
does Sun, Linux, Mac or any other competing Server OS do in their world
to ensure the Kingdom easily and quickly comes back up?  yeah I know
they don't have AD but they have to have some competing glue, right?
What have they done if anything?


How to detect and recover from a USN rollback in Windows Server 2003:
http://support.microsoft.com/?kbid=875495

That KB is interesting as it clearly indicates that having a DC in a
Virtual Server environment is not supported... yet we SBSers have gotten
word that once Exchange 2003 sp2 supports Vserver all of the parts of 
the 'standard' box will be supported in a virtual environment.


Brett Shirley wrote:

If you have any replicas of those servers, when you restore those VMWare
images, you will have corrupted your forest during restore. 

-BrettSh [msft]

This posting is provided AS IS with no warranties, and confers
no
rights.


On Thu, 6 Oct 2005, Carroll Frank USGR wrote:

 

I am working my way down the VMWare path also for my ultimate DR
ace in
the hole. The environment is a TLD with 4 child domains. I am
planning
on running a single VMWare server that has virtual DCs for all 5 
domains. I am going to peel off a dedicated site/vlan and put the
physical VMWare server and all of the DC virt servers in that site.
None
of the virtual DCs are going to be GCs. The reason for the dedicated 
site is so I can keep people from using them for validation in
production.

Once I have them running, I plan to use the VM scripting to gracefully
shut them down once a day and then shoot the image file of the shutdown

DC off to tape, which then goes off-site. After the backup completes I
then restart the virtual servers.

This plays into the different hardware scenario since I can use VMWare 
to abstract the hardware.

Of course, this whole process is the backup to the normal system state
backup of all my backbone DCs.

FWIW - Frank
 


From: [EMAIL PROTECTED]
[mailto:
[EMAIL PROTECTED]] On Behalf Of Coleman, Hunter
Sent: Wednesday, October 05, 2005 5:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Restore Problem 


You will still need to abandon the snapshot/image approach. Go to
http://www.mail-archive.com/activedir@mail.activedir.org/
and search for
usn rollback. You can get the same information by searching
support.microsoft.com, but
without the colorful and enlightening 
commentary that the list provides.

Hunter





List info : http://www.activedir.org/List.aspx

List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/













RE: [ActiveDir] AD Restore Problem

2005-10-06 Thread deji
Susan,
 
item #2 is perfectly fine now. You can host your DC on a VS guest and MS will
support it. I know you know that that is not the same as SAVING it to a vhd
and resuscitating it a month later. That will cause problems like Brett and
others have said repeatedly. But, RUNNING your DC on VS is not a bad thing
anymore.
 
I run E2K3-SP2 on VS2005-SP1 right now, and it works fine for me. MS will
begin to support that, too - not because it works for ME, but because they
know that there are no technical limitations that will necessitate not
supporting it.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka
Ebitz - SBS Rocks [MVP]
Sent: Thu 10/6/2005 9:28 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Restore Problem


Item 2 is kinda the part that I read as saying uh...you sure you want to do
that?

Operations that are not supported include the following: 
1.   Starting an Active Directory domain controller whose operating
system was restored to a hard disk by using an imaging program such as Norton
Ghost   
2.   Starting an Active Directory domain controller whose operating
system resides in a virtualized hosting environment such as Microsoft Virtual
PC, Microsoft Virtual Server 2005, or EMC VMWARE
3.   Starting an Active Directory domain controller that is located on a
volume where the disk subsystem loads using previously saved images of the
operating system without requiring a system state restoration of Active
Directory.  


Fugleberg, David A wrote: 

As I read it, The KB cited does NOT say that 'having a DC in a
Virtual
Server environment is not supported'.  In fact, 
MS has published a paper

(http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-
4209-8ED2-E261A117FC6Bdisplaylang=en) with explicit guidance on how
to
successfully run DCs on virtual server.

The cited KB DOES explain that bringing a backed up virtual DC online
to
recover from a failure will cause problems (because of the USN
rollback
issue).

As has been pointed out many times on this list, restoring a failed
DC
from a disk image (Ghost, .vhd file, whatever) is a spectacularly Bad
Idea.  As I understand it, this is primarily because all DCs track
some
metadata about the state of the AD NC replicas on their replication
partners (the High-Watermark Vector, the Up-To-Date vector, and the
GUID
of the replica itself, for example).  If a failed DC is 'restored' by
reviving an old image, the partner DCs will believe the DC is more
up-to-date than it really is, and replication will suffer.  The
hotfix
in the cited KB article will protect you somewhat by logging an event
and stopping netlogon, but you still need to clean it up.  On the
other
hand, restoring a DC using normal System State restore procedures
causes
the restored replica to get a new GUID, so it's obvious to the
replication partners that they're dealing with a 'different' replica
and
normal replication can allow it to catch up.

So, DC on VS = OK, but restoring a disk image of a DC = BAD.

Dave
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan
Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, October 06, 2005 9:15 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Restore Problem


stupid question alert

Okay so unless you are insane SBS.. images of your DCs are ixnay.
What 
does Sun, Linux, Mac or any other competing Server OS do in their
world 
to ensure the Kingdom easily and quickly comes back up?  yeah I know

they don't have AD but they have to have some competing glue, right?

What have they done if anything?


How to detect and recover from a USN rollback in Windows Server 2003:
http://support.microsoft.com/?kbid=875495

That KB is interesting as it clearly indicates that having a DC in a 
Virtual Server environment is not supported... yet we SBSers have
gotten

word that once Exchange 2003 sp2 supports Vserver all of the parts of

the 'standard' box will be supported in a virtual environment.


Brett Shirley wrote:

  

If you have any replicas of those servers, when you restore
those 
VMWare images, you will have corrupted your forest during
restore

RE: [ActiveDir] AD Restore Problem

2005-10-06 Thread Rob MOIR

Running a production server in Virtual PC isn't supported, Period.

-Original Message-
From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Thu 06/10/2005 18:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Restore Problem
 
What is not supported is an image restored and running in a Virtual PC.

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: 06 October 2005 16:04
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Restore Problem

 

That article might not have been caught yet, support for DC's in Virtual
Server is a relatively new thing, but it is supported.

 

http://www.microsoft.com/downloads/details.aspx?FamilyID=64db845d-f7a3-4209-8ed2-e261a117fc6b&displaylang=en

 

That doesn't help SBS much though since Exchange is not yet supported in
Virtual Server.

 

Phil

 

On 10/6/05, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[EMAIL PROTECTED] wrote: 

stupid question alert

Okay so unless you are insane SBS.. images of your DCs are ixnay.  What 
does Sun, Linux, Mac or any other competing Server OS do in their world
to ensure the Kingdom easily and quickly comes back up?  yeah I know
they don't have AD but they have to have some competing glue, right? 
What have they done if anything?


How to detect and recover from a USN rollback in Windows Server 2003:
http://support.microsoft.com/?kbid=875495

That KB is interesting as it clearly indicates that having a DC in a
Virtual Server environment is not supported... yet we SBSers have gotten
word that once Exchange 2003 sp2 supports Vserver all of the parts of 
the 'standard' box will be supported in a virtual environment.


Brett Shirley wrote:

If you have any replicas of those servers, when you restore those VMWare
images, you will have corrupted your forest during restore. 

-BrettSh [msft]

This posting is provided AS IS with no warranties, and confers no
rights.


On Thu, 6 Oct 2005, Carroll Frank USGR wrote:

 

I am working my way down the VMWare path also for my ultimate DR ace in
the hole. The environment is a TLD with 4 child domains. I am planning
on running a single VMWare server that has virtual DCs for all 5 
domains. I am going to peel off a dedicated site/vlan and put the
physical VMWare server and all of the DC virt servers in that site. None
of the virtual DCs are going to be GCs. The reason for the dedicated 
site is so I can keep people from using them for validation in
production.

Once I have them running, I plan to use the VM scripting to gracefully
shut them down once a day and then shoot the image file of the shutdown 
DC off to tape, which then goes off-site. After the backup completes I
then restart the virtual servers.

This plays into the different hardware scenario since I can use VMWare 
to abstract the hardware.

Of course, this whole process is the backup to the normal system state
backup of all my backbone DCs.

FWIW - Frank
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Coleman, Hunter
Sent: Wednesday, October 05, 2005 5:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Restore Problem 


You will still need to abandon the snapshot/image approach. Go to
http://www.mail-archive.com/activedir@mail.activedir.org/ and search for
usn rollback. You can get the same information by searching
support.microsoft.com, but without the colorful and enlightening 
commentary that the list provides.

Hunter






 


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] AD Restore Problem

2005-10-06 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
The official word we have is that Exchange 2003 sp2 [when the Standard 
Exchange will be able to go up to 75 gigs...see EHLO blog for details 
and planning you should be doing now in a physical environment] will be 
fully supported in a virtual environment.  [There's a KB/support doc on 
this]   ISA is not supported yet...but will be in the future.


[EMAIL PROTECTED] wrote:


Susan,

item #2 is perfectly fine now. You can host your DC on a VS guest and MS will
support it. I know you know that that is not the same as SAVING it to a vhd
and resuscitating it a month later. That will cause problems like Brett and
others have said repeatedly. But, RUNNING your DC on VS is not a bad thing
anymore.

I run E2K3-SP2 on VS2005-SP1 right now, and it works fine for me. MS will
begin to support that, too - not because it works for ME, but because they
know that there are no technical limitations that will necessitate not
supporting it.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka
Ebitz - SBS Rocks [MVP]
Sent: Thu 10/6/2005 9:28 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Restore Problem


Item 2 is kinda the part that I read as saying uh...you sure you want to do
that?

Operations that are not supported include the following: 
1.   Starting an Active Directory domain controller whose operating
system was restored to a hard disk by using an imaging program such as Norton
Ghost
2.   Starting an Active Directory domain controller whose operating
system resides in a virtualized hosting environment such as Microsoft Virtual
PC, Microsoft Virtual Server 2005, or EMC VMWARE
3.   Starting an Active Directory domain controller that is located on a
volume where the disk subsystem loads using previously saved images of the
operating system without requiring a system state restoration of Active
Directory.


Fugleberg, David A wrote: 


As I read it, The KB cited does NOT say that 'having a DC in a Virtual
Server environment is not supported'.  In fact, MS has published a paper
(http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en)
with explicit guidance on how to successfully run DCs on virtual server.

The cited KB DOES explain that bringing a backed up virtual DC online to
recover from a failure will cause problems (because of the USN rollback
issue).

As has been pointed out many times on this list, restoring a failed DC
from a disk image (Ghost, .vhd file, whatever) is a spectacularly Bad
Idea.  As I understand it, this is primarily because all DCs track some
metadata about the state of the AD NC replicas on their replication
partners (the High-Watermark Vector, the Up-To-Date vector, and the GUID
of the replica itself, for example).  If a failed DC is 'restored' by
reviving an old image, the partner DCs will believe the DC is more
up-to-date than it really is, and replication will suffer.  The hotfix
in the cited KB article will protect you somewhat by logging an event
and stopping netlogon, but you still need to clean it up.  On the other
hand, restoring a DC using normal System State restore procedures causes
the restored replica to get a new GUID, so it's obvious to the
replication partners that they're dealing with a 'different' replica and
normal replication can allow it to catch up.

So, DC on VS = OK, but restoring a disk image of a DC = BAD.

Dave
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, October 06, 2005 9:15 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Restore Problem


stupid question alert

Okay so unless you are insane SBS.. images of your DCs are ixnay.  What
does Sun, Linux, Mac or any other competing Server OS do in their world
to ensure the Kingdom easily and quickly comes back up?  yeah I know
they don't have AD but they have to have some competing glue, right?
What have they done if anything?


How to detect and recover from a USN rollback in Windows Server 2003:
http://support.microsoft.com/?kbid=875495

That KB is interesting as it clearly indicates that having a DC in a
Virtual Server environment is not supported... yet we SBSers have gotten
word that once Exchange 2003 sp2 supports Vserver all of the parts
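
A simplified model of the mechanism Dave Fugleberg describes in the message quoted above, added here as an illustration and not code from any poster or from Microsoft. The class and function names and the 50/100/5 change counts are constructed, and the `safeguard` check is only a stand-in for the hotfix behaviour he mentions, not its actual logic.

```python
import copy
import uuid


class DC:
    """Toy domain controller holding one replica of the directory."""

    def __init__(self):
        self.invocation_id = uuid.uuid4().hex  # GUID of this replica
        self.usn = 0          # highest USN this replica has issued
        self.changes = {}     # (originating replica GUID, usn) -> value
        self.utd = {}         # up-to-dateness: replica GUID -> highest USN seen
        self.quarantined = False

    def write(self, value):
        self.usn += 1
        self.changes[(self.invocation_id, self.usn)] = value

    def vector(self):
        """Highest USN held per originating replica, own writes included."""
        return {**self.utd, self.invocation_id: self.usn}

    def pull_from(self, source, safeguard=True):
        """Inbound replication: fetch only what our vector says we lack."""
        mine = self.vector()
        # Stand-in for the hotfix behaviour mentioned in the thread: the
        # partner claims USNs this replica has not issued, so stop serving.
        if safeguard and mine.get(source.invocation_id, 0) > source.usn:
            source.quarantined = True
            return 0
        new = {k: v for k, v in source.changes.items()
               if k[1] > mine.get(k[0], 0)}
        self.changes.update(new)
        for inv, usn in source.vector().items():
            if inv != self.invocation_id:
                self.utd[inv] = max(self.utd.get(inv, 0), usn)
        return len(new)


def image_restore(backup):
    """Revive an old disk image: same replica GUID, USN counter rewound."""
    return copy.deepcopy(backup)


def system_state_restore(backup):
    """Restore the same data, but as a replica with a new GUID."""
    dc = copy.deepcopy(backup)
    dc.utd[dc.invocation_id] = dc.usn   # where the old identity stopped
    dc.invocation_id = uuid.uuid4().hex
    return dc


def scenario(restore, safeguard=True):
    a, b = DC(), DC()
    for i in range(50):
        a.write(f"pre-backup-{i}")
    backup = copy.deepcopy(a)            # backup taken at USN 50
    for i in range(50):
        a.write(f"post-backup-{i}")
    b.pull_from(a)                       # partner records DC-A at USN 100
    a = restore(backup)                  # DC-A fails and is brought back
    for i in range(5):
        a.write(f"post-restore-{i}")
    sent = b.pull_from(a, safeguard)     # do the new writes reach B?
    caught_up = 0 if a.quarantined else a.pull_from(b, safeguard)
    return {"sent": sent, "caught_up": caught_up,
            "quarantined": a.quarantined, "in_sync": a.changes == b.changes}


if __name__ == "__main__":
    print("image, no safeguard:", scenario(image_restore, safeguard=False))
    print("image, safeguard   :", scenario(image_restore))
    print("system state       :", scenario(system_state_restore))
```

With the image restore and no safeguard, the partner pulls nothing and the two replicas hold different data under the same USNs without any error being raised; with the new GUID, both sides converge.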

RE: [ActiveDir] AD Restore Problem

2005-10-06 Thread Mark.Whitby



Also, the documentation for Windows Server 2003 Service Pack 1 at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/BookofSP1/658a175c-486a-42ee-b3da-9b56de3d187c.mspx states:

Support for running domain controllers in virtual machines

On a single physical server that is running Windows Server 2003 and
Microsoft Virtual Server 2005, you can install multiple Windows Server 2003
or Windows 2000 Server domain controllers in separate virtual machines.
This platform is well suited for test environments. By using virtual
machines, you can effectively host multiple domains, multiple domain
controllers for the same domain, or even multiple forests on one physical
server that is running a single operating system. Windows Server 2003 SP1
also provides protection against directory corruption that can result from
improper backup and restoration of domain controller images. For more
information about running domain controllers in virtual machines, see
"Running Domain Controllers in Virtual Server 2005" on the Microsoft Web
site at http://go.microsoft.com/fwlink/?LinkId=38330

That document referenced is the same one that Phil mentioned.

Regards,
Mark.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: 06 October 2005 16:04
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Restore Problem

That article might not have been caught yet, support for DC's in Virtual 
Server is a relatively new thing, but it is supported.

http://www.microsoft.com/downloads/details.aspx?FamilyID=64db845d-f7a3-4209-8ed2-e261a117fc6b&displaylang=en


That doesn't help SBS much though since Exchange is not yet supported in 
Virtual Server.

Phil
On 10/6/05, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[EMAIL PROTECTED] wrote:

stupid question alert

Okay so unless you are insane SBS.. images of your DCs are ixnay.  What
does Sun, Linux, Mac or any other competing Server OS do in their world
to ensure the Kingdom easily and quickly comes back up?  yeah I know
they don't have AD but they have to have some competing glue, right?
What have they done if anything?

How to detect and recover from a USN rollback in Windows Server 2003:
http://support.microsoft.com/?kbid=875495

That KB is interesting as it clearly indicates that having a DC in a
Virtual Server environment is not supported... yet we SBSers have gotten
word that once Exchange 2003 sp2 supports Vserver all of the parts of
the 'standard' box will be supported in a virtual environment.

Brett Shirley wrote:

If you have any replicas of those servers, when you restore those VMWare
images, you will have corrupted your forest during restore.

-BrettSh [msft]

This posting is provided "AS IS" with no warranties, and confers no
rights.

On Thu, 6 Oct 2005, Carroll Frank USGR wrote:

I am working my way down the VMWare path also for my ultimate DR "ace in
the hole". The environment is a TLD with 4 child domains. I am planning
on running a single VMWare server that has virtual DCs for all 5
domains. I am going to peel off a dedicated site/vlan and put the
physical VMWare server and all of the DC virt servers in that site. None
of the virtual DCs are going to be GCs. The reason for the dedicated
site is so I can keep people from using them for validation in
production.

Once I have them running, I plan to use the VM scripting to gracefully
shut them down once a day and then shoot the image file of the shutdown
DC off to tape, which then goes off-site. After the backup completes I
then restart the virtual servers.

This plays into the different hardware scenario since I can use VMWare
to abstract the hardware.

Of course, this whole process is the backup to the normal system state
backup of all my backbone DCs.

FWIW - Frank

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Coleman, Hunter
Sent: Wednesday, October 05, 2005 5:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Restore Problem

You will still need to abandon the snapshot/image approach. Go to
http://www.mail-archive.com/activedir@mail.activedir.org/ and search for
"usn rollback". You can get the same information by searching
support.microsoft.com, but without the colorful and enlightening
commentary that the list provides.

Hunter



Re: [ActiveDir] AD Restore Problem

2005-10-06 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Windows Server System software not supported within a Microsoft Virtual 
Server environment:

http://support.microsoft.com/?id=897614


Rob MOIR wrote:


Running a production server in Virtual PC isn't supported, Period.

-Original Message-
From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Thu 06/10/2005 18:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Restore Problem

What is not supported is an image restored and running in a Virtual PC.





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: 06 October 2005 16:04
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Restore Problem



That article might not have been caught yet, support for DC's in Virtual
Server is a relatively new thing, but it is supported.



http://www.microsoft.com/downloads/details.aspx?FamilyID=64db845d-f7a3-4209-8ed2-e261a117fc6b&displaylang=en




That doesn't help SBS much though since Exchange is not yet supported in
Virtual Server.



Phil



On 10/6/05, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[EMAIL PROTECTED] wrote: 


stupid question alert

Okay so unless you are insane SBS.. images of your DCs are ixnay.  What
does Sun, Linux, Mac or any other competing Server OS do in their world
to ensure the Kingdom easily and quickly comes back up?  yeah I know
they don't have AD but they have to have some competing glue, right?
What have they done if anything?



How to detect and recover from a USN rollback in Windows Server 2003:
http://support.microsoft.com/?kbid=875495

That KB is interesting as it clearly indicates that having a DC in a
Virtual Server environment is not supported... yet we SBSers have gotten
word that once Exchange 2003 sp2 supports Vserver all of the parts of 
the 'standard' box will be supported in a virtual environment.



Brett Shirley wrote:

 


If you have any replicas of those servers, when you restore those VMWare
images, you will have corrupted your forest during restore. 


-BrettSh [msft]

This posting is provided AS IS with no warranties, and confers no
rights.


On Thu, 6 Oct 2005, Carroll Frank USGR wrote:



   


I am working my way down the VMWare path also for my ultimate DR ace in
the hole. The environment is a TLD with 4 child domains. I am planning
on running a single VMWare server that has virtual DCs for all 5
domains. I am going to peel off a dedicated site/vlan and put the
physical VMWare server and all of the DC virt servers in that site. None
of the virtual DCs are going to be GCs. The reason for the dedicated
site is so I can keep people from using them for validation in
production.

Once I have them running, I plan to use the VM scripting to gracefully
shut them down once a day and then shoot the image file of the shutdown
DC off to tape, which then goes off-site. After the backup completes I
then restart the virtual servers.

This plays into the different hardware scenario since I can use VMWare
to abstract the hardware.

Of course, this whole process is the backup to the normal system state
backup of all my backbone DCs.

FWIW - Frank



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Wednesday, October 05, 2005 5:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Restore Problem



You will still need to abandon the snapshot/image approach. Go to
http://www.mail-archive.com/activedir@mail.activedir.org/ and search for
usn rollback. You can get the same information by searching
support.microsoft.com, but without the colorful and enlightening 
commentary that the list provides.


Hunter



 

   


 



--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com




RE: [ActiveDir] AD Restore Problem

2005-10-06 Thread CHIANESE, DAVID
Now you're comparing apples to oranges... Virtual PC is not the same as
Virtual Server.  The beginning of the thread  refers to Virtual Server
and VmWare, both let you create virtual machines.  

Virtual server from Microsoft DOES support running servers in
production:

http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en

<snip>
Running domain controllers in virtual machines is best suited for test
and pre-production piloting environments. With strict adherence to the
requirements described in this document, domain controllers running in
virtual machines can also be used in a production environment.
</snip>

Straight from M$.   

VmWare also allows you to run a virtual machine in production.  They
were ahead of the virtualization curve and M$ so naturally M$ will Not
support virtualized servers not using their own Virtual Server product.
I happen to be a fan of VmWare as they are not OS centric to the
Microsoft platform but support any OS platform.  It is also a more
mature product with many more features and capabilities than Virtual
Server from Microsoft. 


Regards,

David Chianese

 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR
Sent: Thursday, October 06, 2005 2:40 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Restore Problem



Running a production server in Virtual PC isn't supported, Period.

-Original Message-
From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Thu 06/10/2005 18:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Restore Problem
 
What is not supported is an image restored and running in a Virtual PC.

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: 06 October 2005 16:04
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Restore Problem

 

That article might not have been caught yet, support for DC's in Virtual
Server is a relatively new thing, but it is supported.

 

http://www.microsoft.com/downloads/details.aspx?FamilyID=64db845d-f7a3-4209-8ed2-e261a117fc6b&displaylang=en

 

That doesn't help SBS much though since Exchange is not yet supported in
Virtual Server.

 

Phil

 

On 10/6/05, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[EMAIL PROTECTED] wrote: 

stupid question alert

Okay so unless you are insane SBS.. images of your DCs are ixnay.  What 
does Sun, Linux, Mac or any other competing Server OS do in their world
to ensure the Kingdom easily and quickly comes back up?  yeah I know
they don't have AD but they have to have some competing glue, right? 
What have they done if anything?


How to detect and recover from a USN rollback in Windows Server 2003:
http://support.microsoft.com/?kbid=875495

That KB is interesting as it clearly indicates that having a DC in a
Virtual Server environment is not supported... yet we SBSers have gotten
word that once Exchange 2003 sp2 supports Vserver all of the parts of 
the 'standard' box will be supported in a virtual environment.


Brett Shirley wrote:

If you have any replicas of those servers, when you restore those 
VMWare images, you will have corrupted your forest during restore.

-BrettSh [msft]

This posting is provided AS IS with no warranties, and confers no 
rights.


On Thu, 6 Oct 2005, Carroll Frank USGR wrote:

 

I am working my way down the VMWare path also for my ultimate DR ace 
in the hole. The environment is a TLD with 4 child domains. I am 
planning on running a single VMWare server that has virtual DCs for 
all 5 domains. I am going to peel off a dedicated site/vlan and put 
the physical VMWare server and all of the DC virt servers in that 
site. None of the virtual DCs are going to be GCs. The reason for the 
dedicated site is so I can keep people from using them for validation 
in production.

Once I have them running, I plan to use the VM scripting to gracefully
shut them down once a day and then shoot the image file of the
shutdown DC off to tape, which then goes off-site. After the backup
completes I then restart the virtual servers.

This plays into the different hardware scenario since I can use VMWare
to abstract the hardware.

Of course, this whole process is the backup to the normal system state
backup of all my backbone DCs.

FWIW - Frank
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Wednesday, October 05, 2005 5:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Restore Problem


You will still need to abandon the snapshot/image approach. Go to 
http://www.mail-archive.com/activedir@mail.activedir.org/ and search 
for usn rollback. You can get the same information by searching 
support.microsoft.com, but without the colorful

Re: [ActiveDir] AD Restore Problem

2005-10-05 Thread Laura E. Hunter
In multiple years of doing DR drills at an off-site location, I've
never had a restore AD to alternate hardware process go anywhere
near as smoothly as I'd like.  (For anyone who remembers joe's AD
Gripes thread, that was one of my big ones.)  I've almost always
needed to resort to a repair install or an in-place upgrade.

A few things that I've had to do to make things work in various situations:

* Rip out TCP/IP & Winsock and re-install them.  (4 pages of reg hacks
in 2000, like 3 netsh commands in 2K3.)

* Remove all video drivers and NICs before the final reboot to allow
Plug&Pl(r)ay to pick them back up again correctly.

* Save the boot.ini, ntldr, ntoskrnl.exe and a few other files from
the new hardware -before- restoring, then copy them back on -after-
the restore.  (repetitive whine I just want to restore the DIT and
the log files, for cripes' sake, why can't I just DO that?!?!?!? /
repetitive whine)

Once you get it back up, make sure that you metadata cleanup, clean up
lingering replication objects and then seize all 5 FSMOs.  And at the
end of the day, once I have the restored box to the point that it's
(mostly) working, I'll manually dcpromo a second box up so that it can
come up naturally without any lingering dead bodies hiding in the
depths of the restored OS.

- Laura

On 10/5/05, Carerros, Charles [EMAIL PROTECTED] wrote:
 My DR plan in reality is:

 If I lose a building that hosts my DCs, I build new DCs and sync off DCs
 at remote locations (I'm lucky to have DCs placed throughout the US and
 Canada so I should always have a working DC somewhere to grab the AD
 databases and then I seize some FSMO roles) and then do a metadata cleanup
 on the boxes that are sitting under tons of rubble or in the middle of a
 river, etc.

 If someone deletes the AD, then I do an authoritative restore using the
 same hardware that the DC is stored on.

 The problem I'm facing right now is that we are going to do a DR test at
 Sunguard and they don't use the same hardware and even though I told
 everyone we don't do a full restore on a DC unless we have the hardware that
 the DC was installed upon they still want me to restore a DC from tape. Oh,
 and we won't have connectivity to any of our offices.

 I told them it might not be possible but I would do what I can to get it to
 work.  (I have a backup plan which is a VMWare copy of one of my production
 DCs but it is only in the test phase).

 In reality I should never have a need for this but for my test DR site I
 think I will.  And I was just wondering if anyone could give me some extra
 pointers that might help me along.

 Charlie

 
 From: van Donk, Fred [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, October 05, 2005 12:34 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD Restore Problem


 Charlie,

 A few years ago I worked with PSS on this on Windows 2000. The end result
 was it will not work due to the fact it is different hardware.
 Biggest problems were SCSI controllers and Video Drivers we worked on it for
 a solid week straight.

 The real question is why do you want to move? Why would you not create a DC
 on the new box and demote the old box? Just make sure you have a DC
 somewhere in your network the hurricane will not take it out. :-)

 Fred

 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Carerros, Charles
 Sent: Wednesday, October 05, 2005 9:05 AM
 To: 'ActiveDir@mail.activedir.org'
 Subject: [ActiveDir] AD Restore Problem


 I'm having a problem restoring my AD to different hardware.  I know there
 are some issues but I hear that people have been able to follow some MS docs
 and get it done but I can't seem to pull it off.

 I'm working with a HP server to Dell hardware and in the next week I will be
 going from HP to Compaq at our DR test site and I kinda need to get this
 working.

 I have included my documentation on how to do this DR restore below and they
 are the steps that I went through and when I got to the end I still get the
 blue screen and reboot.  Can someone tell me where I'm going wrong?

 We are running W2K3 fully patched with the exception of SP1.  DCs are all
 GCs, DNS and WINS servers.

 Thanks,

 Charlie



 Active Directory Disaster Recovery

 Company Name

 April 18, 2005, Revision 4





 The ability to recover from a catastrophic disaster is one of the goals of
 the Network Team.  With Active Directory quickly becoming the core
 technology for items such as e-mail, Citrix and local workstation security,
 it is imperative that in the case of a disaster a quick recovery can be had.
  This process will outline the non-authoritative active directory restore
 process. [The authoritative process is used to restore a portion of the
 Active Directory while leaving parts intact.]



 Resources:

 To conduct a successful restore you must have the correct toolset.  In
 conducting restores the following items must be had