You have been more than helpful, Scott. Now I just have to convince the domain admins to do this (we are a single-domain architecture here at Indiana University, with each campus and department having a separate OU, not domain).

Thanks again,
Chris

-----Original Message-----
From: Rachui, Scott [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 23, 2002 7:36 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Partial AD Restore

When a restore is performed usually, the first thing that the restored server does when it comes back online is to synch its directory up (since its copy is presumably older than the copy on the other DCs) with other AD Servers in the domain. If you do a simple restore, all that will happen is that you'll bring back the groups you deleted, bring the server back online and then watch as the other DCs instruct the restored DC to re-delete these groups.

The purpose of an authoritative restore is so that you can determine which server has the authoritative copy of the portion of the directory you are restoring. When you perform an authoritative restore, the USNs of the restored objects are significantly incremented so they appear 'authoritative' to other copies of the directory. In this case, the restored groups will be copied to the other AD Servers, rather than a re-delete taking place.

You don't need to take any other of your servers offline to restore a single server, and your clients shouldn't notice this as long as they can get to one of the other AD Databases (which happens automatically and doesn't require reconfiguration). If you have multiple Sites and this server is the only AD Server in the local site, you might want to make sure that Site Coverage isn't disabled (you can read about this at Microsoft's website), and that no FSMO roles are on this box (especially the PDC Emulator). If there are FSMO roles on this machine and there are multiple AD Servers in your domain, you might consider transferring the roles (I typically don't do this for anything other than the PDC Emulator unless the machine will be offline for several hours).

Once the machine is back up, the only behavior you'll see is replication taking place to synch up the various copies of the directory.

-----Original Message-----
From: England, Christopher M [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 23, 2002 7:18 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Partial AD Restore

Does this affect other DC's? If they bring one DC down to do this, are the other 2 (or how many ever) still running and ok? And when the restore happens, they would just need to synchronize before they restart the DC they used to restore?

Thanks again,
Chris

-----Original Message-----
From: Rachui, Scott [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 23, 2002 6:49 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Partial AD Restore

To restore objects that were accidentally deleted, you'll need to do something called an authoritative restore. It requires that you reboot a domain controller into Directory Services Restore Mode and run an authoritative restore. You can select the specific OU that you'd like to restore, or you can select the entire directory.

With AD, a restore is definitely not 'all or nothing', which is a very good thing! Make sure you get familiar with the NTDSUTIL tool as this is the tool you'll be using to run this authoritative restore. Microsoft has some very good white papers on how to do this, including a Disaster Recovery Guide for Active Directory that gives you step-by-step instructions.

I hope this helps.

Scott

-----Original Message-----
From: England, Christopher M [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 23, 2002 6:43 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Partial AD Restore

I did a silly thing and deleted some user groups out of an OU. I am not in charge of the domain, but I have asked the domain admins to attempt to restore those groups. Is this even possible with Active Directory? I have heard that an AD restore is all or nothing. Any info would be great!

Chris England
Systems Administrator
Indiana University
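
A simplified model of the behaviour described in the thread, added here as an example and not part of the original messages: a plain restore is re-deleted by the other DCs, while an authoritative restore replicates outward. It is not Active Directory's replication code; `Stamp`, `AUTH_BUMP`, `replicate`, `restore`, `scenario` and the group DN are constructed for illustration, and a single per-object version number stands in for the stamp that the authoritative restore raises.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Stamp:
    version: int   # raised by every originating change to the object
    deleted: bool  # True means the object is a tombstone

AUTH_BUMP = 100_000  # constructed value: how far an authoritative restore raises the stamp

def replicate(a, b):
    """Two-way sync between two DCs: for each object the higher version wins on both."""
    for dn in set(a) | set(b):
        winner = max((dc[dn] for dc in (a, b) if dn in dc), key=lambda s: s.version)
        a[dn] = b[dn] = winner

def restore(backup, authoritative_dns=()):
    """Return a DC's directory as restored from backup.

    Objects listed in authoritative_dns get their version raised so that
    they beat whatever the other DCs currently hold for the same object.
    """
    db = dict(backup)
    for dn in authoritative_dns:
        db[dn] = replace(db[dn], version=db[dn].version + AUTH_BUMP)
    return db

def scenario(authoritative):
    """Delete a group after the backup, restore one DC, replicate, report the state.

    Returns (deleted_on_restored_dc, deleted_on_other_dc).
    """
    dn = "CN=Staff,OU=Dept,DC=example,DC=edu"  # constructed DN
    backup = {dn: Stamp(version=3, deleted=False)}
    # After the backup the group was deleted; the tombstone reached the other DC.
    other_dc = {dn: Stamp(version=4, deleted=True)}
    restored_dc = restore(backup, [dn] if authoritative else [])
    replicate(restored_dc, other_dc)
    return restored_dc[dn].deleted, other_dc[dn].deleted

if __name__ == "__main__":
    print("plain restore        ->", scenario(authoritative=False))
    print("authoritative restore ->", scenario(authoritative=True))
```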
