Rick, please excuse the whinge born out of a bit of frustration, I am afraid !!

am needing to write procedural documents for what I would regard as a fairly simple task (and given issues we have with allowed run list policy values not unlikely either !!) i.e. restore of an inadvertently (or otherwise !) deleted or corrupt GPO

not unreasonable to have had functionality equiv to GPMC in win2k ??

duly noted on GPMC - will recommend to deploy as soon as possible

without GPMC, it seems there are all sorts of interdependencies on AD objects / SYSVOL file system objects which need to be got right when restoring GPO

was looking to seek the views of others on the procedure for this restore, say of a single GPO ??

as per my original mail;

1. DS restore mode
2. restore of what sysvol file system directories / system state to original
3. restore (what ?) to alternate location
3. ntdsutil - run authoritative restore (seems only to apply to AD objects)
4. copy certain file system directories (policies / scripts ??) to original location

Thanks for your help throughout

GT

----- Original Message -----
From: "Rick Kingslan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, August 18, 2003 2:34 PM
Subject: RE: [ActiveDir] authoritative GPO restore

> Graham,
>
> Though I don't totally disagree, I'm not sure what part of the picture is
> missing to cause you to make a statement such as:
>
> "Microsoft seem incapable of delivering finished products !"
>
> The GPMC *does* make it much easier - and I have been a big champion on this
> product, and is by far the preferred method. But, before GPMC (6 years
> before, in fact) we have survived quite well with Auth Restore, Systems
> State restore, and Data backup restores.
>
> What part of the picture am I missing that would indicate Microsoft missed
> the boat on restoring GPOs in your case?
>
> Rick Kingslan MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
> Sent: Monday, August 18, 2003 3:05 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] authoritative GPO restore
>
> Darren, thanks for the very informative post reply.
>
> you seem only to confirm my views of what should be a relatively simple task
> is not so - although happy to see this complexity reduced with GPMC does
> nothing to dispel my opinion that Microsoft seem incapable of delivering
> finished products !
>
> Thanks again
>
> GT
> ----- Original Message -----
> From: "Darren Mar-Elia" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Sunday, August 17, 2003 9:30 PM
> Subject: RE: [ActiveDir] authoritative GPO restore
>
> Graham-
> You're absolutely right about the dependencies between the AD and SYSVOL
> portions of a GPO. As you probably have noticed, the AD portion is stored in
> the Domain NC under SYSTEM\POLICIES\<GUID OF GPO> and the SYSVOL part is in
> SYSVOL\POLICIES\<GUID OF GPO>. The AD portion, formerly called the Group
> Policy Container (GPC) (until MS released the GPMC and decided they didn't
> like any of the old names for stuff (!)), contains attributes that reference
> the SYSVOL path, the version of the GPO and some other stuff. If for
> example, you have used software installation policy to deploy applications
> via GPO, then the GPC contains a set of AD objects known as the Class Store,
> which contains packageRegistration objects for each app deployed. These
> objects reference application advertisement script (.aas) files stored in
> the SYSVOL portion of the GPO (aka the Group Policy Container or GPT).
>
> In terms of disaster recovery of an individual GPO, you're correct that
> authoritative restore isn't very flexible.
> Your steps below seem reasonable
> although I haven't used that mechanism to restore a single GPO before.
> Frankly, I think you're better off using Microsoft's free GPMC tool to do
> backup/restore of individual GPOs. It's easy to use, scriptable and restores
> individual GPOs with their original GUID intact.
> This is a lot more flexible than authoritative restore or any other
> mechanism that has to try and extract portions of a single GPO from backups
> of system state.
>
> Darren
>
> -----Original Message-----
> From: Graham Turner [mailto:[EMAIL PROTECTED]
> Sent: Sunday, August 17, 2003 11:42 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] authoritative GPO restore
>
> was hoping to get a bit more detail on the procedure of restore of a GPO and
> specifically the inter-dependencies of the sysvol folder data and AD data
>
> it would seem say in the scenario of an inadvertently modified / deleted
> GPO (and which has been replicated throughout the domain) that it is not
> simply a matter of restore of the sysvol data, and that indeed it is
> required to go through a sequence along the lines of;
>
> boot into DS restore mode;
> restore system state to its original location restore system state to
> alternative location
>
> authoritatively restore the entire database (didn't understand this - I
> would have thought at most the object with the GUID of the GPO using restore
> subtree ?)
>
> restart the DC in normal mode and wait for the sysvol to mount
>
> then a copy of what looks to be like the folder of sysvol / policies with
> the GUID of the GPO from the alternative location
>
> have derived the above from the various papers on disaster recovery et al.
>
> hoping people can put any of the above right, especially with notes on the
> various interdependencies of the directory objects / file system contents
> relating to GPO

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
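
The dependency described in the thread above (an AD object under System\Policies\<GUID> that references the SYSVOL folder and carries the GPO version) can be verified after any restore by comparing the two halves of each GPO. The PowerShell below is an added example, not part of the original thread: the function name Test-GpoPair and the sample GUIDs and versions are constructed for illustration, and it assumes the AD object's versionNumber attribute should equal the Version= value in the SYSVOL copy's GPT.INI.

```powershell
# Added example: compare the AD half and the SYSVOL half of each GPO.
# Test-GpoPair is a hypothetical helper name; the sample data is constructed.
function Test-GpoPair {
    param(
        [Parameter(Mandatory)] [object[]]  $AdObjects,  # Name = '{GUID}', versionNumber
        [Parameter(Mandatory)] [hashtable] $GptIni      # '{GUID}' folder name -> GPT.INI text
    )
    foreach ($ad in $AdObjects) {
        $status = 'OK'; $fileVersion = $null
        if (-not $GptIni.ContainsKey($ad.Name)) {
            $status = 'MissingSysvolFolder'          # AD object restored, files absent
        } elseif ($GptIni[$ad.Name] -match '(?m)^\s*Version\s*=\s*(\d+)') {
            $fileVersion = [int64]$Matches[1]
            if ($fileVersion -ne $ad.versionNumber) { $status = 'VersionMismatch' }
        } else {
            $status = 'UnreadableGptIni'
        }
        [pscustomobject]@{ Guid = $ad.Name; AdVersion = $ad.versionNumber
                           SysvolVersion = $fileVersion; Status = $status }
    }
    # SYSVOL folders that no AD object points at (files restored, AD object absent)
    foreach ($guid in $GptIni.Keys) {
        if ($guid -notin $AdObjects.Name) {
            [pscustomobject]@{ Guid = $guid; AdVersion = $null
                               SysvolVersion = $null; Status = 'OrphanedSysvolFolder' }
        }
    }
}

# Constructed sample input so the check runs offline.
$sampleAd = @(
    [pscustomobject]@{ Name = '{11111111-1111-1111-1111-111111111111}'; versionNumber = 65539 }
    [pscustomobject]@{ Name = '{22222222-2222-2222-2222-222222222222}'; versionNumber = 7 }
    [pscustomobject]@{ Name = '{33333333-3333-3333-3333-333333333333}'; versionNumber = 2 }
)
$sampleGpt = @{
    '{11111111-1111-1111-1111-111111111111}' = "[General]`r`nVersion=65539"
    '{22222222-2222-2222-2222-222222222222}' = "[General]`r`nVersion=5"   # files older than AD
    '{44444444-4444-4444-4444-444444444444}' = "[General]`r`nVersion=1"   # no AD object
}
Test-GpoPair -AdObjects $sampleAd -GptIni $sampleGpt | Format-Table -AutoSize

# Against a live domain (ActiveDirectory module), the inputs would come from:
#   Get-ADObject -SearchBase "CN=Policies,CN=System,$((Get-ADDomain).DistinguishedName)" `
#       -LDAPFilter '(objectClass=groupPolicyContainer)' -Properties versionNumber,gPCFileSysPath
#   Get-Content (Join-Path $obj.gPCFileSysPath 'GPT.INI') -Raw
```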
