From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, August 25, 2003 11:55 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] I would like to vote for Roger Abell
Gil Kirkpatrick
CTO, NetPro
-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Monday, August 18, 2003 7:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] I would like to vote for Roger AbellDeji,We don't take them South-Western types in here.... (oooooh, sorry Gil!).I'll give Roger a shout and invite him to join us. Roger has been a good friend for many years - I think he'll find his way here shortly...Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, August 18, 2003 8:42 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] I would like to vote for Roger AbellNow that we have Joe, Todd, Dean Rick and other superstars, I have been (privately) wondering for a long time what is keeping one other very fine gentleman away from this list. I am sure many of you have heard of Roger Abell. Pardon the euphemism, but it is my considered opinion that this list will not be worse off if we can get him to grace us with his membership.Unless there is a policy that says we only let them wander in on their own volition, I propose that we draft him :)Sincerely,
D�j� Ak�m�l�f�, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: [EMAIL PROTECTED] on behalf of Graham Turner
Sent: Mon 8/18/2003 8:24 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] authoritative GPO restoreRick, please excuse the whinge
borne out of a bit of frustration i am afraid !!
am needing to write procedural documents for what i would regard as a fairly
simple task (and given issues we have with allowed run list policy values
not unlikely either !!)
ie restore of a inadvertantly (or otherwise !) deleted or corrupt GPO
not unreasonable to have had functionality equiv to GPMC in win2k ??
duly noted on GPMC - will recommend to deploy as soon as possible
without GPMC, it seems there are all sorts of interdependencies on AD
objects / SYSVOL file system objects which need to be got right when
restoring GPO
was looking to seek the views of others on the procedure for this restore
say of a single GPO ??
as per my original mail;
1. DS restore mode
2. restore of what sysvol file system directories / system state to original
3. restore (what ?) to alternate location
3. ntdsutil - run authoritative restore (seems only to apply to AD objects)
4. copy certain file system directories (polices / scripts ??) to original
location
Thanks for your help throughout
GT
GT
----- Original Message -----
From: "Rick Kingslan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, August 18, 2003 2:34 PM
Subject: RE: [ActiveDir] authoritative GPO restore
> Graham,
>
> Though I don't totally disagree, I'm not sure what part of the picture is
> missing to cause you to make a statement such as:
>
> "Microsoft seem incapable of delivering finished products !"
>
> The GPMC *does* make it much easier - and I have been a big champion on
this
> product, and is by far the preferred method. But, before GPMC (6 years
> before, in fact) we have survived quite well with Auth Restore, Systems
> State resore, and Data backup restores.
>
> What part of the picture am I missing that would indicate Microsoft missed
> the boat on restoring GPOs in your case?
>
> Rick Kingslan MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Graham Turner
> Sent: Monday, August 18, 2003 3:05 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] authoritative GPO restore
>
> Darren, thanks for the very informative post reply.
>
> you seem only to confirm my views of what should be a relatively simple
task
> is not so - although happy to see this complexity reduced with GPMC does
not
> nothing to dispel my opinion that Microsoft seem incapable of delivering
> finished products !
>
> Thanks again
>
> GT
> ----- Original Message -----
> From: "Darren Mar-Elia" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Sunday, August 17, 2003 9:30 PM
> Subject: RE: [ActiveDir] authoritative GPO restore
>
>
> Graham-
> You're absolutely rigth about the dependencies between the AD and SYSVOL
> portions of a GPO. As you probably have noticed, the AD portion is stored
in
> the Domain NC under SYSTEM\POLICIES\<GUID OF GPO> and the SYSVOL part is
in
> SYSVOL\POLICIES\<GUID OF GPO>. The AD portion, formerly called the Group
> Policy Container (GPC) (until MS released the GPMC and decided they didn't
> like any of the old names for stuff (!)), contains attributes that
reference
> the SYSVOL path, the version of the GPO and some other stuff. If for
> example, you have used software installation policy to deploy applications
> via GPO, then the GPC contains a set of AD object known as the Class
Store,
> which contains packageRegistration objects for each app deployed. These
> objects reference application advertisement scripts (.aas) file stored in
> the SYSVOL portion of the GPO (aka the Group Policy Container or GPT).
>
> In terms of disaster recovery of an individual GPO, you're correct that
> authoritative restore isn't very flexible. Your steps below seem
reasonable
> although I haven't used that mechanism to restore a single GPO before.
> Frankly, I think you're better off using Microsoft's free GPMC tool to do
> backup/restore of individual GPOs. Its easy to use, scriptable and
restores
> individual GPOs with their original GUID intact.
> This is a lot more flexible than authoritative restore or any other
> mechanism that has to try and extract portions of a single GPO from
backups
> of system state.
>
> Darren
>
>
>
> -----Original Message-----
> From: Graham Turner [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, August 17, 2003 11:42 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] authoritative GPO restore
>
>
> was hoping to get a bit more detail on the procedure of restore of a GPO
and
> specifically the inter-dependencies of the sysvol folder data and AD data
>
> it would seem say in the scenario of an inadevertantly modified / deleted
> GPO (and which has been replicated throughout the domain) that it is not
> simply a matter of restore of the sysvol data, and that indeed it is
> required to go through a sequence along the lines of;
>
> boot into DS restore mode;
> restore system state to its original location restore system state to
> alternative location
>
> authoritatively restore the entire database (didn't understand this - i
> would have thought at most the object with the GUID of the GPO using
restore
> subtree ?)
>
> restart the DC in normal mode and wait for the sysvol to mount
>
> then a copy of what looks to be like the folder of sysvol / policies with
> the GUID of the GPO from the alternative location
>
> have derived the above from the various papers on disaster recovery et al.
>
> hoping people can put any of the above right, especially with notes on the
> various interdependencies of the directory objects / file system contents
> relating to GPO
>
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
