We got the following from Microsoft Consulting about a year ago and implemented it last summer to address the accidentally deleted objects.  We've had the 'opportunity' to use the process twice.  It worked fine on both occasions.  In our environment, we have four different domains in the forest and have a hot site for two of the domains at two different sites.  We have replication set to occur for only one hour a day starting at 11:00 pm.  Some of the utilities like FRSDiag report problems with this setup but otherwise it works fine.  It does require an extra piece of hardware per domain.

mark hocraffer
Rockwell Collins

Active Directory Hot Site Scenario

Purpose

This document provides information around the concept of an Active Directory “hot site” and its configuration.

Overview

While there are recovery procedures in place for cases where one or more directory objects have been accidentally deleted (namely, authoritative restore) or where a hardware failure (for example, disk corruption) causes a domain controller (DC) to fail, this paper describes a process in which an Active Directory site is “lagged” behind the rest of the replication topology, creating a scenario where a restore procedure will not have to be used.

Hot Site Design

The Active Directory Hot Site is an Active Directory site that contains at least one DC from every domain in the forest.  Replication to this site is delayed for twenty-four hours.

If any changes are made incorrectly on any DC in the forest outside of the Hot Site, then Ntdsutil.exe can be used to change the version on any object, making the object authoritative.  The object in question is then replicated out from the Hot Site to the entire forest, preventing the need for a full-fledged restore.

This Hot Site design is not a replacement for a good tape backup.  However, it is a viable solution for a quick on-line restore process in the case of a corruption taking down every domain controller.  The replication time can be configured to a time frame that meets your customer's needs.  This should be mapped to the customer's response time.

Keep in mind that the longer the replication interval is, the more changes made in that interval will be lost.  This also holds true for tape backups.

This configuration is only as valid as the integrity of the hot site itself.  If the corruption has replicated to the Hot Site, it is invalid.  Also, there is a very small chance a client may try to authenticate to the DC in the Hot Site and get out-of-date information.  Clients should be configured to authenticate to a DC in their own site or, failing that, to one closer and/or of lower cost.  The Hot Site is, by design, a high-cost alternative to help preclude a client authenticating to it.  If no other DC is available, hopefully the Hot Site DC will serve its purpose and allow authentication.

Hot Site Configuration

The domain controllers serving in the Hot Site can be a low-end server or a PC, because they will only be storing the AD database, which only requires disk space.  Since no users will be logging into this site, memory is not a serious concern.

To configure the hot site:

•  Put the domain controllers into their own site.  Make sure the site only covers the IP addresses (or subnet) of the domain controllers to ensure no client will ever boot up with an IP address included in that site.
•  Increase the weight priority of the SRV records for those DCs.
•  Disable auto site coverage using the reg key.  This key will need to be added to each DC in the Hot Site.


Note: Pausing the Netlogon service on all DCs in the Hot Site could also be used.
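As an added example (not part of Mark's post or the Microsoft document), the following PowerShell script applies the three hot-site Netlogon settings above on a hot-site DC and then checks what the DC locator SRV records actually publish. The registry value names (LdapSrvPriority, LdapSrvWeight, AutoSiteCoverage) are the documented Netlogon parameters rather than values from the post; $Domain and $HotSiteDcs are placeholders. Note that for SRV records a higher priority number means less preferred, so "increasing" the priority of the hot-site DCs makes clients try them last.

```powershell
# Added example, not from the original thread: apply the hot-site Netlogon
# settings described above and verify what the DNS locator records publish.
# Value names are the documented Netlogon parameters; run elevated on a DC.
$Domain      = 'corp.example'        # placeholder: your AD DNS domain name
$HotSiteDcs  = @('HOTDC1', 'HOTDC2') # placeholder: hot-site DC host names
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Set-HotSiteNetlogon {
    param([string]$Key = $NetlogonKey)
    # DC locator clients try the LOWEST SRV priority first, so a high value
    # makes this DC a last resort; weight only orders DCs of equal priority.
    $settings = [ordered]@{
        LdapSrvPriority  = 200  # default 0:   least preferred among all DCs
        LdapSrvWeight    = 1    # default 100: minimal share within its priority
        AutoSiteCoverage = 0    # default 1:   never cover sites that lack a DC
    }
    foreach ($name in $settings.Keys) {
        Set-ItemProperty -Path $Key -Name $name -Value $settings[$name] -Type DWord
    }
    # Netlogon re-registers its SRV records with the new values on restart.
    Restart-Service -Name Netlogon
    # Alternative from the note above: Suspend-Service -Name Netlogon
}

function Test-HotSiteSrv {
    param([string]$DomainName = $Domain, [string[]]$HotDcs = $HotSiteDcs)
    # Nested helper: is this SRV record one of the hot-site DCs? (-contains is
    # case-insensitive, so host-name casing in DNS does not matter.)
    function IsHot($rec) { $HotDcs -contains ($rec.NameTarget -split '\.')[0] }
    # Read the forest-wide DC locator record; drop the A records in the
    # Additional section so only SRV entries are compared.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV |
           Where-Object { $_.Type -eq 'SRV' }
    $others   = $srv | Where-Object { -not (IsHot $_) }
    $maxOther = ($others | Measure-Object -Property Priority -Maximum).Maximum
    foreach ($r in ($srv | Where-Object { IsHot $_ })) {
        [pscustomobject]@{
            DC         = $r.NameTarget
            Priority   = $r.Priority
            Weight     = $r.Weight
            # True only if every non-hot-site DC is preferred over this one.
            LastResort = ($r.Priority -gt $maxOther)
        }
    }
}

Set-HotSiteNetlogon
Test-HotSiteSrv | Format-Table -AutoSize
```

A hot-site DC reporting LastResort = False means some regular DC publishes an equal or higher priority number and clients could pick the lagged DC ahead of it.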



"joe" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]

03/03/2004 09:40 AM

Please respond to
[EMAIL PROTECTED]

To
<[EMAIL PROTECTED]>
cc
Subject
RE: [ActiveDir] Protecting Active Directory

Yes, excellent point. We haven't started worrying about that granularity yet. If something is deleted, we figured the person with the power to delete it intended it. Have a nice day. There are only three people who can really do any huge mass deletes across the board and we all sit within smacking distance of each other so we are careful as we have sensitive ears and don't want to be cuffed. I do think we need some sort of solution for this eventually though. But it is more to reduce nuisance factor for silly OU admins than anything else.
 
Right now mostly still just worrying about the old "South East Michigan was swallowed by a volcano that came out of nowhere" scenario... how do we make sure we can recover?
 
-------------
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent:
Wednesday, March 03, 2004 3:01 AM
To:
[EMAIL PROTECTED]
Subject:
RE: [ActiveDir] Protecting Active Directory


will only be good for restoring the DC hardware, but depending on your setup won't be sufficient to fully recover accidentally deleted objects.
 
I've worked with Aelita on this whitepaper to discuss the potential issues:
http://www.aelita.com/library/whitepapers/10_Things_to_Know_about_Active_Directory_Recovery.pdf
 
/Guido


From: joe [mailto:[EMAIL PROTECTED]
Sent:
Wednesday, March 03, 2004 02:11
To:
[EMAIL PROTECTED]
Subject:
RE: [ActiveDir] Protecting Active Directory


1. Multiple DCs in disparate locations.
 
2. Virtual DC for each domain that is shut down nightly and the disk file for each is copied to some other location.
 
-------------
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios Toronto
Sent:
Tuesday, March 02, 2004 3:49 PM
To:
'[EMAIL PROTECTED]'
Subject:
[ActiveDir] Protecting Active Directory
Importance:
High


What is the best way to backup your domain controller so you can restore it in a disaster situation?
