i don't need the schema or domain naming roles to restore my domain. i have all the other roles. yet it still has issues with finding a gc or replicating within a domain. why? this is a fundamental design flaw of AD. It boggles the mind. If in a real disaster or even a test, MS expects you to have connectivity to your root domain wherever it may be (on the other side of the world) AND access to that domain's Admin passwords or accounts OR enterprise admin just to get up and running, then they are clearly not living in this world. AD was meant for the enterprise where a corp could have offices and domains all over the world. if in the event of disaster, we have to worry about isdn or T1 lines to the root and overcome all the politics of diff IT depts and security to beg for the enterprise password (even just for a simple test) JUST to get functional (not add or delete domains or modify the schema), then i'm ready to ditch AD for NDS or something more realistic. what other reason could I have to connect to the root? what other secrets does it hold aside from the 2 roles? does anyone know? why doesn't MS tell you these things in their DR documentation? is it so obvious? why is connectivity to the root never mentioned as key? am i the idiot? i'm willing to accept that, but what else does the root dc hold in terms of AD functionality? thank you for all your help so far.
-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Wed 3/24/2004 4:28 PM
To: '[EMAIL PROTECTED]'
Cc:
Subject: RE: [ActiveDir] disaster recovery
No, you need the root domain as it holds some of the roles etc.
In order for this to work, you need to restore the root domain as well. I've
found that doing this with a virtual server is sometimes easier but that just saves on
hardware requirements.
Al
_____
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 24, 2004 3:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery
yes.
a quick question- can one restore an entire child domain without connectivity
to the root domain?
-----Original Message-----
From: Anderson Santos Patricio [mailto:[EMAIL PROTECTED]
Sent: Wed 3/24/2004 2:58 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] disaster recovery
Are your zones set for Dynamic Updates = YES???
_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern,
Tom
Sent: Wednesday, March 24, 2004 16:47
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery
restarting netlogon or registerdns does not work.
where is this copy of the root zone in my dns server? i don't think i
have it by default. i had to transfer it on my dns server back home.
also if i had it, wouldn't creating an AD integrated dns server on my
test DC also have it?
finally, when dc's replicate, do they look each other up in a gc?
i never had any gc srv records in my local domain zone, only in the
root. is this normal?
thanks for your reply
-----Original Message-----
From: Anderson Santos Patricio [mailto:[EMAIL PROTECTED]
Sent: Wed 3/24/2004 2:16 PM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [ActiveDir] disaster recovery
Hi Tom,
All records of the AD zones can be recovered with two commands:
restart netlogon service or ipconfig /registerdns
and all workstations will update their records in dns, or dhcp
will ..
In Windows 2000 it is interesting to have a secondary zone of
your root on your local dns server.
In Windows 2003 you can set the dns zone to Forest level; then this
zone is replicated to all domain controllers in the forest.
Thanks in advance.
Anderson Patricio - Support Analyst
[EMAIL PROTECTED]
Microsoft Certified Systems Engineer on 2003/2000
Microsoft Certified Systems Administrator on 2003/2000
Red Hat Certified Technician
_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Kern, Tom
Sent: Wednesday, March 24, 2004 16:03
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] disaster recovery
i also get an "all gc's are down" error.
gc records are just registered in the root domain, i assume. i
only have a dns for my domain.
also dcdiag output says "the server is not responding to
directory service requests" though it holds a copy of AD.
how can i get around this? do i need a copy of the root dns
zone? how can i get this? can i export it to a text file and import it into my dns
server? can i somehow pull it from the config container in AD without being connected
to the root of the tree?
is this the cause of my woes?
it would be insane on MS's part to demand connectivity to the
root of the forest when restoring or doing DR on AD.
what did i screw up?
Thanks again for any help
-----Original Message-----
From: Kern, Tom
Sent: Wed 3/24/2004 1:34 PM
To: [EMAIL PROTECTED]
Cc:
Subject: [ActiveDir] disaster recovery
I just restored AD. I had a test laptop, pulled it off
the network, ran ntdsutil, seized all 3 roles, ran metadata cleanup and removed all my
old dc's. deleted them with adsiedit and all dns records as well.
then at the DR site, i set up new servers with the
same names as the old ones, ran dcpromo. however, the new servers get dnslookup/rpc
errors when i try to force a replication.
also, they fail a dcdiag because the guid dns name is
not present and the server "fails a directory request"
Also the srv records for kerberos and kpasswd do not
appear in dns for my domain.
The test laptop had an AD integrated dns zone pulled
directly from my real network. However, it just has the zone for my domain, not the
forest root.
do i need this record as well to promote DC's? I'm not
connected to the forest anyway, but should i have the forest root records too?
what am i doing wrong?
thanks
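
Added example, not part of the thread or written by any of its participants: a small offline audit of which DC locator names a DNS server can serve, showing that the GC SRV records and the DC GUID CNAME belong to the forest root namespace while the kerberos/kpasswd records belong to the domain zone. The names `corp.example` and `child.corp.example`, the GUID and the record list are constructed sample values; the record names are a subset of what Netlogon registers.

```python
# Added example. corp.example / child.corp.example and the GUID are constructed.

def required_records(domain, forest_root, dsa_guid):
    """Subset of the names Netlogon registers for a DC that is also a GC."""
    return [
        ("SRV", f"_ldap._tcp.dc._msdcs.{domain}"),
        ("SRV", f"_kerberos._tcp.{domain}"),
        ("SRV", f"_kpasswd._tcp.{domain}"),
        ("SRV", f"_gc._tcp.{forest_root}"),
        ("SRV", f"_ldap._tcp.gc._msdcs.{forest_root}"),
        ("CNAME", f"{dsa_guid}._msdcs.{forest_root}"),  # name replication partners resolve
    ]

def owning_zone(name, hosted_zones):
    """Most specific hosted zone that contains name, or None."""
    name = name.lower().rstrip(".")
    matches = [z for z in (h.lower().rstrip(".") for h in hosted_zones)
               if name == z or name.endswith("." + z)]
    return max(matches, key=len) if matches else None

def audit(domain, forest_root, dsa_guid, hosted_zones, present):
    """Return {name: status} with status 'ok', 'missing' or 'no zone'."""
    have = {(t, n.lower()) for t, n in present}
    report = {}
    for rtype, name in required_records(domain, forest_root, dsa_guid):
        if owning_zone(name, hosted_zones) is None:
            report[name] = "no zone"      # server cannot answer or accept the update
        elif (rtype, name.lower()) in have:
            report[name] = "ok"
        else:
            report[name] = "missing"      # zone exists, record never registered
    return report

# Constructed scenario: the DNS server holds only the child domain zone.
DOMAIN, ROOT = "child.corp.example", "corp.example"
GUID = "11111111-2222-3333-4444-555555555555"
HOSTED = ["child.corp.example"]
PRESENT = [("SRV", "_ldap._tcp.dc._msdcs.child.corp.example")]

def demo():
    return audit(DOMAIN, ROOT, GUID, HOSTED, PRESENT)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8} {name}")
```

A "no zone" result means the record cannot be fixed by restarting Netlogon or running `ipconfig /registerdns` against that server, because no zone exists there to take the registration.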
