RE: [ActiveDir] disaster recovery

[Mulnick, Al]

Title: [ActiveDir] disaster recovery

Just out of curiousity, why did you deploy a forest root structure?  Why didn't you go with a single domain structure?   Otherwise, Who manages the schema without the root?  Who manages the domain naming master in your environment (both are at the root, right?)  Who handles your time synch? Who holds the Enterprise Administrator permissions?   from: http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/support/adrecov.mspx   "Important: Backup data from a DC can only be used to restore that DC. You cannot use a backup of one DC to restore another. To have your environment completely backed up, you would need to have a backup of every domain controller. This should be kept in mind while developing your backup strategy. The minimum requirement should be to backup all the OM role holders and GCs. Also the first domain controller in the root domain should always be backed up."   "Note: Because this procedure requires modifying the configuration naming context, it requires Enterprise Administrator permissions."       Switching to something that works for you is certainly an understandable path to take but only if you understand that product better AND it solves your issues.  IT is not about technology for technology sake it's about solving your business issues.  If you need something else to make that happen, I'd be the first to tell you to go do it.   This thread comes across as sticker shock as you go to do this.  This is also why you want to practice this stuff all the time; that way you are not surprised at 0200 when everything is down.    Al From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 24, 2004 5:01 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] disaster recovery i don't need the schema or domain naming roles to restore my domain. i have all the other roles. yet it still has issues with finding a gc or replicating within a domain. why?   this is a fundemental design flaw of AD. It boggles the mind. If in a real disaster or even a test, MS expects you to have connectivity to  your root domain wherever it may be(on the other side of the world) AND access to that domains Admin passwords or accounts OR enterprise admin just to get up and running, then they are clearly not living in this world. AD was meant for the enterprise where a corp could have offices and domains all over the world. if in the event of disaster, we have to worry about isdn or T1 lines to the root and overcome all the politics of diff IT depts and security to beg for the enterprise password(even just for a simple test) JUST to get functional(not add or delete domains or modify the schema), then i'm ready to ditch AD for NDS or something more realistic. what other reason could I have to connect to the root? what other secrets does it hold aside from the 2 roles? does anyone know? why doesn't MS tell you these things in their DR documentation? is it so obivious? why is connectivity to the root never mentioned as key? am i the idiot? i'm willing to accept that, but what else does the root dc hold in terms of AD functionality? thank you for all your help so far. -----Original Message----- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Wed 3/24/2004 4:28 PM To: '[EMAIL PROTECTED]' Cc: Subject: RE: [ActiveDir] disaster recovery No, you need the root domain as it holds some of the roles etc.   In order for this to work, you need to restore the root domain as well.  I've found that doing this with a virtual server is sometimes easier but that just saves on hardware requirements.     Al From: Kern, Tom [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 24, 2004 3:23 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] disaster recovery yes. a quick question- can one restore an entire child domain without connectivity to the root domain? -----Original Message----- From: Anderson Santos Patricio [mailto:[EMAIL PROTECTED] Sent: Wed 3/24/2004 2:58 PM To: [EMAIL PROTECTED] Cc: Subject: RE: [ActiveDir] disaster recovery You Zones is setting for Dynamic Updates = YES???     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: quarta-feira, 24 de marÃo de 2004 16:47 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] disaster recovery restarting netlogon or registerdns does not work. where is this copy of the root zone in my dns server. i don't think i have it by default. i had to transfer it on my dns server back home. also if i had it, wouldnt creating a AD intergrated dns server on my test DC also have it? finally, when dc's replicate, do they look each other up in a gc? i never had any gc srv records in my local domain zone, only in the root. is this normal? thanks for your reply -----Original Message----- From: Anderson Santos Patricio [mailto:[EMAIL PROTECTED] Sent: Wed 3/24/2004 2:16 PM To: [EMAIL PROTECTED] Cc: Subject: RE: [ActiveDir] disaster recovery Hi Tom,   All register of AD Zones can recover with two comand:   restart netlogon service or ipconfig /registerdns   and all workstation will update your register in dns, or dhcp will ..   In Windows 2000 is interesting you have a secondary zone of your root in your local dns server,   In Windows 2003 you can set dns zone to level Forest then this zone is replicated for all domain controller in the forest.   Thanks for advanced.   Anderson Patricio - Analista de Suporte [EMAIL PROTECTED] Microsoft Certified Systems Engineer on 2003/2000 Microsoft Certified Systems Administrator on 2003/2000 Red Hat Certified Technician     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: quarta-feira, 24 de marÃo de 2004 16:03 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] disaster recovery i also get a "all gc's are down" error. gc records are just registered in the root domain, i assume. i only have a dns for my domain. also dcdiag output says "the server is not responding to directory service requests" though it holds a copy of AD. how can i get around this? do i need a copy of the root dns zone? how can i get this? can i export it to a text file and import it into my dns server? can i somehow pull it from the config container in AD without being connected to the root of the tree? is this the cause of my woes?   it would be insane on MS's part to demand connectivity to the root of the forest when restoring or doing DR on AD. what did i screw up?   Thanks again for any help -----Original Message----- From: Kern, Tom Sent: Wed 3/24/2004 1:34 PM To: [EMAIL PROTECTED] Cc: Subject: [ActiveDir] disaster recovery I just restored AD. I had a test laptop, pulled it off the network, ran ntdsutil, seized all 3 roles,ran metadata cleanup and removed all my old dc's. deleted them with adsiedit and all dns records as well. then at the DR site, i set up new servers with the same names as the old one's, ran dcpromo. however, the new servers get dnslookup/rpc errors when i try to force a replication. also, they fail a dcdiag because the guid dns name is not present and the server "fails a directory request" Also the srv records for kerberos and kpasswd do not appear in dns for my domain. The test laptop had an AD intergrated dns zone pulled directly from my real network. However, it just has the zone for my domain, not the forest root. do i need this record as well to promote DC's. I'm not connected to the forest anyway, but should i have the forest root records too. what am i doing wrong? thanks .+wYØP×.+j joryIV+v*