Thanks Eric.  Thinking of AD in a simplified manner is called for here.
Replication or not, because this is possible and can be done with a lot of
complicated trickery/third-party apps, I think it's worthwhile to have this
functionality baked in. Intuitively, it should be there for the admins.

I think it's time for this functionality to be baked in. 

Sadly, I'm well aware of how tricky it is for various reasons.  While it's
better than older Exchange concepts, it's harder than it needs to be, at
least in smaller shops. In larger shops, some of this wouldn't work well
anyway and they'd need to take advantage of custom solutions either through
ISVs or through in-house efforts.  At the very least, this should be
available as an option in single domain forests.  It shouldn't be nearly as
complicated, and they're not nearly as likely to have a decent IDM solution.
Oh, and they likely make up a majority (in terms of sheer numbers) of your
customer base, yet remain anonymous.  

Just some thoughts on my part.  I haven't received an answer yet on this as
a viable way forward from the dev team, but I'm interested to hear why this
would be something in future versions or why not. I also realize I could do
other architecture related things to prevent this from being a huge issue.
For example, I could use a better export/import and practice my restores on
a regular basis along with authoritative restores.  I could set up a site in
each domain that doesn't replicate nearly as often to help me find that
information and then use some sleight of hand to get that object to overwrite
the "mistakes".  I could.  I shouldn't have to is my point, and for some
basic functionality, I shouldn't have to look to a third-party for this.
Similar to the backup program mentality - it works, but if you want more of
a solution you need to buy it.  That works for me. 


Al



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Saturday, December 04, 2004 7:23 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Restore AD

Yes and no.
Thinking of AD as just a database with a bunch of records ignores some of
the most complicated pieces, namely replication.
 
We are fully multimaster with the understanding that we maintain loose
consistency and support some other functionalities that make this even
harder than it might have to be (harder than when just considering the
notion of replication). This yields a series of nontrivial problems to solve
in the restore.
 
We already have a "retention period" of sorts: tombstone lifetime. We could
retain more attributes on tombstones and help you with this. In fact, you
can do this in your forest now through a minor schema change. This works
well, but does not solve some harder problems like link value restore (as
mentioned in my previous post). Those are still exercises "left to the
reader", or the ISV in most cases.
 
All of this is not to say that it can't be done, I just wanted to ensure you
think through why it is tricky. :)
 
I hear that ISVs have done a good job at tackling this problem today. I'd
check out what they offer, perhaps there is something there that would do
what you need.
 
~Eric
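The "minor schema change" Eric mentions is the preserve-on-delete bit (0x8) in searchFlags on an attributeSchema object; any attribute carrying that bit keeps its value on the tombstone instead of being stripped at deletion. The script below is an added example, not code from this thread or from Microsoft: it flips that bit on one attribute, binding to the schema master because only the schema master accepts schema writes. It assumes Windows Server 2003 or later domain controllers, a caller who is a member of Schema Admins, and 'description' as the attribute to preserve; change that name to suit. It refuses linked attributes, because link values (group membership, manager and so on) are not kept on tombstones whatever searchFlags says, which is the "link value restore" gap Eric refers to.

```powershell
# Added example (not from the thread): set fPRESERVEONDELETE (0x8) in searchFlags
# on one attributeSchema object so its value survives on the tombstone.
# Assumptions: Windows Server 2003+ DCs, caller in Schema Admins, and
# 'description' as the attribute to preserve (hypothetical choice).
$AttributeLdapName  = 'description'
$PRESERVE_ON_DELETE = 0x8

$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNc = [string]$rootDse.schemaNamingContext.Value

# Only the schema master accepts schema writes. fSMORoleOwner on the schema NC
# head is "CN=NTDS Settings,CN=<server>,CN=Servers,..."; the parent object holds
# the server's dNSHostName.
$ntdsDn       = [string]([ADSI]"LDAP://$schemaNc").fSMORoleOwner.Value
$serverDn     = ($ntdsDn -split ',', 2)[1]
$schemaMaster = [string]([ADSI]"LDAP://$serverDn").dNSHostName.Value

# Look the attribute up by lDAPDisplayName rather than guessing its CN.
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://$schemaMaster/$schemaNc",
    "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeLdapName))",
    [string[]]@('searchFlags', 'linkID'))
$hit = $searcher.FindOne()
if ($null -eq $hit) { throw "No attributeSchema object for '$AttributeLdapName'" }

# Linked attributes carry a linkID; their values are dropped on deletion
# regardless of searchFlags, so refuse rather than give a false sense of safety.
if ($hit.Properties['linkid'].Count -gt 0) {
    throw "'$AttributeLdapName' is a linked attribute; preserve-on-delete does not keep link values"
}

$attr  = $hit.GetDirectoryEntry()
$flags = [int]$attr.searchFlags.Value
if ($flags -band $PRESERVE_ON_DELETE) {
    'searchFlags on {0} is already 0x{1:X} (preserve-on-delete set)' -f $AttributeLdapName, $flags
} else {
    $new = $flags -bor $PRESERVE_ON_DELETE
    $attr.Put('searchFlags', $new)
    $attr.SetInfo()
    'searchFlags on {0}: 0x{1:X} -> 0x{2:X}' -f $AttributeLdapName, $flags, $new
}
```

The change only affects objects deleted after it replicates and after each DC refreshes its schema cache (up to five minutes, or immediately if you write schemaUpdateNow=1 to RootDSE on the DC). It does not extend the tombstone lifetime, so the preserved value lives exactly as long as the tombstone does.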
 

________________________________

From: [EMAIL PROTECTED] on behalf of Glenn Corbett
Sent: Sat 12/4/2004 5:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Restore AD



Al,

Aren't the underlying technology and the recovery of the data essentially the
same?  All of the entries (both in Exchange and AD) are simply records
within tables within a database.  Exchange basically flags the mailbox
record as deleted and then applies the defined mailbox retention settings to
allow for recovery.  Theoretically, it should be a similar process for AD to
allow records to be deleted (a group, a user, an OU), and then apply a
retention period to these objects and allow them to be recovered.

I for one would like to see this sort of functionality as well, as it would
greatly simplify some of our Admin procedures where we have to hang onto a
user's account who's left for up to 3 months to allow for the instance where
they come back.  We have to hold these accounts in a separate OU, then have
additional processes to clean the accounts after a period of time.  I would
love to just delete the account and mailbox on the day they leave, and they
have a defined period of time to recover the account before the automatic
cleanup process of AD / Exchange finally deletes the objects.  Would also
help greatly for the finger-fumbles.

G.
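The "delete now, recover within a retention period" flow Glenn describes is what tombstone reanimation on Windows Server 2003 DCs gives you, with the tombstone lifetime as the retention period. The script below is an added example, not code from this thread or from Microsoft: it finds the tombstone of a deleted user by sAMAccountName (which AD keeps on tombstones by default, along with objectSid, objectGUID, the security descriptor and lastKnownParent) and reanimates it with the single LDAP modify the DC requires: remove isDeleted and replace distinguishedName, both sent under the Show Deleted Objects control. It assumes a Windows Server 2003 or later DC at dc01.corp.example, a caller holding the "Reanimate Tombstones" right on the domain partition (Domain Admins have it by default), a tombstone still inside its lifetime, and 'jdoe' as the deleted account; all of those names are placeholders. The caveat a practitioner wants up front: what comes back is only what the tombstone kept, so password, enabled state and group memberships must be restored by hand, which is exactly the gap the thread is complaining about (the AD Recycle Bin in Windows Server 2008 R2 later closed it by keeping link values).

```powershell
# Added example (not from the thread): locate a deleted user's tombstone and
# reanimate it via LDAP modify under the Show Deleted Objects control.
# Assumptions: Windows Server 2003+ DC, caller has "Reanimate Tombstones" on the
# domain NC, tombstone within lifetime; the DC name and account are hypothetical.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$DomainController = 'dc01.corp.example'
$DeletedSam       = 'jdoe'

$domainNc = [string]([ADSI]"LDAP://$DomainController/RootDSE").defaultNamingContext.Value

$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($DomainController)
$conn.SessionOptions.ProtocolVersion = 3
$conn.Bind()   # current Windows credentials

function New-ShowDeletedControl {
    New-Object System.DirectoryServices.Protocols.ShowDeletedControl   # OID 1.2.840.113556.1.4.521
}

# 1. Find the tombstone. Without the control the DC hides CN=Deleted Objects entirely.
$search = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $domainNc,
    "(&(isDeleted=TRUE)(objectClass=user)(sAMAccountName=$DeletedSam))",
    [System.DirectoryServices.Protocols.SearchScope]::Subtree,
    [string[]]@('lastKnownParent', 'objectSid'))
[void]$search.Controls.Add((New-ShowDeletedControl))
$found = $conn.SendRequest($search)
if ($found.Entries.Count -ne 1) {
    throw "Expected exactly one tombstone for '$DeletedSam', found $($found.Entries.Count)"
}
$tomb   = $found.Entries[0]
$tombDn = $tomb.DistinguishedName      # CN=<name>\0ADEL:<guid>,CN=Deleted Objects,<domain NC>
$parent = [string]$tomb.Attributes['lastKnownParent'][0]

# 2. Rebuild the original RDN: the tombstone RDN is the old RDN plus "\0ADEL:<guid>".
#    Split on the first unescaped comma so an escaped comma inside the CN survives,
#    and accept either the escaped "\0A" or a raw line feed before DEL.
$tombRdn = ($tombDn -split '(?<!\\),', 2)[0]
$rdn     = $tombRdn -replace '(\\0A|\n)DEL:[0-9a-fA-F-]+$', ''
$newDn   = "$rdn,$parent"

# 3. Reanimate: one modify that removes isDeleted and replaces distinguishedName,
#    carrying the same control so the DC will address the tombstone at all.
$clearDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$clearDeleted.Name      = 'isDeleted'
$clearDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

$moveBack = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$moveBack.Name      = 'distinguishedName'
$moveBack.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
[void]$moveBack.Add($newDn)

$mods     = [System.DirectoryServices.Protocols.DirectoryAttributeModification[]]@($clearDeleted, $moveBack)
$undelete = New-Object System.DirectoryServices.Protocols.ModifyRequest($tombDn, $mods)
[void]$undelete.Controls.Add((New-ShowDeletedControl))
$reply = $conn.SendRequest($undelete)
"Reanimated '$tombDn' as '$newDn' (result: $($reply.ResultCode))"

# 4. Only preserved attributes came back (SID, GUID, sAMAccountName, security
#    descriptor, lastKnownParent, plus anything flagged preserve-on-delete).
#    Password and enabled state are gone, so finish the recovery explicitly;
#    group memberships (link values) must be re-added separately.
$user = [ADSI]"LDAP://$DomainController/$newDn"
$user.SetPassword('replace-with-a-temporary-password')   # assumption: set per your policy
$user.Put('userAccountControl', 512)                     # NORMAL_ACCOUNT, clears ACCOUNTDISABLE
$user.SetInfo()
```

Because the SID and GUID are the ones the tombstone kept, ACLs and SID-based references elsewhere still resolve to the recovered account, which is the one thing a fresh "re-create the user" cannot give you. Group membership is the opposite: it was stripped at deletion, and you need your own record of it (an export, the infrequently replicating site Al describes, or a third-party tool) to put it back.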


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Saturday, 4 December 2004 7:05 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Restore AD

I have not heard of anything like that directly from Microsoft.  Been asking
those same questions, but perhaps too quietly.

I can tell you that one reason you won't see the same functionality as
Exchange is that you're dealing with different technology underneath.  What
I mean by that is that you're just wiping out attributes and links based on
that for an Exchange user, but the datastore (the user's mail data) is still
intact.  You basically just lose reference to it.  AD is the store where
those references live.  Up-level from Exchange if you will. So if you lose
those references, you really have nothing.  In order to make something
useful for recovery, you'd have to maintain that information somewhere and
keep it in relation to the original object. 

That said, there are third-party apps that can provide this type of
functionality for you.  That may be enough for many.  Just seems it's about
time that this functionality gets introduced natively.

My $0.02

Al



List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
