Al,

I appreciate the response - very definitive and to the point.  We will add
the root restore into our newly revised :) DR plans.

Thanks to all who responded.  Helped me out a ton! 

Not to open a whole new can of worms - but - what (other than what you
described below) is the reason(s) empty root domains are not preferred? 

Joe Pelle
Senior Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway Livonia, MI 48152
Tel 734.591.7324  Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/

This message may include proprietary or protected information. If you are
not the intended recipient, please notify me, delete this message, and do
not further communicate the information contained herein without my express
written consent.


-----Original Message-----
From: Al Mulnick [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 03, 2005 7:05 AM
To: [email protected]
Subject: RE: [ActiveDir] seize schema master question

Joe, you wouldn't be able to restore Exchange nor install new Exchange
without the forest root.  Exchange writes to the configuration NC which
is forest-wide:
cn=Microsoft Exchange,cn=Services,cn=Configuration,dc=<root domain>.
I suppose it's possible to do something with some sleight of hand to
write to a copy in the child domain, but it would get ugly quickly if
you tried.

To do your Exchange DR you'll need both the root and the child.  It's
one of the reasons that an empty root design is not favored any longer
in many designs. (Of course, Microsoft still needs to update their docs
to reflect this. ;)  

I'm assuming of course that you're not installing new apps during DR
scenarios, but then again I haven't seen your DR scenario information.
Correct me if I'm wrong.

In addition to the docs Jorge points out in his other email, you may
want to have a look at the DR papers for Exchange
http://www.microsoft.com/exchange/library for some additional
information.  

Basically, you'll need to restore the root, then the child, then the
application(s).  There's also some cleanup for the domains as you are
working them in that needs to get done since presumably there are no
additional domain controllers to replicate with (again, I'm making an
assumption that your DR scenario fits the model I'm envisioning; stop
the madness if needed).  2K3 sp1 reportedly has some new features around
this in ntdsutil so it's worth looking at when developing your DR plan. 

I think it's a great idea to test these types of concepts so you can
find issues exactly like this. 

Al
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Monday, May 02, 2005 3:55 PM
To: 'Pelle, Joe '; '[EMAIL PROTECTED] ';
'[email protected] '
Subject: RE: [ActiveDir] seize schema master question

 As I said before... for a disaster recovery plan, you NEED to take
everything into account within an AD forest. There are too many
dependencies to restore only a child domain without having a forest root
domain in place.

What I'm still trying to understand is why you want to install exchange
during a disaster recovery scenario. Can you explain that one?

In my opinion when doing a disaster recovery, no new implementations (or
serious changes)(and installing an exchange org in a forest is a serious
change to me) would occur before the forest was working more than OK!

#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED]
To: [email protected]
Sent: 5/2/2005 6:18 PM
Subject: RE: [ActiveDir] seize schema master question

Why would you want to resurrect the root domain if it's working?

The child domain was working fine - but I need Exchange installed -
which meant I needed the schema role 

 

What do you mean with "But since the schema master would in theory never
have been online - ever - the seizure would be the appropriate step "

For the DR test ONLY - the schema master server was not scheduled to be
restored - therefore we would never bring that online - allowing the
seizure of the schema role (assuming that you can seize the role from a
parent domain)

 

Isn't it true that your forest root domain is OK and up and that you
were restoring only the child domain?

No - the root was never restored.  The original question was that would
we need to restore the root to get exchange installed.  The plans were
only to restore the child domain

Trying to understand this one here..

Me too!

 

Joe Pelle


 

  _____  

From: Jorge de Almeida Pinto
[mailto:[EMAIL PROTECTED]
Sent: Monday, May 02, 2005 11:13 AM
To: [email protected]
Subject: RE: [ActiveDir] seize schema master question

 

Why would you want to resurrect the root domain if it's working?

 

What do you mean with "But since the schema master would in theory never
have been online - ever - the seizure would be the appropriate step "

 

Isn't it true that your forest root domain is OK and up and that you
were restoring only the child domain?

 

Trying to understand this one here..

 

Cheers

#JORGE#

 

  _____  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: maandag 2 mei 2005 16:04
To: [email protected]
Subject: RE: [ActiveDir] seize schema master question

Thanks for the feedback everyone....

 

In retrospect resurrecting the root domain would have been the smart
thing to do for many reasons (dependencies).   But since the schema
master would in theory never have been online - ever - the seizure would
be the appropriate step - I just didn't know if moving the schema master
to a child domain would have any ill effects on the rest of the
infrastructure...

 

Thanks again to all who responded! 

 

Joe Pelle


 

  _____  

From: Jorge de Almeida Pinto
[mailto:[EMAIL PROTECTED]
Sent: Monday, May 02, 2005 9:30 AM
To: [email protected]
Subject: RE: [ActiveDir] seize schema master question

 

oops, I forgot..

 

only seize a FSMO role when really needed. in this case you don't need
to seize the schema role

why restore a domain if it's working? check only dependencies between
the domains

 

#JORGE#

 

  _____  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: maandag 2 mei 2005 15:11
To: [email protected]
Subject: RE: [ActiveDir] seize schema master question

* Ping the Schema master from a child domain DC

* Check the trust between the parent domain and the child domain with
NETDOM or with Active Directory Domains and Trusts (this should be one
of the checks after restoring the child domain)

* Ask for the FSMO role owners with NETDOM QUERY FSMO

* Run DCDIAG /V on the child DC

 

By the way: did the complete child domain go back in time?

 

HINT: think about what happens with objects that were created after the
backups you used

 

TIP: when doing a DR of a certain domain or the complete forest you MUST
in both situations take the complete forest and its owners into account.
There are dependencies and you cannot work alone

 

Cheers,

#JORGE#

 

PS.: not so long ago there was a similar thread where I and I think
Guido made some suggestions.
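
An added example, not part of Jorge's message: one way to turn the NETDOM QUERY FSMO check above into a DR-plan review, by parsing the role owners and flagging any that the plan does not restore. The NETDOM output below is a constructed sample and every host and domain name is a made-up assumption.

```powershell
# Constructed sample in the shape NETDOM QUERY FSMO prints on W2K3.
# All host and domain names are invented for illustration.
$netdomOutput = @'
Schema owner                rootdc01.corp.example

Domain role owner           rootdc01.corp.example

PDC role                    childdc01.child.corp.example

RID pool manager            childdc01.child.corp.example

Infrastructure owner        childdc02.child.corp.example

The command completed successfully.
'@

# Assumption: the DCs the DR plan actually restores (hypothetical name).
$restoredDCs = @('childdc01.child.corp.example')

# Forest-wide roles (older and newer NETDOM labels); the rest are per-domain.
$forestRoles = @('Schema owner', 'Schema master',
                 'Domain role owner', 'Domain naming master')

function Get-FsmoGap {
    param([string]$Text, [string[]]$Restored)
    foreach ($line in $Text -split "`r?`n") {
        # Role label and owner FQDN are separated by two or more spaces;
        # the trailing status line has no such gap and is skipped.
        if ($line -match '^(?<role>\S.*?)\s{2,}(?<owner>\S+\.\S+)\s*$') {
            [pscustomobject]@{
                Role     = $Matches['role']
                Owner    = $Matches['owner']
                Scope    = if ($forestRoles -contains $Matches['role']) { 'Forest' } else { 'Domain' }
                Restored = $Restored -contains $Matches['owner']
            }
        }
    }
}

# Roles whose current owner is missing from the restore plan.
$gaps = Get-FsmoGap -Text $netdomOutput -Restored $restoredDCs |
        Where-Object { -not $_.Restored }
$gaps | Format-Table Role, Owner, Scope -AutoSize

if ($gaps | Where-Object { $_.Scope -eq 'Forest' }) {
    Write-Warning 'A forest-wide role owner is not in the restore plan; the forest root has to be restored as well.'
}
```

Against a live forest, replace the sample with the captured output of `netdom query fsmo` run on a child domain DC.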

 

  _____  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: maandag 2 mei 2005 14:04
To: [email protected]
Subject: RE: [ActiveDir] seize schema master question

W2K3 Domain and E2k3 - 

 

Error related to: unable to contact the active directory

 

Joe Pelle


 

  _____  

From: Jorge de Almeida Pinto
[mailto:[EMAIL PROTECTED]
Sent: Monday, May 02, 2005 7:57 AM
To: [email protected]
Subject: RE: [ActiveDir] seize schema master question

 

A DR test... interesting. I have created such a procedure once for one
of my customers...damn what a rush! ;-)

 

Is this W2K or W2K3 AD?

What are the errors or notifications you have experienced when trying to
install exchange?

 

Cheers,

#JORGE#

 

 

  _____  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: maandag 2 mei 2005 13:25
To: [email protected]
Subject: [ActiveDir] seize schema master question

Hello! 

 

Our company recently went through a DR test and had some interesting
results.  One in particular is that we couldn't get Exchange installed
because it couldn't write to the Schema (schema master was not
restored).  Here is my question:  we have an empty root (where the
schema master lives) that we did NOT restore... and we have our primary
domain where users and Exchange lives (this is the domain that we
restored).  Could I have seized the Schema master role and moved it to
the restored (child domain) or should we have restored the root? 

 

I am going to try this in the lab this week but I wanted some feedback -
past experiences, how some of you would recommend doing this, etc. 

As always, Thanks! 

 

Joe Pelle


 


This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be
copied, disclosed to, retained or used by, any other party. If you are
not an intended recipient then please promptly delete this e-mail and
any attachment and all copies and inform the sender. Thank you.


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/