Please don't forget to insert these steps:
2.5 reboot the DC back to normal mode
2.7 give a chance for the auth restore to replicate out (not
necessary, just a good idea)
I'm so glad Guido wrote up the below, I had something 1/2 written up, but
I couldn't remember any of the details ...
Cheers,
Brett
On Fri, 12 Aug 2005, Grillenmeier, Guido wrote:
> Hopefully you have another Win2003 DC with SP1 => a non-SP1 2003 DC
> would require you to perform more manual steps during the restore. As
> you're still in mixed mode, none of your links are LVR (which means they
> won't be revived on a non-SP1 DC and of course not on a Win2000 DC).
>
> 1. so boot another SP1 DC into DS Restore mode
> 2. use ntdsutil.exe to auth restore that user's object
> => with SP1, this step will create an LDIF file that will allow you to
> restore the groups etc.
> it will be called
> "ar_<date>-<time>_links_<fully.qualified.domain.name>.ldf"
> (e.g. ar_20050725-145850_links_child1.root.net.ldf) and contain
> something similar to this:
>
> dn: CN=Child1-UG1,OU=Groups,OU=MyChild1OU1,DC=child1,DC=root,DC=net
> changetype: modify
> delete: member
> member: CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net
> -
>
> dn: CN=Child1-UG1,OU=Groups,OU=MyChild1OU1,DC=child1,DC=root,DC=net
> changetype: modify
> add: member
> member: CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net
> -
>
> dn: CN=Child1-User2,OU=Accounts,OU=MyChild1OU1,DC=child1,DC=root,DC=net
> changetype: modify
> delete: manager
> manager: CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net
> -
>
> dn: CN=Child1-User2,OU=Accounts,OU=MyChild1OU1,DC=child1,DC=root,DC=net
> changetype: modify
> add: manager
> manager: CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net
> -
>
> If you have multiple domains, you may get more than one file (depends on
> group-memberships of user and if you are doing the auth restore on a DC
> or GC - you should choose a GC if you have more than one domain). All
> you need to do after reboot is take that file and execute an LDIF import
> command (on a DC that corresponds to the file's domain):
>
> Ldifde -i -k -f ar_<date>-<time>_links_<fully.qualified.domain.name>.ldf
> e.g. Ldifde -i -k -f ar_20050725-145850_links_child1.root.net.ldf
>
> /Guido
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Shadow Roldan
> Sent: Friday, 12 August 2005 01:35
> To: [email protected]
> Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?
>
> OK This is what I was looking for, this site didn't actually have a
> chance to repl out the delete so I just push back the 'good' state?
>
> So, if I understand I am supposed to:
>
> 1. reboot a good DC into DS Restore mode
> 2. use ntdsutil.exe to auth restore that user's object.
> 3. use ldifde to restore the links (not sure about this step...any more
> info?)
>
> Bring my mistake DC back online, it tries to replicate, hits the Auth
> Restore, and the delete gets tossed, my mistake is rectified, and no one
> is the wiser...
>
> Yes?
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
> Sent: Thursday, August 11, 2005 2:56 PM
> To: [email protected]
> Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?
>
> I agree completely - that is the attraction of the lag sites - I have
> something in which I can push a change back out from a time delayed
> replica to where the object still exists.
>
> And I agree as well - if there is a DC that has the object required - by
> all means, repl it back out authoritatively.
>
> Rick
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> Sent: Thursday, August 11, 2005 3:31 PM
> To: [email protected]
> Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?
>
> Hmmm, maybe I misunderstood ...
>
> I understood he has a user deleted on some DCs, but not on others. He
> doesn't want the user deleted. He can then just take a DC with the
> user, auth restore the user, let that replicate out. Yes, the delete
> change will try to replicate out, but when it hits the auth restore the
> delete operation will essentially be tossed.
>
> I mean this is the whole attraction to hot sites is it not? Am I missing
> something?
>
> Cheers,
> BrettSh
>
> On Thu, 11 Aug 2005, Rick Kingslan wrote:
>
> > Brett,
> >
> > How is this going to help him get the DC back online that he yanked
> > the cable on? As soon as that system is plugged back in, it's going
> > to repl out the change, no?
> >
> > Rick
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> > Sent: Thursday, August 11, 2005 1:54 PM
> > To: [email protected]
> > Subject: Re: [ActiveDir] A bad bad thing...Manual push of AD?
> >
> >
> > Well you're lucky that you yanked the network cable in time, now you
> > don't have to do a system state restore to get the user back ...
> >
> > Find a DC where the user still exists in a pristine condition, all the
> > mailbox details, etc. Reboot the DC in DS Restore mode (DSRM). Use
> > ntdsutil.exe to auth restore just that user's object.
> >
> > You may (probably will) also have to restore links to that user, at
> > this point it'd be nice if you were running on Win2k3 SP1, but if not
> > it is still accomplishable.
> >
> > For Win2k3 SP1, after auth restoring the user, there should be some
> > ldf file(s) that will allow you to restore the links. Simply use ldifde
> > to apply these files to the appropriate DCs (up to one ldf per
> > domain).
> >
> > For pre this latest generation (which is more likely, because you
> > could yank the net cable in time), you may have to find the objects
> > that are linked to the user, and restore them yourself. You can do
> > this by performing an LDAP operation that deletes and re-sets the
> > links to that user.
> >
> > BTW, there is a more extensive KB article you might find useful:
> > http://support.microsoft.com/?kbid=840001
> >
> > Cheers,
> > BrettSh
> >
> > This posting is provided "AS IS" with no warranties, and confers no
> > rights.
> >
> > On Thu, 11 Aug 2005, Shadow Roldan wrote:
> >
> > > So I did a bad thing, I deleted a user at a different site and
> > > marked his mailbox for deletion
> > >
> > > Immediately recognizing my mistake I *ran* to the server room and
> > > yanked the network cable of the dc I was connected to.
> > >
> > > For now, none of the changes have replicated.
> > >
> > > I want to bring this machine back online, but I don't want those
> > > changes to go through
> > >
> > > How would you make this happen?
> > >
> > > Thanks guys
> > >
> > >
> > >
> > > S
> > >
> > >
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
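As an added example (not code from this thread, from ntdsutil or from ldifde): the Python script below builds the delete-then-add modify pairs that Brett describes for the pre-SP1 manual case, in the same shape as the ar_*_links_*.ldf file Guido shows, and then checks such a file before it is imported: every delete must be followed by a re-add of the same value (a delete with no matching add would leave the link removed), and each dn is grouped by its domain so the file is fed to ldifde on a DC of the right domain. The user and link DNs are constructed from the thread's sample, not real directory data.

```python
"""Build and check the delete/re-add LDIF that restores links to an auth-restored user."""
import re
from collections import defaultdict

# Constructed example: the restored user and the objects whose link attributes point at it.
USER = "CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net"
LINKS = [
    ("CN=Child1-UG1,OU=Groups,OU=MyChild1OU1,DC=child1,DC=root,DC=net", "member"),
    ("CN=Child1-User2,OU=Accounts,OU=MyChild1OU1,DC=child1,DC=root,DC=net", "manager"),
]


def relink_ldif(user_dn, links):
    """Emit a delete-then-add modify pair per link (the manual pre-SP1 equivalent)."""
    out = []
    for dn, attr in links:
        for op in ("delete", "add"):
            out.append(f"dn: {dn}\nchangetype: modify\n{op}: {attr}\n{attr}: {user_dn}\n-\n")
    return "\n".join(out)


def parse_records(text):
    """Return (dn, op, attr, value) per modify record, unfolding LDIF continuation lines."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        unfolded = re.sub(r"\n ", "", block)  # LDIF folds long lines with a leading space
        f = dict(l.split(": ", 1) for l in unfolded.splitlines() if ": " in l)
        op = "delete" if "delete" in f else "add"
        records.append((f["dn"], op, f[op], f[f[op]]))
    return records


def domain_of(dn):
    """Domain FQDN from the DC= components, i.e. which domain's DC should run ldifde."""
    return ".".join(p[3:] for p in dn.split(",") if p.upper().startswith("DC="))


def check_links(text):
    """Pair each delete with its re-add; return ({domain: [(dn, attr, value)]}, problems)."""
    pending, links, problems = {}, defaultdict(list), []
    for dn, op, attr, value in parse_records(text):
        key = (dn, attr, value)
        if op == "delete":
            pending[key] = True
        elif pending.pop(key, None):
            links[domain_of(dn)].append(key)
        else:
            problems.append(f"add without preceding delete: {attr} on {dn}")
    problems += [f"delete never re-added: {a} on {d}" for d, a, _ in pending]
    return dict(links), problems


if __name__ == "__main__":
    by_domain, problems = check_links(relink_ldif(USER, LINKS))
    for domain, entries in by_domain.items():
        print(f"run ldifde -i -k -f <file> on a DC of {domain}: {len(entries)} link(s)")
```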