Re: [ActiveDir] AD Restore Problem

Thu, 06 Oct 2005 10:59:13 -0700

Item 2 is kinda the part that I read as saying "uh...you sure you want to do that?"

Operations that are not supported include the following:
1. Starting an Active Directory domain controller whose operating system was restored to a hard disk by using an imaging program such as Norton Ghost
2. Starting an Active Directory domain controller whose operating system resides in a virtualized hosting environment such as Microsoft Virtual PC, Microsoft Virtual Server 2005, or EMC VMWARE
3. Starting an Active Directory domain controller that is located on a volume where the disk subsystem loads using previously saved images of the operating system without requiring a system state restoration of Active Directory.


Fugleberg, David A wrote: 
As I read it, The KB cited does NOT say that 'having a DC in a Virtual
Server environment is not supported'.  In fact, 
MS has published a paper
(http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-
4209-8ED2-E261A117FC6B&displaylang=en) with explicit guidance on how to
successfully run DCs on virtual server.

The cited KB DOES explain that bringing a backed up virtual DC online to
recover from a failure will cause problems (because of the USN rollback
issue).

As has been pointed out many times on this list, restoring a failed DC
from a disk image (Ghost, .vhd file, whatever) is a spectacularly Bad
Idea.  As I understand it, this is primarily because all DCs track some
metadata about the state of the AD NC replicas on their replication
partners (the High-Watermark Vector, the Up-To-Date vector, and the GUID
of the replica itself, for example).  If a failed DC is 'restored' by
reviving an old image, the partner DCs will believe the DC is more
up-to-date than it really is, and replication will suffer.  The hotfix
in the cited KB article will protect you somewhat by logging an event
and stopping netlogon, but you still need to clean it up.  On the other
hand, restoring a DC using normal System State restore procedures causes
the restored replica to get a new GUID, so it's obvious to the
replication partners that they're dealing with a 'different' replica and
normal replication can allow it to catch up.

So, "DC on VS" = OK, but "restoring a disk image of a DC" = BAD.

Dave
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, October 06, 2005 9:15 AM
To: [email protected]
Subject: Re: [ActiveDir] AD Restore Problem


<stupid question alert>

Okay so unless you are insane SBS.. images of your DCs are ixnay.  What 
does Sun, Linux, Mac or any other competing Server OS do in their world 
to ensure the Kingdom easily and quickly comes back up?  <yeah I know 
they don't have AD but they have to have some competing glue, right?>  
What have they done if anything?


How to detect and recover from a USN rollback in Windows Server 2003:
http://support.microsoft.com/?kbid=875495

That KB is interesting as it clearly indicates that having a DC in a 
Virtual Server environment is not supported... yet we SBSers have gotten

word that once Exchange 2003 sp2 supports Vserver all of the parts of 
the 'standard' box will be supported in a virtual environment.


Brett Shirley wrote:

  
If you have any replicas of those servers, when you restore those 
VMWare images, you will have corrupted your forest during restore.

-BrettSh [msft]

This posting is provided "AS IS" with no warranties, and confers no 
rights.


On Thu, 6 Oct 2005, Carroll Frank USGR wrote:

 

    
I am working my way down the VMWare path also for my ultimate DR "ace 
in the hole". The environment is a TLD with 4 child domains. I am 
planning on running a single VMWare server that has virtual DCs for 
all 5 domains. I am going to peel off a dedicated site/vlan and put 
the physical VMWare server and all of the DC virt servers in that 
site. None of the virtual DCs are going to be GCs. The reason for the 
dedicated site is so I can keep people from using them for validation 
in production.

Once I have them running, I plan to use the VM scripting to gracefully
      

  
shut them down once a day and then shoot the image file of the 
shutdown DC off to tape, which then goes off-site. After the backup 
completes I then restart the virtual servers.

This plays into the different hardware scenario since I can use VMWare
      

  
to abstract the hardware.

Of course, this whole process is the backup to the normal system state
      

  
backup of all my backbone DCs.

FWIW - Frank

________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Coleman, 
Hunter
Sent: Wednesday, October 05, 2005 5:37 PM
To: [email protected]
Subject: RE: [ActiveDir] AD Restore Problem


You will still need to abandon the snapshot/image approach. Go to 
http://www.mail-archive.com/[email protected]/ and search 
for "usn rollback". You can get the same information by searching 
support.microsoft.com, but without the colorful and enlightening 
commentary that the list provides.

Hunter

   

      
 

    
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

  

-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Reply via email to