Susan, item #2 is perfectly fine now. You can host your DC on a VS guest and MS will support it. I know you know that that is not the same as SAVING it to a vhd and resuscitating it a month later. That will cause problems like Brett and others have said repeatedly. But, RUNNING your DC on VS is not a bad thing anymore. I run E2K3-SP2 on VS2005-SP1 right now, and it works fine for me. MS will begin to support that, too - not because it works for ME, but because they know that there are no technical limitations that will necessitate not supporting it.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thu 10/6/2005 9:28 AM
To: [email protected]
Subject: Re: [ActiveDir] AD Restore Problem

Item 2 is kinda the part that I read as saying "uh...you sure you want to do that?"

Operations that are not supported include the following:

1. Starting an Active Directory domain controller whose operating system was restored to a hard disk by using an imaging program such as Norton Ghost
2. Starting an Active Directory domain controller whose operating system resides in a virtualized hosting environment such as Microsoft Virtual PC, Microsoft Virtual Server 2005, or EMC VMWARE
3. Starting an Active Directory domain controller that is located on a volume where the disk subsystem loads using previously saved images of the operating system without requiring a system state restoration of Active Directory.

Fugleberg, David A wrote:

As I read it, The KB cited does NOT say that 'having a DC in a Virtual Server environment is not supported'. In fact, MS has published a paper (http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en) with explicit guidance on how to successfully run DCs on virtual server. The cited KB DOES explain that bringing a backed up virtual DC online to recover from a failure will cause problems (because of the USN rollback issue). As has been pointed out many times on this list, restoring a failed DC from a disk image (Ghost, .vhd file, whatever) is a spectacularly Bad Idea.

As I understand it, this is primarily because all DCs track some metadata about the state of the AD NC replicas on their replication partners (the High-Watermark Vector, the Up-To-Date vector, and the GUID of the replica itself, for example). If a failed DC is 'restored' by reviving an old image, the partner DCs will believe the DC is more up-to-date than it really is, and replication will suffer. The hotfix in the cited KB article will protect you somewhat by logging an event and stopping netlogon, but you still need to clean it up. On the other hand, restoring a DC using normal System State restore procedures causes the restored replica to get a new GUID, so it's obvious to the replication partners that they're dealing with a 'different' replica and normal replication can allow it to catch up.

So, "DC on VS" = OK, but "restoring a disk image of a DC" = BAD.

Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, October 06, 2005 9:15 AM
To: [email protected]
Subject: Re: [ActiveDir] AD Restore Problem

<stupid question alert>

Okay so unless you are insane SBS.. images of your DCs are ixnay. What does Sun, Linux, Mac or any other competing Server OS do in their world to ensure the Kingdom easily and quickly comes back up? <yeah I know they don't have AD but they have to have some competing glue, right?> What have they done if anything?

How to detect and recover from a USN rollback in Windows Server 2003:
http://support.microsoft.com/?kbid=875495

That KB is interesting as it clearly indicates that having a DC in a Virtual Server environment is not supported... yet we SBSers have gotten word that once Exchange 2003 sp2 supports Vserver all of the parts of the 'standard' box will be supported in a virtual environment.

Brett Shirley wrote:

If you have any replicas of those servers, when you restore those VMWare images, you will have corrupted your forest during restore.

-BrettSh [msft]
This posting is provided "AS IS" with no warranties, and confers no rights.

On Thu, 6 Oct 2005, Carroll Frank USGR wrote:

I am working my way down the VMWare path also for my ultimate DR "ace in the hole". The environment is a TLD with 4 child domains. I am planning on running a single VMWare server that has virtual DCs for all 5 domains. I am going to peel off a dedicated site/vlan and put the physical VMWare server and all of the DC virt servers in that site. None of the virtual DCs are going to be GCs. The reason for the dedicated site is so I can keep people from using them for validation in production. Once I have them running, I plan to use the VM scripting to gracefully shut them down once a day and then shoot the image file of the shutdown DC off to tape, which then goes off-site. After the backup completes I then restart the virtual servers. This plays into the different hardware scenario since I can use VMWare to abstract the hardware. Of course, this whole process is the backup to the normal system state backup of all my backbone DCs.

FWIW - Frank

________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Wednesday, October 05, 2005 5:37 PM
To: [email protected]
Subject: RE: [ActiveDir] AD Restore Problem

You will still need to abandon the snapshot/image approach. Go to http://www.mail-archive.com/[email protected]/ and search for "usn rollback". You can get the same information by searching support.microsoft.com, but without the colorful and enlightening commentary that the list provides.

Hunter

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
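
The following is an added example, not part of the thread and not Microsoft's code: a toy Python model of the replication bookkeeping Dave describes, showing why reviving a disk image leaves partners believing the DC is more current than it is, while a restore that assigns a new GUID lets both sides catch up. The DC class, the restore helpers and the rollback check are all simplified assumptions.

```python
import copy
import uuid

class DC:
    """Simplified domain controller: one database instance plus its change log."""
    def __init__(self, name):
        self.name = name
        self.invocation_id = uuid.uuid4().hex  # GUID of this replica (assumed model)
        self.usn = 0                           # local update sequence number
        self.changes = {}                      # (originating GUID, USN) -> value
        self.utd = {}                          # up-to-date vector: GUID -> highest USN held

    def write(self, value):
        self.usn += 1
        self.changes[(self.invocation_id, self.usn)] = value
        self.utd[self.invocation_id] = self.usn

    def pull_from(self, src):
        """Copy only changes above our up-to-date vector; return the values received."""
        got = []
        for (inv, usn), value in sorted(src.changes.items()):
            if usn > self.utd.get(inv, 0):
                self.changes[(inv, usn)] = value
                got.append(value)
        for inv, usn in src.utd.items():
            self.utd[inv] = max(self.utd.get(inv, 0), usn)
        return got

def restore_image(image):
    return copy.deepcopy(image)                # same GUID, old USN: the rollback case

def restore_system_state(image):
    dc = copy.deepcopy(image)
    dc.invocation_id = uuid.uuid4().hex        # restored replica gets a new GUID
    return dc

def scenario(restore):
    dc1, dc2 = DC("dc1"), DC("dc2")
    for v in "abc":
        dc1.write(v)
    image = copy.deepcopy(dc1)                 # backup or disk image taken at USN 3
    dc1.write("d"); dc1.write("e")
    dc2.pull_from(dc1)                         # dc2 now records dc1's GUID at USN 5
    dc1 = restore(image)                       # dc1 fails and is brought back
    # Simplified rollback check: partner holds a higher USN for this GUID than the DC has
    flagged = dc2.utd.get(dc1.invocation_id, 0) > dc1.usn
    dc1.write("x"); dc1.write("y")             # new changes made after the restore
    return flagged, dc2.pull_from(dc1), dc1.pull_from(dc2)

if __name__ == "__main__":
    print("image restore       :", scenario(restore_image))
    print("system state restore:", scenario(restore_system_state))
```

In the image case the check fires only while the restored USN is still below the partner's record; once the new writes reuse USNs 4 and 5, nothing replicates in either direction and the two databases silently hold different values for the same change identifiers.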
