Hi,
 
A question comes to me....
 
Can the lag site strategy solve the issue concerning the auth restore of the 
group memberships information for the deleted users and computers accounts from 
AD ?
 
Or do we still need to follow the directives as stated in the "How to restore 
deleted user accounts and their group memberships in Active Directory" (see 
http://support.microsoft.com/default.aspx?scid=kb;en-us;840001) in order to 
repopulate the group memberships information (member and memberof attributes)?
 
Yann

________________________________

From: [EMAIL PROTECTED] on behalf of Ulf B. Simon-Weidner
Date: Wed. 26/10/2005 21:35
To: [email protected]
Subject: RE: [ActiveDir] AD Lag Site



Keep in mind that Lag-Sites are not intended for the "I did something wrong
some weeks ago" errors, they are only for "Oops - I just deleted something".
And to make sure that you are able to "undelete" every object no matter when
you made the mistake (e.g. one minute before replication to the lag-site)
the idea of two or more lag-sites with different schedules jumps in. Like the
examples I provided with two sitelinks replicating once a week but half a
week apart make sure that you have at least a 3.5 old version of the object
in one of the lag sites.

Ulf

|-----Original Message-----
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of
|Almeida Pinto, Jorge de
|Sent: Wednesday, October 26, 2005 8:08 PM
|To: [email protected]; [email protected]
|Subject: RE: [ActiveDir] AD Lag Site
|
|yes... IF the detection of the deletion is BEFORE the
|replication window to the lag site. Otherwise the tombstone
|will replicate to the lag site also. It is just an extra
|opportunity for you to make a deletion undone without doing a
|non-auth restore!
|
|As the object and its metadata still exists on the replica of
|the DC, there is no need to do a non-auth restore. Therefore
|you need to do only an auth restore so the version becomes
|higher than the deleted object and the deletion is undone.
|Of course you will still need to do a non-auth restore
|followed by an auth restore if the detection of the deletion is
|after the replication window to the lag site.
|
|Jorge
|
|________________________________
|
|From: [EMAIL PROTECTED] on behalf of TIROA YANN
|Sent: Wed 10/26/2005 4:12 PM
|To: [email protected]
|Subject: RE: [ActiveDir] AD Lag Site
|
|
|......If I understand correctly what Activedir gurus explained
|to me earlier,
|-> Without a lag site, you must do a non-auth restore followed
|by an auth restore.
|-> With a lag site, you only need to do an auth restore.
|
|I'm right? :)
|
|Yann
|
|________________________________
|
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of
|CHIANESE, DAVID
|Sent: Wednesday, October 26, 2005 15:59
|To: [email protected]
|Subject: RE: [ActiveDir] AD Lag Site
|
|
|More so for deletion of objects so you wouldn't have to do an
|authoritative restore from a backup.
|
|
|David Chianese
|
|
|________________________________
|
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Etts, Russell
|Sent: Wednesday, October 26, 2005 9:23 AM
|To: [email protected]
|Subject: RE: [ActiveDir] AD Lag Site
|
|
|I'm sorry if I sound ignorant, but what is the purpose of a
|"lag site"?  Is it a site that you don't replicate for a
|specific period of time so that if there is a disaster, you can
|get the data from the lag site??
|
|Thanks
|
|Russ
|
|________________________________
|
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Ulf
|B. Simon-Weidner
|Sent: Tuesday, October 25, 2005 5:00 PM
|To: [email protected]
|Subject: RE: [ActiveDir] AD Lag Site
|
|
|I did those too, and some other things to consider were:
|* Putting them inside a virtual machine with faked Subnetting
|in AD: Take a class C Network and split it in AD Sites and
|Services, not TCP/IP, then you can spare the router
|* Assign the site membership for the host via GPO if it is in
|one of the virtual subnets of the virtual lag-dcs (depending
|on the subnetting possibilities you have)
|* Configure a firewall between the sites to make sure the
|machines only talk to the ones they are supposed to (if available)
|* Use scripting to shut down virtual networks if available in
|the times they are not supposed to replicate
|* Make sure that you configure replication so that it runs a
|couple times during the allowed timeframe
|* Configure terminal services access on the lag DCs
|* Configure boot.ini to be able to boot into DSRM by changing
|the default without querying for the boot.ini parameter when necessary.
|
|For the replication I usually configured replication every 15
|minutes (the Lag-Sites were on the same LAN), Site 1
|replicates Tuesday 10pm to Wednesday 2am, Site 2 replicates
|Saturday 10am to 2pm (each 4 hrs, exactly 1/2 Week apart).
|
|Ulf
|
|
|________________________________
|
|       From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of
|Almeida Pinto, Jorge de
|       Sent: Tuesday, October 25, 2005 3:57 PM
|       To: [email protected]
|       Subject: RE: [ActiveDir] AD Lag Site
|      
|      
|       Hi,
|       Guido and Gil wrote a great ebook about recovery
|whereas information about lagsites is included
|       Take a look at:
|http://www.netpro.com/events/adrecovery/index.cfm (registration needed)
|       
|       For starters some tips:
|       * Place at least one DC for each domain in the lag site
|       * Allow the DCs in the lag site to register only the
|replication record (CNAME) in the DNS zone _MSDCS.FORESTROOT
|       * Don't assign WINS server IP addresses for the DCs in
|the lag sites
|       * Make sure the site link between the lag site and the
|hub site has a higher cost than all other site links that
|connect the hub site and other sites (reason: Exchange AD
|topology discovery for the out-of-site list of DCs/GCs)
|       * You might want to use lag sites (e.g. 2) that
|replicate in steps (1st site replicates like each 3 days and
|the other each week) whereas the second lag site is connected
|to the first and the first is connected to the second and the hub site
|       
|       This might be expensive though and you also might have
|a look at object recovery tools available by third party vendors
|       
|       Cheers,
|       Jorge
|
|________________________________
|
|       From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Shawn Hayes
|       Sent: Tuesday, October 25, 2005 15:31
|       To: [email protected]
|       Subject: [ActiveDir] AD Lag Site
|      
|      
|       Anyone have any pointers (documentation or real life
|experience) on setting up an AD Lag Site?
|       
|       Thanks in advance,
|       
|       Shawn
|       
|
|
|
|List info   : http://www.activedir.org/List.aspx
|List FAQ    : http://www.activedir.org/ListFAQ.aspx
|List archive:
|http://www.mail-archive.com/activedir%40mail.activedir.org/
|
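The two-lag-site schedule quoted in this thread (Tuesday 10pm to Wednesday 2am, and Saturday 10am to 2pm) can be checked with a short model of when a deletion reaches each lag site. This is an added example, not part of any list member's message; the site names are hypothetical, and it assumes a tombstone arrives as soon as a site's replication window is open.

```python
from dataclasses import dataclass

DAY, WEEK = 24 * 60, 7 * 24 * 60          # minutes
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

def at(day, hhmm):
    """Minute of the week, e.g. at("Tue", "22:00")."""
    hours, minutes = map(int, hhmm.split(":"))
    return DAYS.index(day) * DAY + hours * 60 + minutes

@dataclass(frozen=True)
class LagSite:
    name: str      # hypothetical site name
    opens: int     # minute of the week the replication window opens
    length: int    # window length in minutes

    def minutes_until_tombstone(self, deleted_at):
        """Minutes after a deletion until this site replicates it in."""
        since_open = (deleted_at - self.opens) % WEEK
        # Assumption: inside the window the 15-minute replication
        # interval is treated as immediate.
        return 0 if since_open < self.length else WEEK - since_open

def surviving_sites(sites, deleted_at, detected_after):
    """Lag sites still holding the live object when the deletion is noticed."""
    return [s.name for s in sites
            if s.minutes_until_tombstone(deleted_at) > detected_after]

def restore_path(sites, deleted_at, detected_after):
    """Restore procedure as described in the thread for this timing."""
    alive = surviving_sites(sites, deleted_at, detected_after)
    if alive:
        return "auth restore on a DC in " + alive[0]
    return "non-auth restore from backup, then auth restore"

def guaranteed_window(sites):
    """Worst case, over every minute of the week, of the time left
    before the last lag site has replicated the deletion."""
    return min(max(s.minutes_until_tombstone(t) for s in sites)
               for t in range(WEEK))

# Windows quoted in the thread: four hours each, half a week apart.
SITE1 = LagSite("LagSite1", at("Tue", "22:00"), 4 * 60)
SITE2 = LagSite("LagSite2", at("Sat", "10:00"), 4 * 60)

if __name__ == "__main__":
    print("one lag site :", guaranteed_window([SITE1]), "minutes")
    print("two lag sites:", guaranteed_window([SITE1, SITE2]), "minutes")
    print(restore_path([SITE1, SITE2], at("Mon", "09:00"), 2 * DAY))
```

With a single lag site the worst case is zero minutes (a deletion made while the window is open); with the two windows above the worst case is a deletion in the last minute of one window, which leaves about 80 hours before the other site's window opens.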

