Oooh! I didn't know that w2k3 sp1 has this ability natively. I am used to using
the Groupadd.exe command-line utility.

Thanks for your input Ulf :)

Yann

________________________________

From: [EMAIL PROTECTED] on behalf of Ulf B. Simon-Weidner
Date: Wed. 26/10/2005 23:13
To: [email protected]
Subject: RE: [ActiveDir] AD Lag Site -> solves the groups memberships issue ?



Hello Tiroa,
 
I believe the lag site will help you here, since you are increasing version
numbers on existing objects. The issue with the authoritative restore was that
you were restoring groups and their members didn't yet exist (or users and
their managers didn't yet exist, ...). So the lag site restore shouldn't have
any issues with that.
 
Another thing to mention: With Windows Server 2003 SP1 you don't have those 
issues as you had before, ntdsutil produces the ldif-files to clean up the 
linked attributes after the authoritative restore.
 
Ulf


________________________________

        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
        Sent: Wednesday, October 26, 2005 10:15 PM
        To: [email protected]
        Subject: RE : [ActiveDir] AD Lag Site -> solves the groups memberships issue ?
        
        
        Hi,
         
        A question comes to me....
         
        Can the lag site strategy solve the issue concerning the auth restore
        of the group memberships information for the deleted users and computers
        accounts from AD?
         
        Or do we still need to follow the directives as stated in the "How to
        restore deleted user accounts and their group memberships in Active Directory"
        (see http://support.microsoft.com/default.aspx?scid=kb;en-us;840001 ) in order to
        repopulate the group memberships information (member and memberof attributes)?
         
        Yann

________________________________

        From: [EMAIL PROTECTED] on behalf of Ulf B. Simon-Weidner
        Date: Wed. 26/10/2005 21:35
        To: [email protected]
        Subject: RE: [ActiveDir] AD Lag Site
        
        

        Keep in mind that Lag-Sites are not intended for the "I did something wrong
        some weeks ago" errors, they are only for "Oops - I just deleted something".
        And to make sure that you are able to "undelete" every object no matter when
        you made the mistake (e.g. one minute before replication to the lag-site)
        the idea of two or more lag-sites with different schedules comes in. Like the
        examples I provided with two sitelinks replicating once a week but half a
        week apart make sure that you have at least a 3.5 old version of the object
        in one of the lag sites.
        
        Ulf
        
        |-----Original Message-----
        |From: [EMAIL PROTECTED]
        |[mailto:[EMAIL PROTECTED] On Behalf Of
        |Almeida Pinto, Jorge de
        |Sent: Wednesday, October 26, 2005 8:08 PM
        |To: [email protected]; [email protected]
        |Subject: RE: [ActiveDir] AD Lag Site
        |
        |yes... IF the detection of the deletion is BEFORE the
        |replication window to the lag site. Otherwise the tombstone
        |will replicate to the lag site also. It is just an extra
        |opportunity for you to make a deletion undone without doing a
        |non-auth restore!
        |
        |As the object and its metadata still exist on the replica of
        |the DC, there is no need to do a non-auth restore. Therefore
        |you need to do only an auth restore so the version becomes
        |higher than the deleted object and the deletion is undone.
        |Of course you will still need to do a non-auth restore
        |followed by an auth restore if the detection of the deletion is
        |after the replication window to the lag site
        |
        |Jorge
        |
        |________________________________
        |
        |From: [EMAIL PROTECTED] on behalf of TIROA YANN
        |Sent: Wed 10/26/2005 4:12 PM
        |To: [email protected]
        |Subject: RE: [ActiveDir] AD Lag Site
        |
        |
        |......if I understand correctly what Activedir gurus explained
        |to me earlier,
        |-> Without a lag site, you must do a non-auth restore followed
        |by an auth restore.
        |-> With a lag site, you only need to do an auth restore.
        |
        |Am I right? :)
        |
        |Yann
        |
        |________________________________
        |
        |From: [EMAIL PROTECTED]
        |[mailto:[EMAIL PROTECTED] On behalf of CHIANESE, DAVID
        |Sent: Wednesday 26 October 2005 15:59
        |To: [email protected]
        |Subject: RE: [ActiveDir] AD Lag Site
        |
        |
        |More so for deletion of objects so you wouldn't have to do an
        |authoritative restore from a backup.
        |
        |
        |David Chianese
        |
        |
        |________________________________
        |
        |From: [EMAIL PROTECTED]
        |[mailto:[EMAIL PROTECTED] On Behalf Of Etts, Russell
        |Sent: Wednesday, October 26, 2005 9:23 AM
        |To: [email protected]
        |Subject: RE: [ActiveDir] AD Lag Site
        |
        |
        |I'm sorry if I sound ignorant, but what is the purpose of a
        |"lag site"?  Is it a site that you don't replicate for a
        |specific period of time so that if there is a disaster, you can
        |get the data from the lag site??
        |
        |Thanks
        |
        |Russ
        |
        |________________________________
        |
        |From: [EMAIL PROTECTED]
        |[mailto:[EMAIL PROTECTED] On Behalf Of Ulf
        |B. Simon-Weidner
        |Sent: Tuesday, October 25, 2005 5:00 PM
        |To: [email protected]
        |Subject: RE: [ActiveDir] AD Lag Site
        |
        |
        |I did those too, and some other things to consider were:
        |* Putting them inside a virtual machine with faked Subnetting
        |in AD: Take a class C Network and split it in AD Sites and
        |Services, not TCP/IP, then you can spare the router
        |* Assign the site membership for the host via GPO if it is in
        |one of the virtual subnets of the virtual lag-dcs (depending
        |on the subnetting possibilities you have)
        |* Configure a firewall between the sites to make sure the
        |machines only talk to the ones they are supposed to (if available)
        |* Use scripting to shut down virtual networks if available in
        |the times they are not supposed to replicate
        |* Make sure that you configure replication so that it runs a
        |couple times during the allowed timeframe
        |* Configure terminal services access on the lag DCs
        |* Configure boot.ini to be able to boot into DSRM by changing
        |the default without querying for the boot.ini parameter when necessary.
        |
        |For the replication I usually configured replication every 15
        |minutes (the Lag-Sites were on the same LAN), Site 1
        |replicates Tuesday 10pm to Wednesday 2am, Site 2 replicates
        |Saturday 10am to 2pm (each 4 hrs, exactly 1/2 Week apart).
        |
        |Ulf
        |
        |
        |________________________________
        |
        |       From: [EMAIL PROTECTED]
        |[mailto:[EMAIL PROTECTED] On Behalf Of
        |Almeida Pinto, Jorge de
        |       Sent: Tuesday, October 25, 2005 3:57 PM
        |       To: [email protected]
        |       Subject: RE: [ActiveDir] AD Lag Site
        |      
        |      
        |       Hi,
        |       Guido and Gil wrote a great ebook about recovery
        |whereas information about lagsites is included
        |       Take a look at:
        |http://www.netpro.com/events/adrecovery/index.cfm (registration needed)
        |       
        |       For starters some tips:
        |       * Place at least one DC for each domain in the lag site
        |       * Allow the DCs in the lag site to register only the
        |replication record (CNAME) in the DNS zone _MSDCS.FORESTROOT
        |       * Don't assign WINS server IP addresses for the DCs in
        |the lag sites
        |       * Make sure the site link between the lag site and the
        |hub site has a higher cost than all other site links that
        |connect the hub site and other sites (reason: Exchange AD
        |topology discovery for the out-of-site list of DCs/GCs)
        |       * You might want to use lag sites (e.g. 2) that
        |replicate in steps (1st site replicates like each 3 days and
        |the other each week) whereas the second lag site is connected
        |to the first and the first is connected to the second and the hub site
        |       
        |       This might be expensive though and you also might have
        |a look at object recovery tools available by third party vendors
        |       
        |       Cheers,
        |       Jorge
        |
        |________________________________
        |
        |       From: [EMAIL PROTECTED]
        |[mailto:[EMAIL PROTECTED] On Behalf Of Shawn Hayes
        |       Sent: Tuesday, October 25, 2005 15:31
        |       To: [email protected]
        |       Subject: [ActiveDir] AD Lag Site
        |      
        |      
        |       Anyone have any pointers (documentation or real life
        |experience) on setting up an AD Lag Site?
        |       
        |       Thanks in advance,
        |       
        |       Shawn
        |       
        |List info   : http://www.activedir.org/List.aspx
        |List FAQ    : http://www.activedir.org/ListFAQ.aspx
        |List archive:
        |http://www.mail-archive.com/activedir%40mail.activedir.org/
        |
        
        
        

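Added example, not part of any message in the thread: a Python sketch of the two-lag-site schedule described above (Site 1 replicating Tuesday 10pm to Wednesday 2am, Site 2 Saturday 10am to 2pm, every 15 minutes), computing for a given deletion time which lag site still holds the live object and for how long. It assumes polls fall on 15-minute marks from each window's start and that a tombstone reaches a lag site at the first poll at or after the deletion; all function names are hypothetical.

```python
from datetime import datetime, timedelta

WEEK = timedelta(days=7)
POLL = timedelta(minutes=15)   # replication interval from the thread

# Weekly windows from the thread: (weekday with Mon=0, start hour, hours open)
LAG_SITES = {
    "Site 1": (1, 22, 4),   # Tuesday 10pm to Wednesday 2am
    "Site 2": (5, 10, 4),   # Saturday 10am to 2pm
}

def next_poll(window, t):
    """First replication poll at or after t (assumed on 15-minute marks)."""
    weekday, hour, length = window
    monday = datetime(t.year, t.month, t.day) - timedelta(days=t.weekday())
    for week in (-1, 0, 1):
        start = monday + week * WEEK + timedelta(days=weekday, hours=hour)
        end = start + timedelta(hours=length)
        if t <= start:
            return start
        if t < end:
            poll = start + -(-(t - start) // POLL) * POLL  # round up to a poll
            if poll < end:
                return poll
    raise ValueError("no window found")

def recovery_window(deleted_at):
    """(site, hours): lag site that holds the live object longest, and how long."""
    arrival = {s: next_poll(w, deleted_at) for s, w in LAG_SITES.items()}
    site = max(arrival, key=arrival.get)
    return site, (arrival[site] - deleted_at).total_seconds() / 3600

def worst_case(step=timedelta(minutes=1)):
    """Scan one week of deletion times for the shortest recovery window."""
    t = monday = datetime(2005, 10, 24)   # constructed sample week (a Monday)
    best = None
    while t < monday + WEEK:
        site, hours = recovery_window(t)
        if best is None or hours < best[0]:
            best = (hours, t, site)
        t += step
    return best

if __name__ == "__main__":
    print(recovery_window(datetime(2005, 10, 26, 15, 0)))
    print(worst_case())
```

Under these assumptions the shortest window found is 80.25 hours, for a deletion that replicates on Site 1's last poll (Wednesday 01:45), because each 4-hour window eats into the half-week gap.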