Good question...
 
The same problem still applies... although a difference exists in which Forest 
Functional Level you are at and it also depends if you are using W2K3SP1 or not
 
Why?
 
Assuming that in both occasions the lag site DCs are also GC
 
OCCASION 1: Forest Functional Level = Windows 2000
When an object that is a member of one or more groups gets deleted, the version 
number of the member attribute is not changed (only the object deletion 
increases the USN on each DC, not the removal of the membership).
So in the "other sites" you have a tombstone and groups (the object was a 
member of) where the object is not a member anymore.
In the lag site you have DCs with the object still alive, and when you auth. 
restore it, the object gets a higher version (and the USN on that DC is also 
increased). The groups still contain the object in their member attribute with 
the same version number (but the USN is not increased for this). So when you 
force replication the object will replicate into the other sites, and as the 
group version (or member attribute in fact) still has the same version you will 
have inconsistent membership across DCs. To resolve this you also need to auth. 
restore the groups the object was a member of (so the version is increased and 
the USN on the DCs). For this you can look at the "member of" attribute and see 
the memberships of the object in its own domain (global, universal and domain 
local) and universal groups in other domains. You will however not be able to 
see its memberships in domain local groups in domains other than the object's 
own. For those groups (in its own domain) you can remove the object and 
re-add it. For the other domains you can query the group where the user is a 
member and do the same (remove and re-add) (using the lag site DCs of the 
other domains). This way the object is re-introduced including its memberships.
 
If the DCs are W2K3 SP1 you will have additional functionality provided by 
NTDSUTIL. During the auth. restore of the objects it spits out some LDIF files 
by looking at the "member of" attribute of the object (and other back-links 
like directReports and managedObjects). These LDIF files contain information to 
remove the object from the groups in its own domain and all universal groups 
and after that re-add them again. After auth. restoring the object you need to 
import each LDIF file at its corresponding domain (for its own domain for all 
group types and for other domains only for the universal groups).
That still does not solve the problem for domain local groups in domains other 
than the object's own. For that NTDSUTIL spits out another file that contains 
the restored objects. For each domain other than the restored object's you use 
NTDSUTIL at a corresponding DC and tell NTDSUTIL to create an LDIF file from 
that file containing the restored objects. After doing that you can import that 
file into the corresponding domain.
 
OCCASION 2: Forest Functional Level = Windows 2003 or Interim
As you may know, FFL W2K3 introduces LVR. When a group is created or a NEW 
member is added to a group after enabling LVR (increasing FFL to W2K3 or 
interim), it also keeps versions on the member attribute, and when a member is 
removed from a group it also tombstones the membership in the member attribute 
of the group. In that case you will only need to restore the object, whereupon 
its memberships in groups in its own domain will be revived again and get a 
higher version (and USN increase on the DC), which makes them replicate to other 
DCs in the same domain. For the other domains the problem still applies and you 
need to do the same as in occasion 1, depending on whether you have W2K3 SP1 or 
not!
For groups that were created before enabling LVR, these groups still behave 
after enabling LVR as before enabling LVR. The issues apply as in occasion 1. 
To remedy this for recovery purposes, and thus enable LVR fully for all the 
members in those groups, you could remove all members and re-add them again.
Concerning this see: 
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/1465d773-b763-45ec-b971-c23cdc27400e.mspx
and search for "Effect of Raising the Forest Functional Level on Existing 
Linked, Multivalued Attributes".
 
I hope I have explained it correctly as this is a difficult one (at least to 
explain it correctly).
 
For more info on NTDSUTIL in SP1 (for restoring objects) see:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/690730c7-83ce-4475-b9b4-46f76c9c7c90.mspx
(and sub levels!)
http://support.microsoft.com/?id=840001
 
Cheers,
Jorge
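The remove-and-re-add step described above, written out as LDIF change records. This is an added example, not Jorge's code and not the LDIF that NTDSUTIL on W2K3 SP1 produces; every DN, group name and domain in it is constructed. Records are grouped by the domain that holds each group, because (as the message says) each file has to be imported at a DC of that domain, for example with ldifde -i -f. The input is the restored object's memberOf list, which per the message shows its own-domain groups and universal groups elsewhere but not domain local groups in other domains; those have to be enumerated from that domain's own DC and passed in separately.

```python
"""Generate LDIF change records that remove and re-add a restored object's
group memberships, one file per domain, following the remove/re-add step
described above. Constructed example: every DN and name below is invented."""
import base64


def split_rdns(dn):
    """Split a DN on unescaped commas ('CN=Doe\\, Jane,OU=..' keeps the escaped one)."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return rdns


def domain_of(dn):
    """Domain part of a DN, e.g. 'DC=corp,DC=example,DC=com'."""
    return ",".join(r for r in split_rdns(dn) if r.upper().startswith("DC="))


def ldif_line(attr, value):
    """RFC 2849: values that are not SAFE-STRINGs (non-ASCII, leading space,
    ':' or '<', embedded CR/LF) must be base64 encoded behind a double colon."""
    safe = (value.isascii() and value != "" and value[0] not in " :<"
            and "\r" not in value and "\n" not in value)
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def modify_record(group_dn, op, object_dn):
    """One 'changetype: modify' record deleting or adding a single member value."""
    return "\n".join([
        ldif_line("dn", group_dn),
        "changetype: modify",
        f"{op}: member",
        ldif_line("member", object_dn),
        "-",
    ]) + "\n"


def build_ldif(object_dn, group_dns):
    """Return {group_domain: ldif_text}. Each group gets a delete record
    followed by an add record, so the member value gets a fresh version and
    replicates out of the lag site. Records are grouped by the domain that
    holds the group, because each file must be imported at a DC of that domain."""
    per_domain = {}
    for group_dn in group_dns:
        per_domain.setdefault(domain_of(group_dn), []).append(group_dn)
    files = {}
    for domain, groups in per_domain.items():
        records = []
        for group_dn in groups:
            records.append(modify_record(group_dn, "delete", object_dn))
            records.append(modify_record(group_dn, "add", object_dn))
        files[domain] = "\n".join(records)  # a blank line separates LDIF records
    return files


# Constructed input: a restored user and the groups read from its memberOf.
RESTORED_USER = "CN=Jane Doe,OU=Users,DC=corp,DC=example,DC=com"
MEMBER_OF = [
    "CN=Sales,OU=Groups,DC=corp,DC=example,DC=com",                    # global, own domain
    "CN=All Staff,OU=Groups,DC=corp,DC=example,DC=com",                # universal, own domain
    "CN=Report Readers,OU=Groups,DC=child,DC=corp,DC=example,DC=com",  # universal, other domain
]

if __name__ == "__main__":
    for domain, text in build_ldif(RESTORED_USER, MEMBER_OF).items():
        fqdn = domain.replace("DC=", "").replace(",", ".")
        print(f"# import at a DC of {fqdn} with: ldifde -i -f members_{fqdn}.ldf")
        print(text)
```

The delete record always precedes the add record for the same group, which is what gives the membership a new version; importing only the add record against a group that still lists the object would fail with an "already exists" style error rather than bump the version.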
 

________________________________

From: [EMAIL PROTECTED] on behalf of TIROA YANN
Sent: Wed 10/26/2005 10:14 PM
To: [email protected]
Subject: RE : [ActiveDir] AD Lag Site -> solves the groups memberships issue ?


Hi,
 
A question comes to me....
 
Can the lag site strategy solve the issue concerning the auth restore of the 
group memberships information for the deleted users and computers accounts from 
AD ?
 
Or do we still need to follow the directives as stated in the "How to restore 
deleted user accounts and their group memberships in Active Directory"  (see 
http://support.microsoft.com/default.aspx?scid=kb;en-us;840001 
<http://support.microsoft.com/default.aspx?scid=kb;en-us;840001> ) in order to 
repopulate the group memberships information (member and memberof attributes).
 
Yann

________________________________

From: [EMAIL PROTECTED] on behalf of Ulf B. Simon-Weidner
Sent: Wed 26/10/2005 21:35
To: [email protected]
Subject: RE: [ActiveDir] AD Lag Site 



Keep in mind that Lag-Sites are not intended for the "I did something wrong
some weeks ago" errors, they are only for "Oops - I just deleted something".
And to make sure that you are able to "undelete" every object no matter when
you made the mistake (e.g. one minute before replication to the lag-site)
the idea of two or more lag-sites with different schedules jumps in. Like the
examples I provided with two sitelinks replicating once a week but half a
week apart, they make sure that you have at least a 3.5-day-old version of the
object in one of the lag sites.

Ulf
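The half-a-week argument above, worked through as an added example (not Ulf's tooling; the schedule is constructed to match the times given later in the thread: Site 1 Tuesday 22:00 to Wednesday 02:00, Site 2 Saturday 10:00 to 14:00, replication every 15 minutes inside a window). For every deletion time in the week it computes two things: how long you have before the tombstone has reached every lag site, and how old the oldest surviving copy is. With one lag site both drop to zero whenever a deletion lands inside the window; with two windows half a week apart both stay at half a week minus the window length (80 hours with 4-hour windows, exactly 84 hours for an instantaneous window), which is what makes the second site worth having.

```python
"""Model of the two-lag-site schedule described above. Added example, not
Ulf's tooling; the windows below are constructed to match the times in the
thread: Site 1 Tue 22:00-Wed 02:00, Site 2 Sat 10:00-14:00."""

WEEK = 168.0  # hours in a week; all times are hours since Monday 00:00


def at(day, hour):
    """Hour offset within the week, day 0 = Monday."""
    return day * 24.0 + hour


# (window start, window length in hours); replication runs repeatedly inside the window
SITE1 = (at(1, 22), 4.0)
SITE2 = (at(5, 10), 4.0)


def in_window(t, window):
    """True while the window is open (end inclusive: a run at the end still carries changes)."""
    start, length = window
    return (t - start) % WEEK <= length


def hours_until_tombstone(t, window):
    """Time after a deletion at t until it replicates into this lag site.
    Inside the window the next run carries it almost immediately."""
    if in_window(t, window):
        return 0.0
    return (window[0] - t) % WEEK


def copy_age(t, window):
    """Age of the copy this lag site holds at time t (last refreshed at the
    end of its previous window; zero while a window is open)."""
    if in_window(t, window):
        return 0.0
    start, length = window
    return (t - (start + length)) % WEEK


def detection_budget(t, windows):
    """Hours you have to notice a deletion at t before every lag site holds the tombstone."""
    return max(hours_until_tombstone(t, w) for w in windows)


def oldest_copy(t, windows):
    """Age of the oldest copy available across the lag sites at time t."""
    return max(copy_age(t, w) for w in windows)


def worst_case(windows, step=0.25):
    """Minimum detection budget and minimum oldest-copy age over a whole week,
    sampled every `step` hours (15 minutes by default, the replication interval)."""
    samples = [i * step for i in range(int(WEEK / step))]
    return (min(detection_budget(t, windows) for t in samples),
            min(oldest_copy(t, windows) for t in samples))


if __name__ == "__main__":
    for label, windows in (("one lag site", [SITE1]), ("two lag sites", [SITE1, SITE2])):
        budget, age = worst_case(windows)
        print(f"{label}: worst-case detection budget {budget / 24:.2f} days, "
              f"oldest copy at least {age / 24:.2f} days")
```

The worst case for two sites is a deletion at the very end of one site's window: that site takes the tombstone at once, and the other site's next window is half a week minus one window length away. Shortening the windows (or adding a third site a third of a week apart) raises that floor.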

|-----Original Message-----
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of
|Almeida Pinto, Jorge de
|Sent: Wednesday, October 26, 2005 8:08 PM
|To: [email protected]; [email protected]
|Subject: RE: [ActiveDir] AD Lag Site
|
|yes... IF the detection of the deletion is BEFORE the
|replication window to the lag site. Otherwise the tombstone
|will replicate to the lag site also. It is just an extra
|opportunity for you to make a deletion undone without doing a
|non-auth restore!
|
|As the object and its metadata still exist on the replica of
|the DC, there is no need to do a non-auth restore. Therefore
|you need to do only an auth restore so the version becomes
|higher than the deleted object's and the deletion is undone.
|Of course you will still need to do a non-auth restore
|followed by an auth restore if the detection of the deletion is
|after the replication window to the lag site.
|
|Jorge
|
|________________________________
|
|From: [EMAIL PROTECTED] on behalf of TIROA YANN
|Sent: Wed 10/26/2005 4:12 PM
|To: [email protected]
|Subject: RE: [ActiveDir] AD Lag Site
|
|
|......if I understand correctly what Activedir gurus explained
|to me earlier,
|-> Without a lag site, you must do a non-auth restore followed
|by an auth restore.
|-> With a lag site, you only need to do an auth restore.
|
|Am I right? :)
|
|Yann
|
|________________________________
|
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of
|CHIANESE, DAVID Sent: Wednesday, October 26, 2005 15:59 To:
|[email protected] Subject: RE: [ActiveDir] AD Lag Site
|
|
|More so for deletion of objects so you wouldn't have to do an
|authoritative restore from a backup.
|
|
|David Chianese
|
|
|________________________________
|
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Etts, Russell
|Sent: Wednesday, October 26, 2005 9:23 AM
|To: [email protected]
|Subject: RE: [ActiveDir] AD Lag Site
|
|
|I'm sorry if I sound ignorant, but what is the purpose of a
|"lag site"?  Is it a site that you don't replicate to for a
|specific period of time, so that if there is a disaster, you can
|get the data from the lag site?
|
|Thanks
|
|Russ
|
|________________________________
|
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Ulf
|B. Simon-Weidner
|Sent: Tuesday, October 25, 2005 5:00 PM
|To: [email protected]
|Subject: RE: [ActiveDir] AD Lag Site
|
|
|I did those too, and some other things to consider were:
|* Putting them inside a virtual machine with faked subnetting
|in AD: take a class C network and split it in AD Sites and
|Services, not TCP/IP, then you can spare the router
|* Assign the site membership for the host via GPO if it is in
|one of the virtual subnets of the virtual lag-DCs (depending
|on the subnetting possibilities you have)
|* Configure a firewall between the sites to make sure the
|machines only talk to the ones they are supposed to (if available)
|* Use scripting to shut down virtual networks, if available, in
|the times they are not supposed to replicate
|* Make sure that you configure replication so that it runs a
|couple of times during the allowed timeframe
|* Configure terminal services access on the lag DCs
|* Configure boot.ini to be able to boot into DSRM by changing
|the default without querying for the boot.ini parameter when necessary.
|
|For the replication I usually configured replication every 15
|minutes (the Lag-Sites were on the same LAN), Site 1
|replicates Tuesday 10pm to Wednesday 2am, Site 2 replicates
|Saturday 10am to 2pm (each 4 hrs, exactly 1/2 Week apart).
|
|Ulf
|
|
|________________________________
|
|       From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of
|Almeida Pinto, Jorge de
|       Sent: Tuesday, October 25, 2005 3:57 PM
|       To: [email protected]
|       Subject: RE: [ActiveDir] AD Lag Site
|      
|      
|       Hi,
|       Guido and Gil wrote a great ebook about recovery
|in which information about lag sites is included.
|       Take a look at:
|http://www.netpro.com/events/adrecovery/index.cfm (registration needed)
|       
|       For starters some tips:
|       * Place at least one DC for each domain in the lag site
|       * Allow the DCs in the lag site to register only the
|replication record (CNAME) in the DNS zone _MSDCS.FORESTROOT
|       * Don't assign WINS server IP addresses for the DCs in
|the lag sites
|       * Make sure the site link between the lag site and the
|hub site has a higher cost than all other site links that
|connect the hub site and other sites (reason: Exchange AD
|topology discovery for the out-of-site list of DCs/GCs)
|       * You might want to use lag sites (e.g. 2) that
|replicate in steps (the 1st site replicates e.g. every 3 days and
|the other every week), where the second lag site is connected
|to the first and the first is connected to the second and the hub site
|       
|       This might be expensive though, and you also might have
|a look at object recovery tools available from third party vendors
|       
|       Cheers,
|       Jorge
|
|________________________________
|
|       From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Shawn Hayes
|       Sent: Tuesday, October 25, 2005 15:31
|       To: [email protected]
|       Subject: [ActiveDir] AD Lag Site
|      
|      
|       Anyone have any pointers (documentation or real life
|experience) on setting up an AD Lag Site?
|       
|       Thanks in advance,
|       
|       Shawn
|       
|
|
|
|
|List info   : http://www.activedir.org/List.aspx
|List FAQ    : http://www.activedir.org/ListFAQ.aspx
|List archive:
|http://www.mail-archive.com/activedir%40mail.activedir.org/
|

