From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
Sent: Wednesday, 26 October 2005 23:48
To: [email protected]
Subject: RE: [ActiveDir] AD Lag Site -> solves the groups memberships issue ?
When an object that is a member of one or more groups gets deleted, the version number of the member attribute is not changed (only the object deletion increases the USN on each DC, not the removal of the membership).
So in the "other sites" you have a tombstone and groups (of which the object was a member) where the object is not a member anymore.
In the lag site you have DCs with the object still alive, and when you auth. restore it, the object gets a higher version (and the USN on that DC is also increased). The groups still contain the object in their member attribute with the same version number (and the USN is not increased for this). So when you force replication, the object will replicate into the other sites, and as the group version (or the member attribute, in fact) still has the same version, you will have inconsistent membership across DCs. To resolve this you also need to auth. restore the groups the object was a member of (so the version is increased, and the USN on the DCs). For this you can look at the "member of" attribute and see the memberships of the object in its own domain (global, universal and domain local) and in universal groups in other domains. You will however not be able to see its memberships in domain local groups in domains other than the object's own. For those groups (in its own domain) you can remove the object and re-add it. For the other domains you can query the group of which the user is a member and do the same (remove and re-add) (using the lag site DCs of the other domains). This way the object is re-introduced including its memberships.
That still does not solve the problem for domain local groups in domains other than the object's own. For that, NTDSUTIL spits out another file that contains the restored objects. For each domain other than the restored object's, you use NTDSUTIL at a corresponding DC and tell NTDSUTIL to create an LDIF file from that file containing the restored objects. After doing that you can import that file into the corresponding domain.
As you may know, FFL W2K3 introduces LVR. When a group is created or a NEW member is added to a group after enabling LVR (raising the FFL to W2K3 or interim), it also keeps versions on the member attribute, and when a member is removed from a group it also tombstones the membership in the member attribute of the group. In that case you will only need to restore the object, whereupon its memberships in groups in its own domain will be revived again and get a higher version (and a USN increase on the DC), which makes them replicate to other DCs in the same domain. For the other domains the problem still applies and you need to do the same as in occasion 1, depending on whether you have W2K3 SP1 or not!
For groups that were created before enabling LVR, these groups still behave after enabling LVR as before enabling LVR. The issues apply as in occasion 1. To remedy this for recovery purposes, and thus enable LVR fully for all the members in those groups, you could remove all members and re-add them again.
Concerning this see: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/1465d773-b763-45ec-b971-c23cdc27400e.mspx and search for "Effect of Raising the Forest Functional Level on Existing Linked, Multivalued Attributes"
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/690730c7-83ce-4475-b9b4-46f76c9c7c90.mspx (and sub levels!)
http://support.microsoft.com/?id=840001
Jorge
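The remove-and-re-add remedy Jorge describes above (bump the member value's version on the lag-site DC so it wins when replication is forced, and rewrite pre-LVR groups so every member value gets its own version), as an added PowerShell example. This is not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module (2012-era cmdlets that did not exist in 2005), that $Dc is the lag-site DC on which the object was just authoritatively restored, and that the caller may modify the groups. The server name, DNs and the repadmin line at the end are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the thread. Assumptions: RSAT ActiveDirectory
# module present; $Dc is the lag-site DC holding the authoritatively restored
# object; the caller may modify the groups. Names/DNs are placeholders.

function Reset-RestoredMemberships {
    # Jorge's remedy: after the auth. restore, remove and re-add the object to
    # each group in its OWN domain on the SAME DC, so that group's member value
    # gets a higher version/USN and wins when replication is forced outward.
    param(
        [Parameter(Mandatory)] [string] $Identity,   # DN (or GUID) of the restored object
        [Parameter(Mandatory)] [string] $Dc          # e.g. 'LAGDC01.corp.example'
    )
    $obj = Get-ADObject -Identity $Identity -Server $Dc -Properties memberOf
    # Domain part of the DN: everything from the first ',DC=' onward.
    $ownDomain = ($obj.DistinguishedName -split ',(?=DC=)', 2)[1]
    $done = @()
    foreach ($groupDn in $obj.memberOf) {
        if (-not $groupDn.EndsWith($ownDomain, [StringComparison]::OrdinalIgnoreCase)) {
            # Universal groups of other domains do appear in memberOf, but must be
            # rewritten on a DC of THAT domain (Jorge: its lag-site DC). Domain
            # local groups of other domains are not visible here at all.
            Write-Warning "Skipping $groupDn - remove/re-add it on a DC of its own domain"
            continue
        }
        Remove-ADGroupMember -Identity $groupDn -Members $obj.DistinguishedName -Server $Dc -Confirm:$false
        Add-ADGroupMember    -Identity $groupDn -Members $obj.DistinguishedName -Server $Dc
        $done += $groupDn
    }
    return $done
}

function Convert-GroupToLinkValueReplication {
    # For groups created before the FFL was raised: their existing member values
    # stay legacy until rewritten. Remove all members and add them back on one
    # DC; each re-added value then carries its own version (LVR).
    # The group is briefly empty, so do this inside a maintenance window.
    param([Parameter(Mandatory)] [string] $GroupDn, [Parameter(Mandatory)] [string] $Dc)
    $members = @((Get-ADGroup -Identity $GroupDn -Server $Dc -Properties member).member)
    if ($members.Count -gt 0) {
        Remove-ADGroupMember -Identity $GroupDn -Members $members -Server $Dc -Confirm:$false
        Add-ADGroupMember    -Identity $GroupDn -Members $members -Server $Dc
    }
    return $members.Count
}

function Show-MemberMetadata {
    # Check the bump before forcing replication: per-value metadata of the
    # group's member attribute as seen on $Dc (version, originating change time).
    param([Parameter(Mandatory)] [string] $GroupDn, [Parameter(Mandatory)] [string] $Dc)
    Get-ADReplicationAttributeMetadata -Object $GroupDn -Server $Dc -ShowAllLinkedValues |
        Where-Object AttributeName -eq 'member' |
        Select-Object AttributeValue, Version, LastOriginatingChangeTime, LastOriginatingDeleteTime
}

# Usage (placeholders):
$lagDc  = 'LAGDC01.corp.example'
$user   = 'CN=Jane Doe,OU=Staff,DC=corp,DC=example'
$groups = Reset-RestoredMemberships -Identity $user -Dc $lagDc
foreach ($g in $groups) { Show-MemberMetadata -GroupDn $g -Dc $lagDc | Format-Table -AutoSize }
# Then push the lag-site DC's changes out, e.g.:  repadmin /syncall $lagDc /APed
```

Two caveats a practitioner should keep in mind: on a group whose member values are still legacy (pre-LVR), the whole member attribute replicates as one value, so the remove/re-add above overwrites any membership change made to that group elsewhere since the lag site last replicated; and the object's primary group is not stored as a member value, so nothing needs (or can) be bumped for it.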
From: [EMAIL PROTECTED] on behalf of TIROA YANN
Sent: Wed 10/26/2005 10:14 PM
To: [email protected]
Subject: RE : [ActiveDir] AD Lag Site -> solves the groups memberships issue ?
From: [EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Date: Wed 26/10/2005 21:35
To: [email protected]
Subject: RE: [ActiveDir] AD Lag Site
Keep in mind that Lag-Sites are not intended for the "I did something wrong some weeks ago" errors, they are only for "Uups - I just deleted something".
And to make sure that you are able to "undelete" every object no matter when you made the mistake (e.g. one minute before replication to the lag-site), the idea of two or more lag-sites with different schedules jumps in. Like in the examples I provided: two sitelinks replicating once a week but half a week apart make sure that you have at least a 3.5-day-old version of the object in one of the lag sites.
Ulf
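Ulf's two-lag-site scheme (two site links, each open for four hours once a week, exactly half a week apart, replicating every 15 minutes; his concrete windows are given later in the thread) together with Jorge's tip that the lag link must cost more than every other link into the hub, as an added PowerShell example. This is not code from the thread; it assumes the RSAT ActiveDirectory module, placeholder site names 'Hub', 'Lag-A' and 'Lag-B', the IP transport, and an account that can write to CN=Sites in the configuration partition. The schedule is written as the raw 7x24x4 availability grid, whose hours are UTC (the GUI shows them in local time).

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the thread. Assumptions: RSAT ActiveDirectory
# module; site names 'Hub', 'Lag-A', 'Lag-B' and the cost are placeholders;
# run as an account that can write CN=Sites. Schedule hours are UTC.

function New-LagSchedule {
    # Build an ActiveDirectorySchedule that is open only inside the given
    # windows. Window = @{ Day = [DayOfWeek]; From = start hour; To = end hour (exclusive) }
    param([Parameter(Mandatory)] [hashtable[]] $Windows)
    $raw = New-Object 'bool[,,]' 7, 24, 4          # [day, hour, 15-min slot], all closed
    foreach ($w in $Windows) {
        for ($h = $w.From; $h -lt $w.To; $h++) {
            for ($q = 0; $q -lt 4; $q++) { $raw[[int]$w.Day, $h, $q] = $true }
        }
    }
    $schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
    $schedule.RawSchedule = $raw
    return $schedule
}

function New-LagSiteLink {
    param(
        [Parameter(Mandatory)] [string]      $Name,
        [Parameter(Mandatory)] [string[]]    $Sites,
        [Parameter(Mandatory)] [hashtable[]] $Windows,
        [int] $Cost = 500          # must exceed every other link that touches the hub
    )
    # Every 15 minutes inside the window, as Ulf configured ("a couple of times
    # during the allowed timeframe"), never outside it.
    New-ADReplicationSiteLink -Name $Name -SitesIncluded $Sites -InterSiteTransportProtocol IP `
        -Cost $Cost -ReplicationFrequencyInMinutes 15 `
        -ReplicationSchedule (New-LagSchedule -Windows $Windows)
}

function Test-LagLinkCost {
    # Jorge's check: the lag link must be the most expensive link into the hub,
    # so Exchange's out-of-site DC/GC discovery never prefers the stale DCs.
    param([Parameter(Mandatory)] [string] $LagLink, [Parameter(Mandatory)] [string] $HubSite)
    $hubDn = (Get-ADReplicationSite -Identity $HubSite).DistinguishedName
    $links = Get-ADReplicationSiteLink -Filter * -Properties Cost, SitesIncluded |
             Where-Object { $_.SitesIncluded -contains $hubDn }
    $lag    = $links | Where-Object Name -eq $LagLink
    $others = $links | Where-Object Name -ne $LagLink
    return (@($others | Where-Object { $_.Cost -ge $lag.Cost }).Count -eq 0)
}

# Ulf's windows: Lag-A Tue 22:00 to Wed 02:00 (spans midnight, so two windows),
# Lag-B Sat 10:00 to 14:00; each 4 hours, exactly half a week apart.
New-ADReplicationSite -Name 'Lag-A'
New-ADReplicationSite -Name 'Lag-B'
New-LagSiteLink -Name 'Hub-LagA' -Sites 'Hub','Lag-A' -Windows @(
    @{ Day = [DayOfWeek]::Tuesday;   From = 22; To = 24 },
    @{ Day = [DayOfWeek]::Wednesday; From = 0;  To = 2  })
New-LagSiteLink -Name 'Hub-LagB' -Sites 'Hub','Lag-B' -Windows @(
    @{ Day = [DayOfWeek]::Saturday;  From = 10; To = 14 })
foreach ($l in 'Hub-LagA', 'Hub-LagB') {
    if (-not (Test-LagLinkCost -LagLink $l -HubSite 'Hub')) { Write-Warning "$l is not the costliest hub link" }
}
```

The schedule only limits when the bridgehead replicates; it does not stop the lag DCs from being used by clients, which is what Ulf's firewall and Jorge's DNS tip (register only the CNAME replication record, via the Netlogon DnsAvoidRegisterRecords setting) are for. If "Bridge all site links" is left on, check that no cheaper transitive path through another site reaches the lag site, otherwise the cost check above is not sufficient.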
|-----Original Message-----
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
|Sent: Wednesday, October 26, 2005 8:08 PM
|To: [email protected]; [email protected]
|Subject: RE: [ActiveDir] AD Lag Site
|
|yes... IF the detection of the deletion is BEFORE the replication window to the lag site. Otherwise the tombstone will replicate to the lag site also. It is just an extra opportunity for you to make a deletion undone without doing a non-auth restore!
|
|As the object and its metadata still exist on the replica of the DC, there is no need to do a non-auth restore. Therefore you need to do only an auth restore so the version becomes higher than that of the deleted object and the deletion is undone.
|Of course you will still need to do a non-auth restore followed by an auth restore if the detection of the deletion is after the replication window to the lag site.
|
|Jorge
|
|________________________________
|
|From: [EMAIL PROTECTED] on behalf of TIROA YANN
|Sent: Wed 10/26/2005 4:12 PM
|To: [email protected]
|Subject: RE: [ActiveDir] AD Lag Site
|
|
|......if I understand correctly what the ActiveDir gurus explained to me earlier,
|-> Without a lag site, you must do a non-auth restore followed by an auth restore.
|-> With a lag site, you only need to do an auth restore.
|
|Am I right? :)
|
|Yann
|
|________________________________
|
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of CHIANESE, DAVID
|Sent: Wednesday 26 October 2005 15:59
|To: [email protected]
|Subject: RE: [ActiveDir] AD Lag Site
|
|
|More so for deletion of objects, so you wouldn't have to do an authoritative restore from a backup.
|
|
|David Chianese
|
|
|________________________________
|
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Etts, Russell
|Sent: Wednesday, October 26, 2005 9:23 AM
|To: [email protected]
|Subject: RE: [ActiveDir] AD Lag Site
|
|
|I'm sorry if I sound ignorant, but what is the purpose of a "lag site"? Is it a site that you don't replicate to for a specific period of time, so if there is a disaster you can get the data from the lag site??
|
|Thanks
|
|Russ
|
|________________________________
|
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ulf B. Simon-Weidner
|Sent: Tuesday, October 25, 2005 5:00 PM
|To: [email protected]
|Subject: RE: [ActiveDir] AD Lag Site
|
|
|I did those too, and some other things to consider were:
|* Putting them inside a virtual machine with faked subnetting in AD: take a class C network and split it in AD Sites and Services, not in TCP/IP, then you can spare the router
|* Assign the site membership for the host via GPO if it is in one of the virtual subnets of the virtual lag-DCs (depending on the subnetting possibilities you have)
|* Configure a firewall between the sites to make sure the machines only talk to the ones they are supposed to (if available)
|* Use scripting to shut down virtual networks, if available, in the times they are not supposed to replicate
|* Make sure that you configure replication so that it runs a couple of times during the allowed timeframe
|* Configure terminal services access on the lag DCs
|* Configure boot.ini to be able to boot into DSRM by changing the default, without querying for the boot.ini parameter when necessary.
|
|For the replication I usually configured replication every 15 minutes (the Lag-Sites were on the same LAN), Site 1 replicates Tuesday 10pm to Wednesday 2am, Site 2 replicates Saturday 10am to 2pm (each 4 hrs, exactly 1/2 week apart).
|
|Ulf
|
|
|________________________________
|
|
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
| Sent: Tuesday, October 25, 2005 3:57 PM
| To: [email protected]
| Subject: RE: [ActiveDir] AD Lag Site
|
|
| Hi,
| Guido and Gil wrote a great ebook about recovery, in which information about lag sites is included
| Take a look at: http://www.netpro.com/events/adrecovery/index.cfm (registration needed)
|
| For starters some tips:
| * Place at least one DC for each domain in the lag site
| * Allow the DCs in the lag site to register only the replication record (CNAME) in the DNS zone _MSDCS.FORESTROOT
| * Don't assign WINS server IP addresses for the DCs in the lag sites
| * Make sure the site link between the lag site and the hub site has a higher cost than all other site links that connect the hub site and other sites (reason: Exchange AD topology discovery for the out-of-site list of DCs/GCs)
| * You might want to use lag sites (e.g. 2) that replicate in steps (the 1st site replicates e.g. every 3 days and the other every week), whereas the second lag site is connected to the first, and the first is connected to the second and the hub site
|
| This might be expensive though, and you also might have a look at object recovery tools available from third-party vendors
|
| Cheers,
| Jorge
|
|________________________________
|
|
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Shawn Hayes
| Sent: Tuesday, October 25, 2005 15:31
| To: [email protected]
| Subject: [ActiveDir] AD Lag Site
|
|
| Anyone have any pointers (documentation or real life experience) on setting up an AD Lag Site?
|
|
| Thanks in advance,
|
| Shawn
|
|
|List info : http://www.activedir.org/List.aspx
|List FAQ : http://www.activedir.org/ListFAQ.aspx
|List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
|
