Hey Susan - many things work in SBS land, which would certainly hurt in other environments :-)

Just to clarify for non-SBS and/or non-single-DC environments: NEVER use a drive image to back up and restore your DCs => this will cause USN rollbacks and will certainly have a negative impact on the replication of changes between your DCs. Win2k3 SP1 has added special safety mechanisms that ensure replication does not happen with a DC when USN rollbacks are detected (SP1 doesn't fix a USN rollback, it just ensures that a DC which has been rolled back, e.g. by using drive images for backup/restore, won't cause issues in AD).

This is also explained in greater detail in the whitepaper I've referenced below (section "SP1 Improvement: Better protection for false restores of DCs as Virtual Servers").

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, 14 January 2006 17:42
To: [email protected]
Subject: Re: [ActiveDir] Single DC -- Authoritative or non-authoritative restore?

Heck we even drive image single DCs around here and put them back and they work with no tombstone issues.

Grillenmeier, Guido wrote:
> not at all an idiot question - the most important piece you mention is
> that it's a _/single/_ DC environment. This means it doesn't have any
> other DCs that it replicates with or that it needs to update with
> "authoritatively restored" objects.
>
> So in this case, you never need to do an auth. restore - even if you
> were to recover deleted objects (which I realize you are not).
>
> And even if you had multiple DCs - if you're "just" recovering a
> failed DC and do not need to recover deleted objects, you'd typically
> not want an auth. restore either: the restored DC would catch up with
> the changes of the environment (that happened since the last backup)
> from another DC it's replicating with.
>
> for more details, see this whitepaper, which Gil and I
> wrote: https://my.netpro.com/secure/addisasterrecovery.cfm?tid=10 (or
> http://www.netpro.com/forum/files/Active_Directory_Disaster_Recovery-Part-I.pdf for
> the first part of it).
>
> /Guido
>
> ------------------------------------------------------------------------
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] *On Behalf Of *RM
> *Sent:* Saturday, 14 January 2006 09:29
> *To:* [email protected]
> *Subject:* [ActiveDir] Single DC -- Authoritative or non-authoritative
> restore?
>
> Hi all,
>
> AD disaster recovery is one of my weak areas.
>
> This weekend, I'll possibly be faced with restoring a non-booting DC.
> Unless I can get it to boot, I'll need to restore from tape (Veritas
> 9.0). My question is whether or not I'll need to run NTDSUTIL after
> restoring the system state. This is a small single DC environment, so
> the usual situation of having the restored AD objects overwritten by
> the Borg Collective does not apply. :-)
>
> Also, I'm assuming that after running through a reinstall of Windows
> 2000, the system will no longer be a DC until the system state data has
> been restored?
>
> Thanks for allowing me this idiot question...
>
> RM
>

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
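
The USN rollback discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of why putting back a drive image of a DC that has replication partners silently drops later changes, while a supported system-state restore does not. The class, function and change names are constructed for illustration, and the rollback check is a simplification of the SP1 safety mechanism mentioned above, not its actual implementation.

```python
import uuid

class DC:
    """Constructed, simplified model of a domain controller's replication state."""
    def __init__(self):
        self.invocation_id = uuid.uuid4().hex  # identifies this database instance
        self.usn = 0                           # local update sequence number
        self.changes = {}                      # usn -> (originating invocation ID, change)
        self.vector = {}                       # invocation ID -> highest USN already received
        self.quarantined = False

    def write(self, change):
        self.usn += 1
        self.changes[self.usn] = (self.invocation_id, change)

    def snapshot(self):
        return self.invocation_id, self.usn, dict(self.changes)

    def image_restore(self, snap):
        # Drive image put back: old USN counter, SAME invocation ID.
        self.invocation_id, self.usn, self.changes = snap[0], snap[1], dict(snap[2])

    def supported_restore(self, snap):
        # System-state restore: old data, but a NEW invocation ID.
        self.image_restore(snap)
        self.invocation_id = uuid.uuid4().hex

def pull(dest, source, detect_rollback):
    """dest pulls from source; returns the changes dest actually receives."""
    if source.quarantined:
        return []
    if detect_rollback and source.usn < dest.vector.get(source.invocation_id, 0):
        source.quarantined = True              # simplified SP1-style safety: stop replicating
        return []
    received = []
    for usn, (inv, change) in sorted(source.changes.items()):
        if usn > dest.vector.get(inv, 0):
            received.append(change)
            dest.vector[inv] = usn
    return received

def scenario(restore, detect_rollback):
    dc1, dc2 = DC(), DC()
    for i in range(3):
        dc1.write(f"old-{i}")                  # USNs 1..3
    snap = dc1.snapshot()                      # backup taken here
    dc1.write("old-3"); dc1.write("old-4")     # USNs 4..5, written after the backup
    pull(dc2, dc1, detect_rollback)            # dc2 has now seen dc1 up to USN 5
    getattr(dc1, restore)(snap)                # dc1 goes back to USN 3
    dc1.write("new-user")                      # reuses USN 4
    return pull(dc2, dc1, detect_rollback), dc1.quarantined
```

`scenario("image_restore", False)` shows the partner receiving nothing and raising no error, because it believes it already holds USN 4 from that invocation ID; with `detect_rollback=True` the rolled-back DC is quarantined instead, and with `"supported_restore"` the new change replicates normally.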
