BTW, if you have snapshot based backup you _can_ backup and just restore
only the AD data (dit, log, and chk), and it will work w/o USN rollback
correctly.  We used to run quick tests like that all the time, but ONLY
validated that the DS / AD didn't break.  That doesn't make it supported.  
BTW, it is in fact _not supported_.

There are an unknown # of components (AD itself, SAM, LSA, Kerberos, NTLM,
AuthZ, etc ... just about anything DS or security related) that may have a
dependency on some random part of AD and some random part of Registry data
staying in sync ... we don't know what breaks when you restore one w/o the
other ... this is why it is unsupported ... and almost completely untested
... but why let that dissuade you, you're a pioneer right. ;)

The most obvious case of this would be if you restored a DIT from one
domain to the DIT folder for a DC in another domain, replacing its DIT.
Would that work? Almost guaranteed there would be security issues.
That's of course the extreme case, and one easy to avoid; we don't know
the in-between cases.

Cheers,
-BrettSh [msft]


On Fri, 18 Aug 2006, Yann wrote:

> Hello Jorge,
>    
>   Thanks for clarification.
>   I will check next week if I have no issues with USN rollback :( .
>    
>   Yann
> 
> "Almeida Pinto, Jorge de" <[EMAIL PROTECTED]> wrote:
>       when a DC is restored from the system state (amongst others):
>   * the restored RID pool is thrown away (invalidated) and a new RID pool is 
> requested at the RID master
>   * the invocation ID of the AD DB is changed (which prevents USN rollbacks)
>    
>   so in your case it works because the backup is not that old. The AD DB is 
> tightly coupled with the registry and there is a reason for that! The reason 
> as why you MUST restore the system state as MS says. The way you are doing 
> that is, how shall I say it gently....NOT SUPPORTED! ;-)
>   And I guess you will be hitting on USN Rollback. See my blog and search for 
> BACKUP and you will find an article with some more info
>    
>   jorge
> 
>       
> ---------------------------------
>   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
> Sent: Tuesday, August 08, 2006 22:47
> To: [email protected]
> Subject: [ActiveDir] backup and restore AD.
> 
> 
>   
>   Hello,
>    
>   I had a question about AD backup & restore.
>   It is possible to backup AD in 2 ways:
>   1) backup only the system state.
>   2) backup system state & file system containing the AD working directory 
> (ntds.dit, edb.chk, Edb*.log,Res1.log and Res2.log).
>    
>   MS states that you have to restore your AD by restoring the system state.
>   But what about just restoring the AD working directory without system 
> state? I tested it and that works fine. 
>   So my question is:
>   => In what circumstances do I have to choose a restore from system state or 
> a restore from AD working directory?
>    
>   Thanks for clarification,
>    
>   Yann
>    
>     

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
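
Why the invocation ID change mentioned in the thread prevents USN rollback, as an added toy model (not part of the original thread and not Microsoft code): a replication partner keeps a high-water mark per invocation ID, so a database that goes back to an older USN under the same ID issues new writes the partner never asks for. The `DC`, `Partner` and `scenario` names and the USN values are constructed for illustration, and inbound replication to the restored DC is not modelled.

```python
import uuid

class DC:
    def __init__(self):
        self.invocation_id = uuid.uuid4().hex  # identifies this instance of the DB
        self.usn = 0                           # highest committed local USN
        self.changes = {}                      # (invocation_id, usn) -> change

    def write(self, change):
        self.usn += 1
        self.changes[(self.invocation_id, self.usn)] = change

    def snapshot(self):
        return self.invocation_id, self.usn, dict(self.changes)

    def restore_without_id_reset(self, snap):
        # Older database put back as-is: USN and invocation ID both revert.
        self.invocation_id, self.usn, changes = snap
        self.changes = dict(changes)

    def restore_with_id_reset(self, snap):
        # Same data, but the database is stamped with a new invocation ID.
        self.restore_without_id_reset(snap)
        self.invocation_id = uuid.uuid4().hex

class Partner:
    def __init__(self):
        self.utd = {}        # invocation_id -> highest USN already received
        self.received = []

    def pull(self, dc):
        for (inv, usn), change in sorted(dc.changes.items(), key=lambda kv: kv[0][1]):
            if usn > self.utd.get(inv, 0):   # only changes above the watermark
                self.received.append(change)
                self.utd[inv] = usn

def scenario(restore):
    dc, partner = DC(), Partner()
    for i in range(5):
        dc.write(f"pre-backup-{i}")       # USN 1..5
    snap = dc.snapshot()
    for i in range(3):
        dc.write(f"post-backup-{i}")      # USN 6..8
    partner.pull(dc)                      # partner watermark for this DC: 8
    getattr(dc, restore)(snap)            # DC is back at USN 5
    for name in ("new-user-a", "new-user-b", "new-user-c"):
        dc.write(name)                    # reuses USN 6..8
    seen = len(partner.received)
    partner.pull(dc)
    return partner.received[seen:]        # what the partner learned after the restore
```

Calling `scenario("restore_without_id_reset")` shows the partner silently missing the three new objects, while `scenario("restore_with_id_reset")` shows it receiving them because it holds no watermark for the new ID.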
