I found http://support.microsoft.com/kb/875495 on the subject of USN rollbacks
and it does look like imaging a DC will cause more work than it solves. I'll
probably retain the method for non-DCs.
I'll have to set up a second CA and propagate the certificates to all
requesting tomcat servers to give some failover. Unfortunately, tomcat isn't
MS domain aware so they'll have to be explicitly told to look to another DC in
the event the current fails. Sadly this process is far less automatic than I'd
hoped.
Another possibility would be something like DoubleTake to make the entire box
redundant. It's just pricier than I'd hoped.
One confusing thing about USN rollback is there appears to be little
distinction between restoring an old image to a DC vs simply unplugging the
ethernet cable for a while. In both cases the DC has out of date USNs &
vectors, it would seem.
Thanks for your help and suggestions with this!