So much process to get the right stuff in place, but for vetting crazy restore
policies?  Not so much process…   Sigh.
Regards,







ASB  
http://XeeMe.com/AndrewBaker

Providing Expert Technology Consulting Services for the SMB market…


GPG:860D 40A1 4DA5 3AE1 B052 8F9F 07A1 F9D6 A549 8842













On Thu, Nov 17, 2016 4:55 PM, Webster [email protected] wrote:
Yep, they are in a "highly secure" industry with federal oversight. When I
proposed adding a 2008 R2 or 2012 R2 DC, it was quickly shot down by a list of
acronyms I had never heard of before. They said they have to get security
baselines for any server that is involved with authentication and it took so
long to get for Server 2008 SP2 that they have no interest in going thru it
again. They were overjoyed when I told them 2008 SP2 was on extended support
for almost another 3 years.



I doubt I could get permission to write this up as an article because without
screenshots, event log entries and dcdiag reports, it would be very difficult to
explain and show what all happened. I guess I could just publish a series of
black boxes connected by "a", "and", "the", "but", and "or" and call it a day.
<redacted> story about <redacted> when <redacted> happened and <redacted>
solved it.



Thanks





Webster



From:  [email protected] [mailto:[email protected]] On Behalf Of Andrew S. Baker
Sent:  Thursday, November 17, 2016 3:32 PM
To:  [email protected]
Subject:  Re: [NTSysADM] Update on the broken DFSR issue



Too bad you can't write a book about this one.



Regards,



ASB
http://XeeMe.com/AndrewBaker

Providing Expert Technology Consulting Services for the SMB market…



 GPG:860D 40A1 4DA5 3AE1 B052 8F9F 07A1 F9D6 A549 8842





On Thu, Nov 17, 2016 2:16 PM, Webster [email protected]  wrote:

Boss man got on our GTM and explained the history of the issue. About a year ago
they moved from FRS to DFSR for SYSVOL. Sometime after that, an admin who no
longer works there restored the main DC from a snapshot pre DFSR migration and
pre adprep for 2008 R2. So you had the main DC that now thought it was on schema
44 and the other thought it was on schema 47. One thought it was using DFSR and
one thought it was using FRS. That admin attempted to trick the DCs thru a
series of regedits and ADSIEdits. He then went and restored a copy of the SYSVOL
tree to a file share and then copied and pasted that to both DCs.



They have been operating in this screwed up, unreliable, non-steady state for
over a year now. Three months ago (I was originally told two) the new admin
comes in to all this fiasco and also tries to reverse the travesty thru a bunch
of regedits and adsiedits. Why no one thought or bothered to get Microsoft
support involved over a year ago is beyond me. I talked the boss into us getting
Microsoft support involved. My co-worker who got me involved in this call is now
getting an AD backup and will open a call with MS. When he finishes up with MS
support, I will let you know "the rest of the story".



Thanks





Webster
