RE: [ActiveDir] AD DR - replication lag site----Why?

2005-05-23 Thread Myrick, Todd (NIH/CC/DNA)
Using the powers of the MVP, I now officially pronounce this thread as
complete :)

Todd

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/22/2005 7:05 PM
Subject: RE: [ActiveDir] AD DR - replication lag siteWhy?

1.

 I assume almost everyone has an insurance policy for their house if it
burns down.

In the US, you can't get a mortgage unless you get insurance. Ditto cars,
loans require full coverage and local law enforcement requires some minimal
level of insurance, you have no choice in the matter. A lot of people buy
insurance not because they want it or would get it themselves, but because
some requirement forces them to. Buying insurance is like enforced gambling,
you are forced to pay to gamble that your house will burn down or you will
crash your car. Insurance companies who set the prices and hence the profit
are gambling you won't have an issue and have weighted the payoff
accordingly. If you ever take advantage of that insurance, you are pretty
much guaranteed to see an increase in your rates at some future point for
taking advantage. Of course you are also quite likely to get an increase
when Dean's house gets whacked by a hurricane as well.

Insurance on cars and houses is not an optimal example. Maybe one that is
closer would be the optional insurance you can get for car malfunctions or
electronics or even MS Software... AKA service contracts. Mr. Jones you
should protect this TV because it could possibly fail in the next year and
you don't want that expense Mr. Jones, you should protect this MS
environment because you may have something fail in the next year and you
don't want that expense. Of course, the first thing people start to wonder

RE: [ActiveDir] AD DR - replication lag site----Why?

2005-05-23 Thread Grillenmeier, Guido
oh, gee, I'm too late - but I had a great weekend ;-))

I'd have to say (and all the posts show themselves) that there is no single
right or wrong answer to lag sites.  It's one building block to mastering AD
DR and may very well apply more for larger companies than for smaller ones
(it's tougher to restore a multi-gig DB than it is to restore a few hundred
megs, prior to performing an auth. restore).  I've been using and implementing
them successfully but am not recommending them for everyone.  And we're also
using them at HP and have been quite happy with them (you do recover stuff
easily, which you would otherwise simply not bother to recover...)  And I also
like how other 3rd party tools handle recovery - but those are also not
applicable for all customers.

Great thread - it's a good overview about the vast range of different opinions
on such a fairly exotic topic.

Cheers,
Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Montag, 23. Mai 2005 13:38
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD DR - replication lag siteWhy?

haha, ok so you MVPs also have these special powers.  

Very good thread and thanks to all.   This is a subject I didn't know
much about until this thread came along.  Thanks to Todd, Joe, Jorge
and everyone else that contributed.



RE: [ActiveDir] AD DR - replication lag site----Why?

2005-05-23 Thread deji
Guido,
 
You had to go have a great weekend AND then have to post after the thread
has been declared complete. 2 infractions! Your Dining Services MVP status
is now officially suspended - by the special power invested in Todd :)
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



RE: [ActiveDir] AD DR - replication lag site----Why?

2005-05-22 Thread Jorge de Almeida Pinto
Hi,

In my opinion the following recovery situations exist when it comes to AD:
(1) Accidental object deletions
(2) Your forest/domain drops dead
(3) A DC drops dead

(1) Accidental object deletions
I agree with Joe that people should only have those permissions needed to do
their work and this should be configured accordingly. I also agree that not
too many people should have domain/enterprise admin permissions. However in
the real world this is not always possible because of a lot of reasons
(history, politics, etc.). Organizations are not 100% perfect, that's a fact
also. Looking at the future and preparing for the worst, solutions are
implemented to mitigate those risks. Costs are made in advance to save time
and money in the future. It's somehow like an insurance policy. When
something goes wrong I have something to fall back on. I assume almost
everyone has an insurance policy for their house if it burns down. How many
times will you use that insurance policy in your lifetime? Never if you're
lucky... once if you're in bad luck... twice if you're in really bad luck!
In the case of accidental object deletions customers need/want a solution!
What is that solution? Is it a lag site, is it a tool like Quest Recovery
Manager, is it a tool like Guido's tool, is it something else I/we still
don't know about? It all depends on the functionality needed by the customer
and the cost to implement and maintain the tool/solution.

In my opinion a LAG is one of those solutions for accidental object
deletions, as always and only when implemented correctly.

Joe (and others), you don't recommend setting up lag sites as there could be
a better answer. What is that better answer in your opinion? What would you
do if a customer said to you: I want to have ADMIN rights and I want to be
able to delete objects in my forest/domain and I want you to provide a
solution for me if I delete the wrong objects (The answer: take away admin
rights is not an option ;-)) ) What is your solution for accidental object
deletions? That is what I'm interested in.

In the end there is a big difference between being right and getting it!

(2) Your forest drops dead
I don't think LAG sites are a solution when your forest drops dead,
especially in a large environment. What's the primary goal to achieve when
your forest drops dead (and what's the second?)? (please give me answers..)
When the forest drops dead, nobody can do anything anymore.
In my opinion the first goal to achieve is to get everything up and running
as fast as possible and provide for the max. of functionality as possible to
the end users. In my opinion the second goal is to repair the health of the
forest and if it is really screwed rebuild it. So for this you need a
procedure that accommodates those situations.
I always hear everyone talk about a forest recovery as in rebuilding the
forest from scratch. Rebuilding a forest because it dropped dead should be
(again in my opinion) the last step ever taken because this means you're
going back in time and therefore you will lose info. I believe that there
exists more between a healthy forest and a forest that needs to be rebuilt.
Do you guys agree?

As for the virtualized environment that can be rolled back to any point in
time I think that can be part of a solution to start rebuilding a forest.
However I do think you have to be careful with this because of USN
rollback, tombstone lifetime and replication and maybe some other stuff as
the DCs are (I think) not recovered using the native MS way. At DEC I heard
Dean and Joe and some other guys talk about this method. Unfortunately I did
not hear the complete story behind this and to be honest I have not put any
time to it to think about it and how it may work as a quick start for a
forest rebuild.

(3) A DC drops dead
We all know this one.
Restore the DC from a backup or do a metadata cleanup and rebuild the DC
from scratch

Cheers,
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/22/2005 1:15 AM
Subject: RE: [ActiveDir] AD DR - replication lag siteWhy?

Reread it Deji, I really am not agreeing with it. I noted that it might be
something that could be used for whole forest corruption but I would way
prefer a virtualized environment that can be rolled back to any point in
time over a site lagging behind the main AD in *hopes* that it didn't get
poisoned.

To make it more obvious I guess, I don't recommend lag sites. However, I
don't recommend people tear them down if they have them. Mostly I don't
recommend setting them up in the first place unless they are fully aware of
why they are doing it and why they think there is no better answer.
Technology doesn't often successfully make up for bad policy.

What I recommend is that they batten down the hatches even if they think
they can't because it has always been this way or because some Exec who
needs to be taught better thinks L1 Help Desk should be able to delete
things

RE: [ActiveDir] AD DR - replication lag site----Why?

2005-05-22 Thread Dan Holme
I think Jorge summarized the issue quite well, and pointed out some important 
considerations.  I hope MS is paying attention to this thread b/c there are 
some customer needs here that would be (I think) easy to address in future 
releases.

1) I do know that there are some VERY large companies who are using or are just 
about to start using lag sites.  They seem to them to be enough of a viable 
option that they're becoming more popular.  Hopefully MS *will* come through 
with guidance so that lag sites can be a supported option for recovery from 
accidental object deletion.

2) Virtualization rollback is a very sketchy option b/c of USN rollback as 
you mentioned.

3) ADRestore from SYSINTERNALS (or following the billion-step LDP.exe process 
in the MSKB) is fine for recovery of deleted objects.  Yes, the properties are 
gone.  Most of my clients do NOT use AD as the 'authoritative' company DB 
anyway -- they populate AD from an HR DB -- so that is not the end of the world.

4) Of course the worst deletion is a group object.  W2K3's new auth restore 
LDIF file is super cool.  Another client has a script that runs every night 
logging group memberships (for auditing and reporting) that will also be used 
for recovery of group objects using ADRestore, now.

5) <rant> PLEASE, MS, MAKE IT POSSIBLE TO DELEGATE MOVING OBJECTS WITHOUT
REQUIRING DELETE PERMISSION.  In my experience, the need to move users and
groups is the top driver for the need to delegate DELETE.  Most of my clients
have pretty slick 'provisioning' for retiring then deleting users & groups, but
they need to MOVE objects every day.  It really sucks that this task can't be
separated from DELETE. Until then, it's pretty darned tough to fully delegate
away the risk of object deletion.  </rant>

Dan
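Dan's point 4 describes a nightly group-membership log that doubles as recovery data. The PowerShell below is an added example of that idea, not Dan's client's script nor anything posted in the thread: it snapshots every group's member DNs to CSV and re-adds them once the group object has been brought back, because a reanimated group (ADRestore, LDP.exe) returns without its membership. It assumes the ActiveDirectory module on a domain-joined machine; the snapshot path and the CSV layout are this example's own choices.

```powershell
# Added example (not from the thread): nightly snapshot of group memberships,
# reused to rebuild a group's 'member' attribute after the group object itself
# has been reanimated. Requires the ActiveDirectory PowerShell module.
Import-Module ActiveDirectory

$SnapshotRoot = 'C:\ADSnapshots\Groups'        # assumed location
$Stamp        = Get-Date -Format 'yyyy-MM-dd'
$SnapshotFile = Join-Path $SnapshotRoot "groups-$Stamp.csv"
New-Item -ItemType Directory -Path $SnapshotRoot -Force | Out-Null

# One row per (group, member) pair. 'member' holds DNs, which is exactly what
# Add-ADGroupMember needs later; the GUID is kept for auditing/reporting.
$Rows = foreach ($g in Get-ADGroup -Filter * -Properties member, objectGUID) {
    foreach ($dn in $g.member) {
        [pscustomobject]@{
            GroupDN    = $g.DistinguishedName
            GroupGUID  = $g.objectGUID
            SamAccount = $g.SamAccountName
            MemberDN   = $dn
        }
    }
}
$Rows | Export-Csv -Path $SnapshotFile -NoTypeInformation -Encoding UTF8

# Recovery helper: run after the deleted group has been reanimated or
# authoritatively restored, to put its recorded members back.
function Restore-GroupMembersFromSnapshot {
    param(
        [Parameter(Mandatory)][string]$GroupSamAccountName,
        # Default to the newest snapshot on disk.
        [string]$Snapshot = (Get-ChildItem $SnapshotRoot -Filter 'groups-*.csv' |
                             Sort-Object Name -Descending | Select-Object -First 1).FullName
    )
    $members = Import-Csv $Snapshot | Where-Object SamAccount -eq $GroupSamAccountName
    if (-not $members) { throw "No snapshot rows for $GroupSamAccountName in $Snapshot" }
    foreach ($m in $members) {
        # A member that was itself deleted cannot be re-added; report it and
        # carry on so one missing DN does not abort the whole restore.
        try {
            Add-ADGroupMember -Identity $GroupSamAccountName -Members $m.MemberDN -ErrorAction Stop
        } catch {
            Write-Warning "Could not re-add $($m.MemberDN): $($_.Exception.Message)"
        }
    }
}
```

Schedule the top part nightly; the warnings from `Restore-GroupMembersFromSnapshot` are the list of members that need their own recovery first.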



RE: [ActiveDir] AD DR - replication lag site----Why?

2005-05-22 Thread joe
1. I expect so. I also know of very large companies who have looked at and
rejected the idea. It comes down to the admins at the company and what
guidance they have received. I don't think there is anything saying the
mechanism isn't supported. In fact we have had at least one person on the
list say that MS PSS blessed their specific implementation in a
supportability review. I am sure there are others who have gone through
similar actions.

2. If this is done to bring back specific DCs in a forest instead of an
entire forest, I agree. In that case it isn't a viable option. I would smack
anyone thinking about doing it.

3. Admod works well for this as well. Note that what gets saved in the
tombstone process can to a great extent be controlled. Unless you are adding
and deleting objects like crazy, I highly recommend looking into x08.

4. Yes, this is easily covered though by setting up an AD/AM or even flat
files with the info. 

5. I would have to say I agree with this one in terms of allowing delegation
of move without delegating create/delete. However it is possible to work
around it as well now too. Don't let people move objects, proxy it through
some tool. Basic web sites to do this stuff aren't terribly difficult to put
together. It is difficult to put together a completely generic cover any
situation web site or tool but I don't know many companies that need that
tool. Vendors build tools like that so they are usable for many companies
and hence make more money. 

The benefits of doing this through proxy are the same for doing anything
through proxy. Business rules and logging. Things get done properly and you
know who did it and when. Of course AD Auditing is an answer but who here
doesn't think AD Auditing is rather fat and not optimal for doing its stated
purpose?

  joe



 

RE: [ActiveDir] AD DR - replication lag site----Why?

2005-05-22 Thread Jorge de Almeida Pinto
(1)
In the Netherlands when you own a car and you drive with it, by law you at
least must have a basic insurance that covers liability. This simply means
that when you cause damage with your car the other party gets paid to repair
their damage. You, however, have to pay for your own damage.
This is for those cases when most people cannot afford such high costs. This
also applies to situations in IT. You'll always have to answer: how much can
you afford when this or that occurs?

What I'm trying to say here is: you implement a certain solution to
accommodate those situations (in solving) when errors have been made by
persons. People simply make mistakes and I agree it is better to prevent
errors against repairing them. But again it is not always possible, because
it costs too much money, or they simply don't care or they are not aware of
the damage that can come from it, etc. How many times have you heard "it
will not happen to me, only to others"?
There are also a lot of people that only understand (or get interested in)
what you are trying to say/explain when they are in deep sh*t. But then...
it's too late and much more expensive solutions/activities must be used if
sometimes a solution exists for the occasion. 
It is always the choice between: trying to save money now and spend a crap
load later each time it happens or spend a little bit of money now and
spend less money later. I believe in spending money now to save later
(long-term thought). A lot of managers only think about spending as little
money as possible. Eventual problems in the future are not problems at the
moment (short-term thought).

(2)
> When I say rollback, there is nothing left of the forest to get a USN
> rollback and no worries of TLS.

I understand that an old state of the virtual environment is only used when
ALL other DCs are down, gone, bye bye, etc. (or at least isolated and some
of the activities mentioned in the MS DR WP are done like resetting all
kinds of accounts/trusts)
When I think about it now, you are right, I made a mistake, sorry for that.
Yes, when giving life to virtual DCs that belong to the same old state of
the virtual environment all those virtual DCs know about the state of the
other DCs in the virtual environment.
I do believe this solution provides a very fast recovery of the first DCs in
the forest to be rebuilt.
With this solution and using the native way (restoring a backup) when the
tombstone lifetime has passed (the virtual environment state of the backups
used) you will experience event 2042 on all DCs (Event ID 2042: It has been
too long since this machine replicated).

After bringing the initial environment up you need to execute the steps as
mentioned in the MS DR white paper.
You especially need to think if everything really is down or the corrupt
forest is still up to provide functionalities for the users while restoring
a new forest in parallel.
And yes, there are a lot of decisions to be made and each IS different for
each company.

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/22/2005 7:05 PM
Subject: RE: [ActiveDir] AD DR - replication lag siteWhy?

1.

> I assume almost everyone has an insurance policy for their house if it
> burns down.

In the US, you can't get a mortgage unless you get insurance. Ditto cars,
loans require full coverage and local law enforcement requires some minimal
level of insurance, you have no choice in the matter. A lot of people buy
insurance not because they want it or would get it themselves, but because
some requirement forces them to. Buying insurance is like enforced gambling,
you are forced to pay to gamble that your house will burn down or you will
crash your car. Insurance companies who set the prices and hence the profit
are gambling you won't have an issue and have weighted the payoff
accordingly. If you ever take advantage of that insurance, you are pretty
much guaranteed to see an increase in your rates at some future point for
taking advantage. Of course you are also quite likely to get an increase
when Dean's house gets whacked by a hurricane as well.

Insurance on cars and houses is not an optimal example. Maybe one that is
closer would be the optional insurance you can get for car malfunctions or
electronics or even MS Software... AKA service contracts. Mr. Jones you
should protect this TV because it could possibly fail in the next year and
you don't want that expense Mr. Jones, you should protect this MS
environment because you may have something fail in the next year and you
don't want that expense. Of course, the first thing people start to
wonder at that point when hearing those pitches is why are there warranties
at all... Again, it is gambling, only, unlike the insurance stuff mentioned
above, you have a realistic choice with several options.

> What is that better answer in your opinion?

The better answer is to understand why this needs to be done and explain
how
you can get

RE: [ActiveDir] AD DR - replication lag site----Why?

2005-05-21 Thread deji
Joe, you pretty much agreed with the lag site proposition towards the end of
your piece. Whether you virtualize it, put it in a different physical
location or just put it on a piece of hardware sitting in the same server
room and configured with a different replication schedule, it all comes down
to the same necessity of having a pristine DC that has not received your
deletion and from which you can repopulate your F'ed up AD.
 
I know that you think deletion should not happen, but I have seen a few, so
they do happen in reality. We've been over the discussion of the politics
behind rights and permissions in many organizations and how they are what
they are because we can't control them. So, bad things happen. If you are
rolling in surplus money, you get a tool. If you are cash-strapped or like to
roll your own, you get a qtine (lag) site.
 
I do not think one is better than the other.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 5/20/2005 10:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag siteWhy?



I would tend to agree with what David is saying from what I have seen of lag
sites as well.

Not many people, relatively, doing it, those that are are likely to be doing
it in a rough shod way.

I am not a huge fan of lag sites. I think they are ok, but for instance
didn't think they deserved 3 or 4 different speakers talking about it at the
DEC in DC a couple of years ago.

I am far more interested in taking away the rights from people to do the
stupid deletions in the first place like was mentioned previously.
Seriously, I have done 0, count them, 0 restores of objects in production
and have been involved in some rather seriously sized implementations, 5
years of lead AD tech for a Fortune 5 directory. The lax decision of
accidental deletions happen is not a mentality I am likely to subscribe to. If
someone deleted something, my feeling is, they knew what they were doing and
they were adequately aware of what they did.

First off, don't delete right off. Disable, rename, and move.

Second off, don't do admin through the GUI, too easy to click on an OU when
deleting than a single user.

Third off, don't let people have the power to delete things. Let them
request deletes of automated systems that are designed to follow good rules
so appear to be smarter than the admins.

There were mentions of supportability, etc. I would not be surprised to hear
MS say this is supported. Honestly, it isn't that whacky from a technical
standpoint. However, if someone has gone the supportability review process I
*HIGHLY* recommend they keep any and all docs with the names of the MS
people involved locked up and saved. I have had it occur more than once over
the years where I was told something was supported and fine and then several
years later have them looking at me saying they would never have approved
this or that. Some of the times I didn't have docs and was screwed as MS I
have found is fond of saying we don't have any documentation of that being
said or being done, other times I had docs and then I see PSS trying to
find reasons why they missed the issue or something else in the doc not
being followed that they try to imply makes the whole thing moot.
Unfortunately PSS will declare a lot of things as unsupportable even if they
have no good answer themselves, for instance, scripted GPO deployment
pre-GPMC. There were several years there that people were forced to come up
with their own mechanisms for scripted GPO deployment before GPMC was
released because the normal GUI just wouldn't cut it, they are all
unsupported by MS. Unfortunately companies won't tend to find out until they
contact MS about it or PSS stumbles upon it.

Back to lag sites, you, of course, have the possibilities of directory
corruption, etc where you lose the entire directory in one fell swoop. A lag
site could be used here but an auth restore is probably not going to be what
you need to save you, you need to rebuild everything. Personally over a lag
site I would use a site with a bunch of virtual DCs that you are taking down
together and backing up the disk images of and then if you need to roll
back, you pick the day or 4,6,8,12 hour period and roll back to it once
everything else has been taken offline and you build the rest of your
environment back out from this seed environment. This gives you the
additional benefit of having an environment you can take into a segregated
lab and test stuff any time you need to. It just needs to be done right or
you will have Brett snickering at you.

As I mentioned in an earlier post, if you are afraid of deleted objects, I
would recommend judicious use of searchflags 0x08 and admod with the -undel
option.

RE: [ActiveDir] AD DR - replication lag site----Why?

2005-05-21 Thread David Adner
I read Joe's comments as not creating a lag site per se, but using virtual
DC's which are periodically saved (I'll refrain from saying backed up since
it's not a backup, as was recently discussed) in order to perform a
Forest-wide recovery.  I don't think he was referring to recovery of a few
deleted objects.

> Joe, you pretty much agreed with the lag site proposition
> towards the end of your piece. Whether you virtualize it, put
> it in a different physical location or just put it on a piece
> of hardware sitting in the same server room and configured
> with a different replication schedule, it all comes down to
> the same necessity of having a pristine DC that has not
> received your deletion and from which you can repopulate your
> F'ed up AD.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] AD DR - replication lag site----Why?

2005-05-21 Thread Rick Kingslan
It was brought to my attention that I came off a bit strong (and that might
be mild...) in this message to Todd.  I've sent him a personal note of
apology, and I don't believe in tearing someone up in public and then
apologizing in private.

 

Todd - I'm sorry for the way that I worded this message.  We have our own
ways of doing things, and that's what makes life interesting.  And, there
are a 100 ways of doing something, and I'm glad that we have the ability to
discuss these ways here, and debate them.  Sometimes with me, however,
personal bias goes a bit too far.

 

So, please accept my apologies.  I'm sorry for the 'tone' of my message.

Rick Kingslan  MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Windows Security (Affiliate)
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, May 20, 2005 3:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag siteWhy?

 

Todd,

With all due respect, I think there are more people doing this than you
think.  You aren't using a Lag Site, so it's 'whacky'.  Your opinion, so
you're entitled to it.

PSS blessed our implementation, BTW.  If you'd like, I'll be happy to
provide you with contacts for the ROSS tech (out of Los Colinas) that did
our recent AD Health check in advance of our Win2k3/E2k3 upgrade.  He stated
that this was becoming a cheap, scalable solution to providing DR - and a
few large organizations were using them at warm/hot sites because they also
meet criteria for DR as addressed and required for Sarbanes.

And, I don't question the fact that a poor site design can cause problems.
But, humbly, I submit that I know what I'm doing.  Learn from what I do - or
learn not.  That's up to you.  I know that you have a liking for Quest -
which is fine.  I use some of their tools - just not Recovery Manager.
However, in a DR situation when your DCs are being rebuilt from scratch -
Recovery Manager is not a very valuable tool when there are no objects to
'undelete'.

As for Guido - I hope he chimes in as well.  He seems to be one of the few
that you trust - regardless of those that have supported you in the past.
Hopefully then - we can put this behind us.  Me, I'll keep doing what has
been successful for me for two years, thank you.

-rtk

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DNA)
Sent: Friday, May 20, 2005 11:59 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag siteWhy?

 

I disagree that Lag sites are popular, maybe with you and at AD conferences
as a session.  I tend to avoid those sessions.  

 

To all those considering this as a viable solution, why not run it by MSC or
PSS and see what they say.  We get something called a supportability review
before we implement anything too whacky at my organization.

 

There are so many things that can go wrong with an improper site design and
object reanimation that I just say avoid doing it.

 

I am waiting for Guido to chime in on this.

 

Todd

 


From: Dan Holme [mailto:[EMAIL PROTECTED]
Sent: Thu 5/19/2005 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag siteWhy?

Two more notes on this issue: 

1) THIRD PARTY AD RESTORE TOOLS.  Sounds like it's clear, now, WHY lag sites
are so popular.  Yes, there are third party products (particularly Quest
Recovery Manager) that work quite well if you have a budget for that.
Here's my take as to why my IT budget shouldn't be spent on those tools (and
*should* be spent on OTHER tools by some of those same companies).

a) Deleted objects can be avoided with proper delegation.  It's so
important that you properly delegate and properly use accounts with
administrative logon (i.e. with 'secondary logon' only) that this trumps
just about everything.  At most of my clients, NOBODY (from a practical
perspective) can delete users or groups.  We have a process we call
graveyarding, whereby an account is tagged (using a variety of methods) and,
with a SCRIPT, moved to an OU where they stay for 90 days before being
deleted (again, only by the SCRIPT).  The only other accounts that can
delete users and groups are the super-high admins (e.g. Domain Admins
equivalents).  This is only a piece of the picture, but it is an important
piece.

b) Deleted objects can be restored for FREE using ADRESTORE from
Sysinternals.  Granted, this tool brings back only the object (SID, GUID,
DN, CN) but that's all that really matters, right?  The best (FREE)
approaches we take at clients include *regularly* logging group memberships
in a custom database (to compare to last-knowns and watch for issues easily
and free-ly).  So when we restore a group we

RE: [ActiveDir] AD DR - replication lag site----Why?

2005-05-21 Thread Myrick, Todd (NIH/CC/DNA)
Thanks Rick,

I didn't think it too strong. And took no offense.

As most of you know, I am a buy guy.

When I reviewed AD back when, I knew that we were in trouble if we had any accidents with administration. We allow for delegated administration within our AD design, so the only way to protect the directory and have a way to rapidly recover the object was to use a solution like Quest Recovery Manager. We have had quite a number of restores to fix issues. Could manage doing a recovery site to recover an OU deletion, or

Going to Exchange 200x we knew the idea of having a recovery forest was not going to work in our operation... think of the number of production servers you have to patch. So we evaluated solutions that allowed object level restores on mailboxes as well.

When it comes to operations, I want fast and easily reproducible results. That means object restores and mailbox restores should take less than an hour. My old operations would take 8 hours to do a simple mailbox restore. And we have had situations with mis-configured ADC's killing objects in AD. So I am a big fan of technology that allows for rapid restore of information.

I think it is a sin that MS doesn't incorporate this with their AD and Exchange products. You can get into a lot of trouble if you don't have these types of tools if you aren't experienced IMHO.

Todd

-Original Message-
From: Rick Kingslan
To: ActiveDir@mail.activedir.org
Sent: 5/21/2005 12:17 PM
Subject: RE: [ActiveDir] AD DR - replication lag siteWhy?

It was brought to my attention that I came off a bit strong (and that
might be mild...) in this message to Todd. I've sent him a personal note
of apology, and I don't believe in tearing someone up in public and then
apologizing in private.

Todd - I'm sorry for the way that I worded this message. We have our
own ways of doing things, and that's what makes life interesting. And,
there are a 100 ways of doing something, and I'm glad that we have the
ability to discuss these ways here, and debate them. Sometimes with me,
however, personal bias goes a bit too far.

So, please accept my apologies. I'm sorry for the 'tone' of my message.

Rick Kingslan MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Windows Security (Affiliate)
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, May 20, 2005 3:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag siteWhy?

Todd,

With all due respect, I think there are more people doing this than you
think. You aren't using a Lag Site, so it's 'whacky'. Your opinion, so
you're entitled to it.

PSS blessed our implementation, BTW. If you'd like, I'll be happy to
provide you with contacts for the ROSS tech (out of Los Colinas) that
did our recent AD Health check in advance of our Win2k3/E2k3 upgrade.
He stated that this was becoming a cheap, scalable solution to providing
DR - and a few large organizations were using them at warm/hot sites
because they also meet criteria for DR as addressed and required for
Sarbanes.

And, I don't question the fact that a poor site design can cause
problems. But, humbly, I submit that I know what I'm doing. Learn from
what I do - or learn not. That's up to you. I know that you have a
liking for Quest - which is fine. I use some of their tools - just not
Recovery Manager. However, in a DR situation when your DCs are being
rebuilt from scratch - Recovery Manager is not a very valuable tool when
there are no objects to 'undelete'.

As for Guido - I hope he chimes in as well. He seems to be one of the
few that you trust - regardless of those that have supported you in the
past. Hopefully then - we can put this behind us. Me, I'll keep doing
what has been successful for me for two years, thank you.

-rtk

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DNA)
Sent: Friday, May 20, 2005 11:59 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag siteWhy?

I disagree that Lag sites are popular, maybe with you and at AD
conferences as a session. I tend to avoid those sessions.

To all those considering this as a viable solution, why not run it by
MSC or PSS and see what they say. We get something called a
supportability review before we implement anything too whacky at my
organization.

There are so many things that can go wrong with an improper site design
and object reanimation that I just say avoid doing it.

I am waiting for Guido to chime in on this.

Todd

From: Dan Holme [mailto:[EMAIL PROTECTED]
Sent: Thu 5/19/2005 10:16 AM
To: ActiveDir@mail.activedir.org
RE: [ActiveDir] AD DR - replication lag site----Why?

2005-05-21 Thread Myrick, Todd (NIH/CC/DNA)
Instead of Lag Site, we do have a site and domain dedicated to Root
operations.  I think of this as the Quarterback strategy.  Don't let it get
sacked.

We have two DC's dedicated to Root AD functions in their own namespace. The
Enterprise functions are Schema extension, forest Security operations, and
DR.

Since AD's take their namespace from the root of the directory, it is
important to be able to recover this domain.  So our DR process allows us to
do Bare metal restore if necessary.  I do think it could be improved by
doing P to V backups of these servers as an alternative.

Todd 

-Original Message-
From: David Adner
To: ActiveDir@mail.activedir.org
Sent: 5/21/2005 5:08 AM
Subject: RE: [ActiveDir] AD DR - replication lag siteWhy?

I read Joe's comments as not creating a lag site per se, but using virtual
DC's which are periodically saved (I'll refrain from saying backed up since
it's not a backup, as was recently discussed) in order to perform a
Forest-wide recovery.  I don't think he was referring to recovery of a few
deleted objects.

> Joe, you pretty much agreed with the lag site proposition
> towards the end of your piece. Whether you virtualize it, put
> it in a different physical location or just put it on a piece
> of hardware sitting in the same server room and configured
> with a different replication schedule, it all comes down to
> the same necessity of having a pristine DC that has not
> received your deletion and from which you can repopulate your
> F'ed up AD.



RE: [ActiveDir] AD DR - replication lag site----Why?

2005-05-21 Thread joe
Reread it Deji, I really am not agreeing with it. I noted that it might be
something that could be used for whole forest corruption but I would way
prefer a virtualized environment that can be rolled back to any point in
time over a site lagging behind the main AD in *hopes* that it didn't get
poisoned. 

To make it more obvious I guess, I don't recommend lag sites. However, I
don't recommend people tear them down if they have them. Mostly I don't
recommend setting them up in the first place unless they are fully aware of
why they are doing it and why they think there is no better answer.
Technology doesn't often successfully make up for bad policy.

What I recommend is that they batten down the hatches even if they think
they can't because it has always been this way or because some Exec who
needs to be taught better thinks L1 Help Desk should be able to delete
things in an unhindered unconfirmed way, etc. I recommend they use x08 and
admod, I recommend they talk to Guido about a product he has put together to
recover stuff which combines undelete with repopulate. Mostly I recommend
not allowing accident prone folks to have the power to piss in your
wheaties. I have never had a case where I didn't take away permissions for
other people to do things and my life not get easier and the environment get
more stable and secure. I don't know how many times I have heard "but I
can't do my job without those god level rights" and sure enough, without
those god level rights, they can still do their job. The difficulty here is
convincing the right people that this is the right way to go and is often
defeated when the people pushing for the lockdown can't argue the technical
merits or can't come up with answers for questions on how to do the work in
alternate ways. That is tough work, I know, I spent many hours working
through those issues myself. More than once I took work home with me and
cracked open MSDN trying to find a better safer way for a developer to do
something. If I couldn't find an alternate method, I built some sort of
delegation tool to do the work on their behalf or stepped up to the plate
and said I would do that work when they requested it (and then worked like
heck to find a better way). I would much rather sign up for a lot of work
than give out too many permissions even for a short period of time. Not
giving rights is much easier than taking them back later.

Back to lag sites, if someone has a lag site and they like it and find it
useful, I am behind their use of it. Of course my question to them if I was
paid to look at their environment and comment on that aspect of it is "Why
do you feel you need it?" Is this something you find yourself using a lot?
Do you have any thoughts that possibly this is indicative of some other type
of issue that could be prevented versus reacted to?

The Microsoft world has yet to really learn from the mainframe world. Maybe
because it is old, people think it isn't good. The mainframe model is quite
locked down. You don't give a ton of people rights, people have what they
need to do their exact job and even that goes through a ton of
filters/processes/batch, rarely if ever does anyone get core level change
access rights that isn't thrown through rules and logging. Why? Because it
is bad to allow just any old changes. Nearly any change in the mainframe
world is change controlled to within an inch of its life. I think this is
good for MS tech as well. It will get there as we mature, we see it
happening now. Having lots of people that can make changes ad hoc does not
increase flexibility and mobility of a company, if anything, in my opinion,
it makes support more costly for a company by making the environment more
difficult to support and understand.

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Saturday, May 21, 2005 3:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag siteWhy?

Joe, you pretty much agreed with the lag site proposition towards the end of
your piece. Whether you virtualize it, put it in a different physical
location or just put it on a piece of hardware sitting in the same server
room and configured with a different replication schedule, it all comes down
to the same necessity of having a pristine DC that has not received your
deletion and from which you can repopulate your F'ed up AD.
 
I know that you think deletion should not happen, but I have seen a few, so
they do happen in reality. We've been over the discussion of the politics
behind rights and permissions in many organizations and how they are what
they are because we can't control them. So, bad things happen. If you are
rolling in surplus money, you get a tool. If you are cash-strapped or like
to roll your own, you get a qtine (lag) site.
 
I do not think one is better than the other.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services

RE: [ActiveDir] AD DR - replication lag site----Why?

2005-05-21 Thread joe
Correct. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Saturday, May 21, 2005 5:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag siteWhy?

I read Joe's comments as not creating a lag site per-se, but using virtual
DC's which are periodically saved (I'll refrain from saying backed up since
it's not a backup, as was recently discussed) in order to perform a
Forest-wide recovery.  I don't think he was referring to recovery of a few
deleted objects.

> Joe, you pretty much agreed with the lag site proposition towards the
> end of your piece. Whether you virtualize it, put it in a different
> physical location or just put it on a piece of hardware sitting in the
> same server room and configured with a different replication schedule,
> it all comes down to the same necessity of having a pristine DC that
> has not received your deletion and from which you can repopulate your
> F'ed up AD.



RE: [ActiveDir] AD DR - replication lag site----Why?

2005-05-20 Thread Jorge de Almeida Pinto
You are correct, there are free tools to do a restore of objects. There is
one problem though with deleting and reanimating objects. When an object is
deleted almost all info is stripped from it besides some important
attributes (SID, GUID, etc.). If you reanimate the object you'll get a
stripped object and all other info (attributes) is NOT restored because it
is not available anymore. That is where the third-party tools and the LAG
site come in... preserving a copy of the object and all of its info
(attributes).

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Thursday, May 19, 2005 16:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag siteWhy?

Two more notes on this issue:

1) THIRD PARTY AD RESTORE TOOLS.  Sounds like it's clear, now, WHY lag sites
are so popular.  Yes, there are third party products (particularly Quest
Recovery Manager) that work quite well if you have a budget for that.
Here's my take as to why my IT budget shouldn't be spent on those tools (and
*should* be spent on OTHER tools by some of those same companies).
a) Deleted objects can be avoided with proper delegation.  It's so
important that you properly delegate and properly use accounts with
administrative logon (i.e. with 'secondary logon' only) that this trumps
just about everything.  At most of my clients, NOBODY (from a practical
perspective) can delete users or groups.  We have a process we call
graveyarding, whereby an account is tagged (using a variety of methods) and,
with a SCRIPT, moved to an OU where they stay for 90 days before being
deleted (again, only by the SCRIPT).  The only other accounts that can
delete users and groups are the super-high admins (e.g. Domain Admins
equivalents).  This is only a piece of the picture, but it is an important
piece.
b) Deleted objects can be restored for FREE using ADRESTORE from
Sysinternals.  Granted, this tool brings back only the object (SID, GUID,
DN, CN) but that's all that really matters, right?  The best (FREE)
approaches we take at clients include *regularly* logging group memberships
in a custom database (to compare to last-knowns and watch for issues easily
and free-ly).  So when we restore a group we can repopulate membership
quickly, anyway.  So with good processes, it's FREE and easy to restore
objects in most situations.
c) Windows Server 2003 SP1 adds a feature that makes reanimating
Groups MUCH easier when you have deleted groups & users.  No more auth
restore two times necessary. (Haven't seen it?  Do an auth restore on a
group on an SP1 DC and find the LDIF file it creates!!)
d) that leaves only really nasty deletions (e.g. an entire OU),
which, given a & b, will probably never happen.  And when they do, an auth
restore on a lag site takes a very short time.
e) therefore, I save my IT budget and use the $ on tools to aid
provisioning, auditing & monitoring, again to avoid problems in the first
place.

2) PREVENTING AUTHENTICATION ON LAG SITE.  As I mentioned, the method I've
heard of, and that we're testing, is to stop the NetLogon service on the lag
DCs.  There are several ways to avoid it restarting when/if the DC is
rebooted.  The article referenced in the ORIGINAL post suggested modifying
which SRV records are registered.  This should work, I'd guess, and is more
elegant.  The trick is that SRV records are not registered.  The A records
still are, so DCs should be able to find each other and replicate
successfully, but clients won't 'see' the DCs as a viable authentication
option.  I've not tried that approach but it sounded really good.

3) OK, three notes.  LAG SITES can be done with DCs in a site with a long
replication interval, or by changing the replication WINDOW (schedule).
It's a good idea to have TWO lag sites on alternating frequencies, to avoid
a situation where something awful happens just before a lag site happens to
replicate.  Someone detailed this earlier, and it's a good note!

Dan
 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DNA)
Sent: Thursday, May 19, 2005 6:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site----Why?

Is it cheaper and more efficient to go the replication lag site route than
buy a proper backup and object level restore solution?  

I mean not to toot a vendor's horn, but Quest recovery manager turns the
process of restoring objects into a 15 minute click click operation.  I
would hate to think of the number of steps you all must do to reanimate the
object in a directory using the Recovery Site.

From an operations standpoint, there is no substitute for a proper backup
solution and object level restore utility for AD.

Thanks,

Todd Myrick

-Original Message-
From: TIROA YANN [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 19, 2005 4:20 AM
To: ActiveDir
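
The "regularly log group memberships and compare to last-knowns" process from point (b) above, as an added example that is not code from the thread or from any of its participants. It assumes the ActiveDirectory (RSAT) module; the snapshot folder and the OU it scans are placeholders. The last function covers the case (b) describes: a group reanimated from its tombstone comes back with its SID but an empty member list, and is refilled from the most recent snapshot.

```powershell
# Added example, not code from the thread. Takes a scheduled snapshot of group
# memberships, diffs it against the previous one, and repopulates a group that
# was brought back empty by a tombstone reanimation (ADRestore and the like).
# Assumptions: the ActiveDirectory (RSAT) module; $SnapshotDir and $SearchBase
# are placeholders for your own path and OU.
Import-Module ActiveDirectory

$SnapshotDir = 'C:\ADSnapshots'                  # assumption: writable by the scheduled task
$SearchBase  = 'OU=Groups,DC=corp,DC=example'    # assumption: OU whose groups you track

function Save-GroupMembershipSnapshot {
    param([string]$Base = $SearchBase, [string]$Dir = $SnapshotDir)
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    $snapshot = @{}
    # Key on objectGUID (survives renames and moves); keep the SID too, because a
    # reanimated object keeps its SID while a re-created one would not.
    foreach ($g in Get-ADGroup -Filter * -SearchBase $Base -Properties member) {
        $snapshot[$g.ObjectGUID.ToString()] = @{
            Name    = $g.Name
            DN      = $g.DistinguishedName
            SID     = $g.SID.Value
            Members = @($g.member | Sort-Object)   # direct members as DNs, sorted for stable diffs
        }
    }
    $file = Join-Path $Dir ('groups-{0:yyyyMMdd-HHmm}.json' -f (Get-Date))
    $snapshot | ConvertTo-Json -Depth 4 | Set-Content -Path $file -Encoding UTF8
    return $file
}

function Compare-GroupMembershipSnapshot {
    param([string]$OldFile, [string]$NewFile)
    $old = Get-Content $OldFile -Raw | ConvertFrom-Json
    $new = Get-Content $NewFile -Raw | ConvertFrom-Json
    $changes = New-Object System.Collections.Generic.List[object]
    foreach ($p in $old.PSObject.Properties) {
        $before = $p.Value
        $after  = $new.($p.Name)
        if ($null -eq $after) {
            $changes.Add([pscustomobject]@{ Group = $before.Name; Change = 'GroupDeleted'; Member = $null })
            continue
        }
        $was = @($before.Members); $now = @($after.Members)
        foreach ($m in $was) { if ($now -notcontains $m) { $changes.Add([pscustomobject]@{ Group = $before.Name; Change = 'MemberRemoved'; Member = $m }) } }
        foreach ($m in $now) { if ($was -notcontains $m) { $changes.Add([pscustomobject]@{ Group = $before.Name; Change = 'MemberAdded';   Member = $m }) } }
    }
    foreach ($p in $new.PSObject.Properties) {
        if ($null -eq $old.($p.Name)) {
            $changes.Add([pscustomobject]@{ Group = $p.Value.Name; Change = 'GroupCreated'; Member = $null })
        }
    }
    return $changes
}

function Restore-GroupMembershipFromSnapshot {
    param([string]$SnapshotFile, [string]$GroupName)
    $snap  = Get-Content $SnapshotFile -Raw | ConvertFrom-Json
    $entry = $snap.PSObject.Properties.Value | Where-Object { $_.Name -eq $GroupName }
    if (-not $entry) { throw "Group '$GroupName' is not in $SnapshotFile" }
    # A reanimated group comes back with its SID but no member attribute, so
    # look it up by SID (not by name, which the reanimation may have mangled)
    # and re-add the last known members. -ErrorAction Continue keeps going when
    # one member has itself been deleted since the snapshot.
    $live = Get-ADGroup -Identity $entry.SID
    Add-ADGroupMember -Identity $live -Members @($entry.Members) -ErrorAction Continue
    return (Get-ADGroup -Identity $live -Properties member).member.Count
}

# Scheduled-task body: snapshot, then report what changed since the last run.
$latest   = Save-GroupMembershipSnapshot
$previous = Get-ChildItem $SnapshotDir -Filter 'groups-*.json' |
            Sort-Object Name | Select-Object -Last 2 | Select-Object -First 1
if ($previous -and $previous.FullName -ne $latest) {
    Compare-GroupMembershipSnapshot -OldFile $previous.FullName -NewFile $latest | Format-Table -AutoSize
}
```

Run it from a scheduled task under an account that can read the groups; after a reanimation, call Restore-GroupMembershipFromSnapshot with the newest snapshot and the group name. The diff output doubles as the "watch for issues" audit trail point (b) mentions: an unexpected MemberAdded on a privileged group shows up on the next run.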

RE: [ActiveDir] AD DR - replication lag site----Why not?

2005-05-20 Thread Myrick, Todd (NIH/CC/DNA)
Disagree Rick,
 
MS changed the verbiage in the Q article to say they would support it.  I
think it was when Stewart and I got into it a little here that caused them
to rethink the Q article... but I don't want to take the credit.
 
Todd
 
 
 

  _  

From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Thu 5/19/2005 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site----Why not?



Todd - 

I personally don't have a problem with Recovery Manager. 

That being said - Last I checked, Microsoft still didn't allow it as a 
SUPPORTABLE solution for the purpose under discussion. 

With our company being an Enterprise Agreement customer with a PSS agreement

scaled to 'Get Ballmer out of bed - we've got a CritSit case!' response, I 
can't allow anything into the environment that would put us at risk. 

Besides, being an EA customer has the benefit of the solution that I 
proposed being pretty low-cost, given the overall benefits.  And, I don't 
find NTDSUTIL overly difficult or intensive to use. 

But, that's just me. 

-rtk 

-Original Message- 
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]
mailto:[EMAIL PROTECTED] ] On Behalf Of Myrick, Todd 
(NIH/CC/DNA) 
Sent: Thursday, May 19, 2005 8:34 AM 
To: ActiveDir@mail.activedir.org 
Subject: RE: [ActiveDir] AD DR - replication lag site----Why? 

Is it cheaper and more efficient to go the replication lag site route than 
buy a proper backup and object level restore solution?  

I mean not to toot a vendor's horn, but Quest recovery manager turns the 
process of restoring objects into a 15 minute click click operation.  I 
would hate to think of the number of steps you all must do to reanimate the 
object in a directory using the Recovery Site. 

From an operations standpoint, there is no substitute for a proper backup 
solution and object level restore utility for AD. 

Thanks, 

Todd Myrick 

-Original Message- 
From: TIROA YANN [mailto:[EMAIL PROTECTED]
mailto:[EMAIL PROTECTED] ] 
Sent: Thursday, May 19, 2005 4:20 AM 
To: ActiveDir@mail.activedir.org 
Subject: RE: [ActiveDir] AD DR - replication lag site 

Neil, 

I now understand... I'm a new man by now thanks to the mysterious lag site 
that has been revealed to me :-)) 

Thanks a lot for your explanations. 

Regards, 

Yann TIROA 

Centre de Ressources Informatique. 
Campus Scientifique de la DOUA. 
Bât. Gabriel Lippmann - 2 ème étage - salle 238. 
43, Bd du 11 Novembre 1918. 
69622 Villeurbanne Cedex. 



-Original Message- 
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]
mailto:[EMAIL PROTECTED] ] On Behalf Of Ruston, Neil 
Sent: Thursday, May 19, 2005 10:09 
To: 'ActiveDir@mail.activedir.org' 
Subject: RE: [ActiveDir] AD DR - replication lag site 

If the deletion occurs on DC1, then a DC (DC2) in the lag site will not 
receive the deletion immediately. You therefore have a window of opportunity
in which the deletion may be 'undone'. 

The deleted object may be auth restored on DC2 and thus replicated / 
reanimated on DC1 (and any other DC which has received the deletion). 

[My terminology may not be acceptable to some - I have deliberately 
explained this in simplistic terms :)] 

neil 


-Original Message- 
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]
mailto:[EMAIL PROTECTED] ] On Behalf Of TIROA YANN 
Sent: 19 May 2005 08:54 
To: ActiveDir@mail.activedir.org 
Subject: RE: [ActiveDir] AD DR - replication lag site 


Hello, 

I must apologize, but I'm a little bit confused. You said "With a lag site, 
you ONLY have to do an authoritative restore (NTDSUTIL)." 

Do you mean if I delete my OU on a DC in site A, all I have to do is an 
authoritative restore, not in site A, BUT on the DC in the lag site, reboot, and 
force replication to site A? And the non-authoritative restore will in 
fact be the data on the lag site; that explains your previous sentence? Wow! 
That's very clever!! 

Am I right ? 

Regards, 

Yann 



-Original Message- 
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]
mailto:[EMAIL PROTECTED] ] On Behalf Of Dan Holme 
Sent: Thursday, May 19, 2005 08:51 
To: ActiveDir@mail.activedir.org 
Subject: RE: [ActiveDir] AD DR - replication lag site 

The major issue is the SPEED of recovery.  With a lag site, you ONLY have to
do an authoritative restore (NTDSUTIL). 

Without a lag site, you must first restore the AD from backup tape ('normal'
restore), which can take quite some time. Then, and only then, can you do
the auth restore. 

-Original Message- 
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]
mailto:[EMAIL PROTECTED] ] On Behalf Of TIROA YANN 
Sent: Wednesday, May 18, 2005 11:46 PM 
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org 
Subject: RE: [ActiveDir] AD DR - replication lag site 

Hello, 

Thanks for these interesting tips, but I didn't really understand the
technology behind a lag site in the case of just a deletion of an entire OU with 
many objects. 

For example,if I
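
The recovery Neil and Dan describe in the quoted exchange above (authoritative restore on the lag-site DC, then replicate the result to production), as an added example that is not code from the thread or from any of its participants. LAGDC1, DC1 and OU=Finance,DC=corp,DC=example are placeholders. The restartable AD DS step assumes Windows Server 2008 or later; on Windows Server 2003 the lag DC is booted into Directory Services Restore Mode instead and the ntdsutil commands are the same.

```powershell
# Added example, not code from the thread: undo a deleted OU by authoritatively
# restoring it on a lag-site DC and pushing the result to production.
# Assumed names: lag DC LAGDC1, production DC DC1, deleted OU
# OU=Finance,DC=corp,DC=example. Needs Domain Admin, the ActiveDirectory (RSAT)
# module, repadmin and ntdsutil.
Import-Module ActiveDirectory

$LagDC  = 'LAGDC1'                           # assumption
$ProdDC = 'DC1'                              # assumption
$LostDN = 'OU=Finance,DC=corp,DC=example'    # assumption: what was deleted

function Test-ObjectLive {
    param([string]$Server, [string]$DN)
    # Only "not found" means "not live"; any other failure (DC down, no rights)
    # propagates so a broken check is not mistaken for a closed window.
    try   { Get-ADObject -Identity $DN -Server $Server -ErrorAction Stop | Out-Null; $true }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] { $false }
}

function Lock-LagDC {
    # Step 1: close the door before the lag site's next window opens and the
    # deletion replicates in. Outbound stays on so the restore can leave later.
    repadmin /options $LagDC +DISABLE_INBOUND_REPL | Out-Null
}

function Assert-RecoveryWindowOpen {
    # Step 2: the OU must still be live on the lag DC and already gone on prod.
    if (-not (Test-ObjectLive -Server $LagDC -DN $LostDN)) {
        throw "$LostDN is already gone on $LagDC; the lag window has closed, fall back to tape."
    }
    if (Test-ObjectLive -Server $ProdDC -DN $LostDN) {
        throw "$LostDN is still present on $ProdDC; nothing to restore."
    }
    "Window open: $LostDN live on $LagDC, deleted on $ProdDC"
}

# Step 3, on the lag DC itself (console or RDP; ntdsutil asks for confirmation):
#     Stop-Service NTDS -Force
#     ntdsutil "authoritative restore" "restore subtree OU=Finance,DC=corp,DC=example" quit quit
#     Start-Service NTDS
# Marking the subtree authoritative raises the version number of every object
# in it, so the restored copies win over the tombstones on every other DC.
# Since Server 2003 SP1 ntdsutil also writes ar_<timestamp>_links_<domain>.ldf
# in its working directory, listing the restored objects' group memberships
# (back-links) in groups outside the restored subtree.

function Push-LagRestore {
    param([string]$LdfDir = '.')   # assumption: where the ar_*_links_*.ldf files were copied
    # Step 4: push the restore out of the lag DC, then reopen inbound replication.
    # /P pushes from the named DC, /A all partitions, /e across site boundaries.
    repadmin /syncall $LagDC /A /e /P
    repadmin /options $LagDC -DISABLE_INBOUND_REPL | Out-Null
    # Step 5: once the objects exist on production again, import the back-link
    # file there so memberships in groups outside the subtree come back too.
    Get-ChildItem -Path $LdfDir -Filter 'ar_*_links_*.ldf' | ForEach-Object {
        ldifde -i -k -f $_.FullName -s $ProdDC
    }
    # Step 6: verify from production's point of view.
    if (Test-ObjectLive -Server $ProdDC -DN $LostDN) { return "$LostDN is back on $ProdDC" }
    throw "Restore did not reach $ProdDC; check repadmin /showrepl $ProdDC"
}

# Order of operations: Lock-LagDC; Assert-RecoveryWindowOpen; step 3 on LAGDC1;
# then Push-LagRestore.
Lock-LagDC
Assert-RecoveryWindowOpen
```

Lock-LagDC is the step worth scripting in advance: the lag site protects you only until its next replication window, so the first action on hearing about a deletion is to stop the lag DC pulling anything in, before anyone has worked out what exactly was deleted.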

RE: [ActiveDir] AD DR - replication lag site----Why?

2005-05-20 Thread Myrick, Todd (NIH/CC/DNA)
I disagree that Lag sites are popular, maybe with you and at AD conferences
as a session.  I tend to avoid those sessions.  
 
To all those considering this as a viable solution, why not run it by MSC or
PSS and see what they say.  We get something called a supportability review
before we implement anything too whacky at my organization.  
 
There are so many things that can go wrong with an improper site design and
object reanimation that I just say avoid doing it.
 
I am waiting for Guido to chime in on this.
 
Todd

  _  

From: Dan Holme [mailto:[EMAIL PROTECTED]
Sent: Thu 5/19/2005 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site----Why?



Two more notes on this issue: 

1) THIRD PARTY AD RESTORE TOOLS.  Sounds like it's clear, now, WHY lag sites
are so popular.  Yes, there are third party products (particularly Quest
Recovery Manager) that work quite well if you have a budget for that.
Here's my take as to why my IT budget shouldn't be spent on those tools (and
*should* be spent on OTHER tools by some of those same companies).

a) Deleted objects can be avoided with proper delegation.  It's so
important that you properly delegate and properly use accounts with
administrative logon (i.e. with 'secondary logon' only) that this trumps
just about everything.  At most of my clients, NOBODY (from a practical
perspective) can delete users or groups.  We have a process we call
graveyarding, whereby an account is tagged (using a variety of methods) and,
with a SCRIPT, moved to an OU where they stay for 90 days before being
deleted (again, only by the SCRIPT).  The only other accounts that can
delete users and groups are the super-high admins (e.g. Domain Admins
equivalents).  This is only a piece of the picture, but it is an important
piece.

b) Deleted objects can be restored for FREE using ADRESTORE from
Sysinternals.  Granted, this tool brings back only the object (SID, GUID,
DN, CN) but that's all that really matters, right?  The best (FREE)
approaches we take at clients include *regularly* logging group memberships
in a custom database (to compare to last-knowns and watch for issues easily
and free-ly).  So when we restore a group we can repopulate membership
quickly, anyway.  So with good processes, it's FREE and easy to restore
objects in most situations.

c) Windows Server 2003 SP1 adds a feature that makes reanimating
Groups MUCH easier when you have deleted groups & users.  No more auth
restore twice. (Haven't seen it?  Do an auth restore on a
group on an SP1 DC and find the LDIF file it creates!!)

d) that leaves only really nasty deletions (e.g. an entire OU),
which, given a & b, will probably never happen.  And when they do, an auth
restore on a lag site takes a very short time.

e) therefore, I save my IT budget and use the $ on tools to aid
provisioning, auditing & monitoring, again to avoid problems in the first
place.

2) PREVENTING AUTHENTICATION ON LAG SITE.  As I mentioned, the method I've
heard of, and that we're testing, is to stop the NetLogon service on the lag
DCs.  There are several ways to avoid it restarting when/if the DC is
rebooted.  The article referenced in the ORIGINAL post suggested modifying
which SRV records are registered.  This should work, I'd guess, and is more
elegant.  The trick is that SRV records are not registered.  The A records
still are, so DCs should be able to find each other and replicate
successfully, but clients won't 'see' the DCs as a viable authentication
option.  I've not tried that approach but it sounded really good.

3) OK, three notes.  LAG SITES can be done with DCs in a site with a long
replication interval, or by changing the replication WINDOW (schedule).
It's a good idea to have TWO lag sites on alternating frequencies, to avoid
a situation where something awful happens just before a lag site happens to
replicate.  Someone detailed this earlier, and it's a good note!

Dan 
  


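
Dan's notes (2) and (3) above, two lag sites on alternating windows and lag DCs kept out of the DC locator via the SRV records they register, as one added example that is not code from the thread or from any of its participants. It uses the ActiveDirectory module and Resolve-DnsName, which are newer than the 2005 discussion; the site, DC, subnet and domain names are placeholders, and the DnsAvoidRegisterRecords list is the Netlogon registry value the DC locator GPO setting also writes.

```powershell
# Added example, not code from the thread: two lag sites on offset weekly
# windows, plus keeping the lag DCs out of the DC locator so no client ever
# authenticates against their stale copy. Assumed names: hub site
# Default-First-Site-Name, sites LagSite-A/LagSite-B with DCs LAGDC1/LAGDC2,
# domain corp.example. Needs the ActiveDirectory (RSAT) module, Enterprise
# Admin for the site objects, and local admin on each lag DC.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices
$NS = 'System.DirectoryServices.ActiveDirectory'
$HourType   = [type]"$NS.HourOfDay"
$MinuteType = [type]"$NS.MinuteOfHour"

$HubSite  = 'Default-First-Site-Name'
$Domain   = 'corp.example'
$LagSites = @(
    # Windows 3.5 days apart: whichever site replicated most recently, the other
    # still holds half a week of stale, i.e. recoverable, data.
    @{ Site = 'LagSite-A'; DC = 'LAGDC1'; Subnet = '10.99.1.0/24'; Day = [DayOfWeek]::Saturday;  Hour = 2  }
    @{ Site = 'LagSite-B'; DC = 'LAGDC2'; Subnet = '10.99.2.0/24'; Day = [DayOfWeek]::Wednesday; Hour = 14 }
)

function New-LagSite {
    param([hashtable]$Spec, [string]$Hub = $HubSite)
    # Site-link schedule: one one-hour window per week. The schedule, not the
    # interval, is what enforces the lag; the link is closed the rest of the time.
    $sched = New-Object "$NS.ActiveDirectorySchedule"
    $sched.ResetSchedule()
    $sched.SetSchedule($Spec.Day,
        [Enum]::ToObject($HourType, $Spec.Hour),     [Enum]::Parse($MinuteType, 'Zero'),
        [Enum]::ToObject($HourType, $Spec.Hour + 1), [Enum]::Parse($MinuteType, 'Zero'))
    New-ADReplicationSite     -Name $Spec.Site
    New-ADReplicationSubnet   -Name $Spec.Subnet -Site $Spec.Site
    New-ADReplicationSiteLink -Name "$Hub-$($Spec.Site)" -SitesIncluded $Hub, $Spec.Site `
        -InterSiteTransportProtocol IP -Cost 100 `
        -ReplicationFrequencyInMinutes 60 -ReplicationSchedule $sched
    # The lag DC must hang off THIS link only: move its server object into the site.
    Move-ADDirectoryServer -Identity $Spec.DC -Site $Spec.Site
}

function Disable-LagDCLocatorRecords {
    param([string]$DC)
    # Netlogon mnemonics to leave unregistered: everything a client uses to find
    # a DC, GC or KDC. The host A record and the DsaCname alias
    # (<dsaGuid>._msdcs.<forest>) that replication partners resolve are NOT in the
    # list, so DC-to-DC replication keeps working. The GPO "DC Locator DNS records
    # not registered by the DCs" (System\Net Logon\DC Locator DNS Records) sets
    # the same value if you prefer policy to a direct registry edit.
    $avoid = 'LdapIpAddress','Ldap','LdapAtSite','Pdc','Gc','GcAtSite','GcIpAddress',
             'Kdc','KdcAtSite','Dc','DcAtSite','Rfc1510Kdc','Rfc1510KdcAtSite',
             'Rfc1510UdpKdc','Rfc1510Kpw','Rfc1510UdpKpw','GenericGc','GenericGcAtSite'
    Invoke-Command -ComputerName $DC -ScriptBlock {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        Set-ItemProperty -Path $key -Name DnsAvoidRegisterRecords -Type MultiString -Value $using:avoid
        Restart-Service Netlogon
    }
}

function Test-LagDCHidden {
    param([string]$DC, [string]$Site, [string]$DomainName = $Domain)
    $fqdn  = "$DC.$DomainName"
    $names = "_ldap._tcp.dc._msdcs.$DomainName",
             "_kerberos._tcp.dc._msdcs.$DomainName",
             "_ldap._tcp.$Site._sites.dc._msdcs.$DomainName",
             "_gc._tcp.$DomainName"
    $targets = foreach ($n in $names) {
        Resolve-DnsName -Name $n -Type SRV -ErrorAction SilentlyContinue |
            Where-Object Type -eq 'SRV' | ForEach-Object NameTarget
    }
    # DnsAvoidRegisterRecords only stops future registration; SRV records the DC
    # registered before the change stay until deleted (DNS console or dnscmd).
    return -not ($targets -contains $fqdn)
}

foreach ($spec in $LagSites) {
    New-LagSite -Spec $spec
    Disable-LagDCLocatorRecords -DC $spec.DC
}
foreach ($spec in $LagSites) {
    '{0} hidden from DC locator: {1}' -f $spec.DC, (Test-LagDCHidden -DC $spec.DC -Site $spec.Site)
}
```

Test-LagDCHidden is the check to keep running after the build: a lag DC that shows up in _ldap._tcp.dc._msdcs again (a rebuilt DC, a lost registry value, leftover records) will hand clients a directory that is up to a week stale, and the only symptom is users "randomly" missing group memberships.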

Re: [ActiveDir] AD DR - replication lag site----Why?

2005-05-20 Thread A P
My 2 cents... Implementation of lag sites is a solution that was
recommended to us by our MS Advisory Support Engineer.  From what we
have been told, MS is writing a whitepaper on implementing lag sites. 
Not sure when that would be officially released.

Arden


RE: [ActiveDir] AD DR - replication lag site----Why not?

2005-05-20 Thread Rick Kingslan
Well - then I guess that I don't have a problem with Recovery Manager
anymore.  :o)

 

(Cost, however, might be an issue...  Don't know - never priced it because of
the concern stated. Now mitigated.)

 

But, I'm not likely to retire my Lag Site, nonetheless!  Don't want to fix
what's not broke, Todd.

 

Rick Kingslan  MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Windows Security (Affiliate)
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food


RE: [ActiveDir] AD DR - replication lag site----Why?

2005-05-20 Thread Rick Kingslan
Todd,

With all due respect, I think there are more people doing this than you
think.  You aren't using a Lag Site, so it's 'whacky'.  Your opinion, so
you're entitled to it.

PSS blessed our implementation, BTW.  If you'd like, I'll be happy to
provide you with contacts for the ROSS tech (out of Las Colinas) that did
our recent AD Health check in advance of our Win2k3/E2k3 upgrade.  He stated
that this was becoming a cheap, scalable solution to providing DR - and a
few large organizations were using them at warm/hot sites because they also
meet criteria for DR as addressed and required for Sarbanes.

And, I don't question the fact that a poor site design can cause problems.
But, humbly, I submit that I know what I'm doing.  Learn from what I do - or
learn not.  That's up to you.  I know that you have a liking for Quest -
which is fine.  I use some of their tools - just not Recovery Manager.
However, in a DR situation when your DCs are being rebuilt from scratch -
Recovery Manager is not a very valuable tool when there are no objects to
'undelete'.

As for Guido - I hope he chimes in as well.  He seems to be one of the few
that you trust - regardless of those that have supported you in the past.
Hopefully then - we can put this behind us.  Me, I'll keep doing what has
been successful for me for two years, thank you.

-rtk

 


RE: [ActiveDir] AD DR - replication lag site----Why?

2005-05-20 Thread Rick Kingslan
Arden,

Validation - I'm not the only one that MS is telling that 'whacky' things are a 
good thing.

-rtk


RE: [ActiveDir] AD DR - replication lag site----Why?

2005-05-20 Thread David Adner
Using my non-scientific personal observations, of the last 50 or so
customers I've been to I believe only 3 had lag sites.  Of those 3, none had
done what I'd call a good job of setting it up (they had basically just
created a separate site with a longer replication interval).  Of the other
~47, perhaps half knew of lag sites and were either interested in the
concept or had plans to implement them.  How many actually will I can't say.
These are all Premier customers.

So, based on my personal experience, I'm more inclined to agree with Todd.
I think, however, that over the next couple years lag sites will become the
norm as virtualization becomes commonplace and best practices are better
documented and understood.

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
 Sent: Friday, May 20, 2005 15:49
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD DR - replication lag site----Why?
 
 Todd,
 
 With all due respect, I think there are more people doing 
 this than you think.  You aren’t using a Lag Site, so it’s 
 ‘whacky’.  Your opinion, so you’re entitled to it.
 
 PSS blessed our implementation, BTW.  If you’d like, I’ll be 
 happy to provide you with contacts for the ROSS tech (out of 
 Los Colinas) that did our recent AD Health check in advance 
 of our Win2k3/E2k3 upgrade.  He stated that this was becoming 
 a cheap, scalable solution to providing DR – and a few large 
 organizations were using them at warm/hot sites because they 
 also meet criteria for DR as addressed and required for Sarbanes.
 
 And, I don’t question the fact that a poor site design can 
 cause problems.  But, humbly, I submit that I know what I’m 
 doing.  Learn from what I do – or learn not.  That’s up to 
 you.  I know that you have a liking for Quest – which is 
 fine.  I use some of their tools – just not Recovery Manager. 
  However, in a DR situation when your DCs are being rebuilt 
 from scratch – Recovery Manager is not a very valuable tool 
 when there are no objects to ‘undelete’.
 
 As for Guido – I hope he chimes in as well.  He seems to be 
 one of the few that you trust – regardless of those that have 
 supported you in the past.  Hopefully then – we can put this 
 behind us.  Me, I’ll keep doing what has been successful for 
 me for two years, thank you.
 
 -rtk
 
  
 
 
 
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Myrick, Todd (NIH/CC/DNA)
 Sent: Friday, May 20, 2005 11:59 AM
 To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD DR - replication lag site----Why?
 
  
 
 I disagree that Lag sites are popular, maybe with you and at 
 AD conferences as a session.  I tend to avoid those sessions.  
 
  
 
 To all those considering this as a viable solution, why not 
 run it by MSC or PSS and see what they say.  We get something 
 called a supportability review before we implement anything 
 too whacky at my organization.
 
  
 
 There are so many things that can go wrong with an improper 
 site design and object reanimation that I just say avoid doing it.
 
  
 
 I am waiting for Guido to chime in on this.
 
  
 
 Todd
 
  
 
 
 
 From: Dan Holme [mailto:[EMAIL PROTECTED]
 Sent: Thu 5/19/2005 10:16 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD DR - replication lag site----Why?
 
 Two more notes on this issue: 
 
 1) THIRD PARTY AD RESTORE TOOLS.  Sounds like it's clear, 
 now, WHY lag sites are so popular.  Yes, there are third 
 party products (particularly Quest Recovery Manager) that 
 work quite well if you have a budget for that.  Here's my 
 take as to why my IT budget shouldn't be spent on those tools 
 (and *should* be spent on OTHER tools by some of those same 
 companies).
 
 a) Deleted objects can be avoided with proper 
 delegation.  It's so important that you properly delegate and 
 properly use accounts with administrative logon (i.e. with 
 'secondary logon' only) that this trumps just about 
 everything.  At most of my clients, NOBODY (from a practical 
 perspective) can delete users or groups.  We have a process 
 we call graveyarding, whereby an account is tagged (using a 
 variety of methods) and, with a SCRIPT, moved to an OU where 
 they stay for 90 days before being deleted (again, only by 
 the SCRIPT).  The only other accounts that can delete users 
 and groups are the super-high admins (e.g. Domain Admins 
 equivalents).  This is only a piece of the picture, but it is 
 an important piece.
 
 b) Deleted objects can be restored for FREE using 
 ADRESTORE from Sysinternals.  Granted, this tool brings back 
 only the object (SID, GUID, DN, CN) but that's all that 
 really matters, right?  The best (FREE) approaches we take at 
 clients include *regularly* logging group memberships in a 
 custom database (to compare to last-knowns and watch for 
 issues easily and free

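Dan's point (b) above, regularly logging group memberships so that removals are noticed and a group reanimated with ADRESTORE can be repopulated, as an added PowerShell example that is not from the thread. It assumes the ActiveDirectory module; `$SearchBase` and `$SnapshotDir` are placeholders.

```powershell
# Added example (not from the thread): snapshot group memberships on every run and diff
# them against the last snapshot, so a stripped membership shows up immediately and a
# group brought back with ADRESTORE can be repopulated from its last-known member list.
# Assumptions: ActiveDirectory module present; $SearchBase and $SnapshotDir are placeholders.
Import-Module ActiveDirectory
$SearchBase  = 'OU=Groups,DC=example,DC=com'   # placeholder OU holding the groups to track
$SnapshotDir = 'C:\ADSnapshots'                # placeholder; a share admins cannot write to is better

function Get-GroupMembershipSnapshot {
    # Hashtable: group DN -> sorted array of member DNs (sorted so equal states compare equal).
    param([string]$Base)
    $snapshot = @{}
    Get-ADGroup -Filter * -SearchBase $Base -Properties member | ForEach-Object {
        $snapshot[$_.DistinguishedName] = @($_.member | Sort-Object)
    }
    return $snapshot
}

function Compare-GroupMembershipSnapshot {
    # One record per difference: a member Added, a member Removed, or the whole group gone.
    param([hashtable]$Previous, [hashtable]$Current)
    $changes = @()
    foreach ($group in (@($Previous.Keys) + @($Current.Keys) | Sort-Object -Unique)) {
        if (-not $Current.ContainsKey($group)) {
            $changes += [pscustomobject]@{ Group = $group; Member = '*'; Change = 'GroupMissing' }
            continue
        }
        $before = if ($Previous.ContainsKey($group)) { @($Previous[$group]) } else { @() }
        $after  = @($Current[$group])
        foreach ($m in $before) {
            if ($after -notcontains $m) { $changes += [pscustomobject]@{ Group = $group; Member = $m; Change = 'Removed' } }
        }
        foreach ($m in $after) {
            if ($before -notcontains $m) { $changes += [pscustomobject]@{ Group = $group; Member = $m; Change = 'Added' } }
        }
    }
    return $changes
}

# Load the newest snapshot (if any), report what changed, then write this run's snapshot.
$current = Get-GroupMembershipSnapshot -Base $SearchBase
$latest  = Get-ChildItem -Path $SnapshotDir -Filter '*.json' -ErrorAction SilentlyContinue |
           Sort-Object Name | Select-Object -Last 1
if ($latest) {
    $previous = @{}
    (Get-Content -Path $latest.FullName -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $previous[$_.Name] = @($_.Value) }
    Compare-GroupMembershipSnapshot -Previous $previous -Current $current |
        Where-Object { $_.Change -ne 'Added' } | Format-Table -AutoSize   # removals and lost groups
}
New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
$current | ConvertTo-Json -Depth 3 |
    Set-Content -Path (Join-Path $SnapshotDir ('{0:yyyyMMdd-HHmmss}.json' -f (Get-Date)))
```

Run it from a scheduled task under a dedicated account; the 'Removed' rows for a restored group are the members to add back.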
RE: [ActiveDir] AD DR - replication lag site----Why not?

2005-05-20 Thread Brett Shirley
Ummm ... U .

Not sure what I'm allowed to say.  Ok, I just had a long conversation with
Stuart ... it'll take me awhile to write up something a little more
accurate than the below.  More to come ...

Cheers,
-BrettSh [msft]



On Fri, 20 May 2005, Rick Kingslan wrote:

 Well - then I guess that I don't have a problem with Recovery Manager
 anymore then.  :o)
 
  
 
 (Cost, however, might be an issue...  Don't know - never priced it because of
 the concern stated. Now mitigated.)
 
  
 
 But, I'm not likely to retire my Lag Site, nonetheless!  Don't want to fix
 what's not broke, Todd.
 
  
 
 Rick Kingslan  MCSE, MCSA, MCT, CISSP
 Microsoft MVP:
 Windows Server / Directory Services
 Windows Server / Rights Management
 Windows Security (Affiliate)
 Associate Expert
 Expert Zone - www.microsoft.com/windowsxp/expertzone
 WebLog - www.msmvps.com/willhack4food
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
 (NIH/CC/DNA)
 Sent: Friday, May 20, 2005 11:51 AM
 To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD DR - replication lag site----Why not?
 
  
 
 Disagree Rick,
 
  
 
 MS changed the verbiage in the Q article to say they would support it.  I
 think it was when Stewart and I got into it a little here that caused them
 to rethink the Q article... but I don't want to take the credit.
 
  
 
 Todd
 
  
 
  
 
  
 
  
 
 
 From: Rick Kingslan [mailto:[EMAIL PROTECTED]
 Sent: Thu 5/19/2005 11:12 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD DR - replication lag site----Why not?
 
 Todd - 
 
 I personally don't have a problem with Recovery Manager. 
 
 That being said - Last I checked, Microsoft still didn't allow it as a 
 SUPPORTABLE solution for the purpose under discussion. 
 
 With our company being an Enterprise Agreement customer with a PSS agreement
 
 scaled to 'Get Ballmer out of bed - we've got a CritSit case!' response, I 
 can't allow anything into the environment that would put us at risk. 
 
 Besides, being an EA customer has the benefit of the solution that I 
 proposed being pretty low-cost, given the overall benefits.  And, I don't 
 find NTDSUTIL overly difficult or intensive to use. 
 
 But, that's just me. 
 
 -rtk 
 
 -Original Message- 
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd 
 (NIH/CC/DNA) 
 Sent: Thursday, May 19, 2005 8:34 AM 
 To: ActiveDir@mail.activedir.org 
 Subject: RE: [ActiveDir] AD DR - replication lag site----Why? 
 
 Is it cheaper and more efficient to go the replication lag site route than 
 buy a proper backup and object level restore solution?  
 
 I mean not to toot a vendor's horn, but Quest recovery manager turns the 
 process of restoring objects into a 15 minute click click operation.  I 
 would hate to think of the number of steps you all must do to reanimate the 
 object in a directory using the Recovery Site. 
 
 From an operations standpoint, there is no substitute for a proper backup 
 solution and object level restore utility for AD. 
 
 Thanks, 
 
 Todd Myrick 
 
 -Original Message- 
 From: TIROA YANN [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, May 19, 2005 4:20 AM 
 To: ActiveDir@mail.activedir.org 
 Subject: RE: [ActiveDir] AD DR - replication lag site 
 
 Neil, 
 
 I now understand... I'm a new man by now thanks to the mysterious lag site 
 that has been revealed to me :-)) 
 
 Thanks a lot for your explanations. 
 
 Regards, 
 
 Yann TIROA 
 
 Centre de Ressources Informatique. 
 Campus Scientifique de la DOUA. 
 Gabriel Lippmann building - 2nd floor - room 238. 
 43, Bd du 11 Novembre 1918. 
 69622 Villeurbanne Cedex. 
 
  
 
 -Original Message- 
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil 
 Sent: Thursday, 19 May 2005 10:09 
 To: 'ActiveDir@mail.activedir.org' 
 Subject: RE: [ActiveDir] AD DR - replication lag site 
 
 If the deletion occurs on DC1, then a DC (DC2) in the lag site will not 
 receive the deletion immediately. You therefore have a window of opportunity
 
 in which the deletion may be 'undone'. 
 
 The deleted object may be auth restored on DC2 and thus replicated / 
 reanimated on DC1 (and any other DC which has received the deletion). 
 
 [My terminology may not be acceptable to some - I have deliberately 
 explained this in simplistic terms :)] 
 
 neil 
 
  
 
 -Original Message- 
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN 
 Sent: 19 May 2005 08:54 
 To: ActiveDir@mail.activedir.org 
 Subject: RE: [ActiveDir] AD DR - replication lag site 
 
  
 
 Hello, 
 
 I must apologize, but I'm a little bit confused. You said "With a lag site, 
 you ONLY have to do an authoritative restore (NTDSUTIL)." 
 
 Do you mean if I delete my OU on a DC in site A, all I have to do is do an 
 authoritative restore, not on site A, BUT on the DC in the lag site, reboot, and 
 force replication to site

RE: [ActiveDir] AD DR - replication lag site----Why?

2005-05-20 Thread joe
This is pretty easily overcome. You simply modify the schema and tell it not
to scrub all of the entries. This doesn't work for everything but can
definitely get you close. Coupled with an AD/AM to maintain last known
states and you can easily and freely recover your data. 

  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Friday, May 20, 2005 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site----Why?

You are correct there are free tools to do a restore of objects. There is
one problem though with deleting and reanimating objects. When an object is
deleted almost all info is stripped from it besides some important
attributes (SID, GUID, etc.). If you reanimate the object you'll get a
stripped object and all other info (attributes) is NOT restored because it
is not available anymore. That is where the third-party tools and the LAG
site come in... Preserving a copy of the object and all of its info
(attributes)

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Thursday, May 19, 2005 16:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site----Why?

Two more notes on this issue:

1) THIRD PARTY AD RESTORE TOOLS.  Sounds like it's clear, now, WHY lag sites
are so popular.  Yes, there are third party products (particularly Quest
Recovery Manager) that work quite well if you have a budget for that.
Here's my take as to why my IT budget shouldn't be spent on those tools (and
*should* be spent on OTHER tools by some of those same companies).
a) Deleted objects can be avoided with proper delegation.  It's so
important that you properly delegate and properly use accounts with
administrative logon (i.e. with 'secondary logon' only) that this trumps
just about everything.  At most of my clients, NOBODY (from a practical
perspective) can delete users or groups.  We have a process we call
graveyarding, whereby an account is tagged (using a variety of methods) and,
with a SCRIPT, moved to an OU where they stay for 90 days before being
deleted (again, only by the SCRIPT).  The only other accounts that can
delete users and groups are the super-high admins (e.g. Domain Admins
equivalents).  This is only a piece of the picture, but it is an important
piece.
b) Deleted objects can be restored for FREE using ADRESTORE from
Sysinternals.  Granted, this tool brings back only the object (SID, GUID,
DN, CN) but that's all that really matters, right?  The best (FREE)
approaches we take at clients include *regularly* logging group memberships
in a custom database (to compare to last-knowns and watch for issues easily
and free-ly).  So when we restore a group we can repopulate membership
quickly, anyway.  So with good processes, it's FREE and easy to restore
objects in most situations.
c) Windows Server 2003 SP1 adds a feature that makes reanimating
Groups MUCH easier when you have deleted groups & users.  No more auth
restore two times necessary. (Haven't seen it?  Do an auth restore on a
group on an SP1 DC and find the LDIF file it creates!!)
d) that leaves only really nasty deletions (e.g. an entire OU),
which, given a & b, will probably never happen.  And when they do, an auth
restore on a lag site takes a very short time.
e) therefore, I save my IT budget and use the $ on tools to aid
provisioning, auditing & monitoring, again to avoid problems in the first
place.

2) PREVENTING AUTHENTICATION ON LAG SITE.  As I mentioned, the method I've
heard of, and that we're testing, is to stop the NetLogon service on the lag
DCs.  There are several ways to avoid it restarting when/if the DC is
rebooted.  The article referenced in the ORIGINAL post suggested modifying
which SRV records are registered.  This should work, I'd guess, and is more
elegant.  The trick is that SRV records are not registered.  The A records
still are, so DCs should be able to find each other and replicate
successfully, but clients won't 'see' the DCs as a viable authentication
option.  I've not tried that approach but it sounded really good.

3) OK, three notes.  LAG SITES can be done with DCs in a site with a long
replication interval, or by changing the replication WINDOW (schedule).
It's a good idea to have TWO lag sites on alternating frequencies, to avoid
a situation where something awful happens just before a lag site happens to
replicate.  Someone detailed this earlier, and it's a good note!

Dan
 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DNA)
Sent: Thursday, May 19, 2005 6:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site----Why?

Is it cheaper and more efficient to go the replication lag site route than
buy a proper backup and object level restore solution?  

I mean not to toot

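Dan's note 3 above (two lag sites on alternating schedules so that a deletion just before one lag DC replicates is still held by the other), as an added PowerShell example that is not from the thread. It assumes the ActiveDirectory module of Windows Server 2012 or later and two existing inter-site links with the placeholder names 'Hub-Lag1' and 'Hub-Lag2'; the sample deletion times are constructed.

```powershell
# Added example (not from the thread): put two lag sites on weekly replication windows
# 3.5 days apart and compute the recovery window that leaves. Assumptions: inter-site links
# 'Hub-Lag1' and 'Hub-Lag2' already exist (placeholder names) and the ActiveDirectory module
# of Windows Server 2012 or later is available.
Import-Module ActiveDirectory

function New-WeeklyWindowSchedule {
    # Availability schedule that is open for one hour per week and closed otherwise.
    param([DayOfWeek]$Day, [ValidateRange(0, 23)][int]$Hour)
    $schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
    $raw = $schedule.RawSchedule      # bool[7,24,4]: day of week, hour, 15-minute slot
    $d = [int]$Day
    for ($slot = 0; $slot -lt 4; $slot++) { $raw[$d, $Hour, $slot] = $true }
    $schedule.RawSchedule = $raw
    return $schedule
}

# Monday 02:00 and Thursday 14:00: the second window sits 84 hours after the first.
$lagWindows = @(
    @{ Link = 'Hub-Lag1'; Day = [DayOfWeek]::Monday;   Hour = 2 },
    @{ Link = 'Hub-Lag2'; Day = [DayOfWeek]::Thursday; Hour = 14 }
)
foreach ($w in $lagWindows) {
    # A 60-minute interval inside a 60-minute window gives exactly one pull per week.
    Set-ADReplicationSiteLink -Identity $w.Link -ReplicationFrequencyInMinutes 60 `
        -ReplicationSchedule (New-WeeklyWindowSchedule -Day $w.Day -Hour $w.Hour)
}

function Get-RecoveryWindowHours {
    # For a deletion at $At, each lag DC still holds the pre-deletion object until its next
    # window opens; the longest of those is how long an authoritative restore stays possible.
    param([datetime]$At, [hashtable[]]$Windows)
    $hours = foreach ($w in $Windows) {
        $daysAhead = (([int]$w.Day - [int]$At.DayOfWeek) + 7) % 7
        $open = $At.Date.AddDays($daysAhead).AddHours($w.Hour)
        if ($open.AddHours(1) -le $At) { $open = $open.AddDays(7) }   # this week's window already passed
        [math]::Max(0, ($open - $At).TotalHours)                       # 0 while the window is open
    }
    return ($hours | Measure-Object -Maximum).Maximum
}

# Constructed sample: every hour of the week starting Monday 2005-05-16. One site bottoms
# out at 0 h (deletion during its window); two alternating sites never drop below 84 h.
$week = 0..167 | ForEach-Object { (Get-Date '2005-05-16 00:00').AddHours($_) }
$one = ($week | ForEach-Object { Get-RecoveryWindowHours -At $_ -Windows $lagWindows[0] } | Measure-Object -Minimum).Minimum
$two = ($week | ForEach-Object { Get-RecoveryWindowHours -At $_ -Windows $lagWindows } | Measure-Object -Minimum).Minimum
'Worst-case recovery window: one lag site {0} h, two alternating lag sites {1} h' -f $one, $two
```

The same arithmetic applies to Rick's design of several lag DCs on different intervals: the recovery window is governed by the DC whose next pull is furthest away.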
RE: [ActiveDir] AD DR - replication lag site----Why?

2005-05-20 Thread joe
I would tend to agree with what David is saying from what I have seen of lag
sites as well.

Not many people, relatively, are doing it, and those that are, are likely to be doing
it in a roughshod way. 

I am not a huge fan of lag sites. I think they are ok, but for instance
didn't think they deserved 3 or 4 different speakers talking about it at the
DEC in DC a couple of years ago. 

I am far more interested in taking away the rights from people to do the
stupid deletions in the first place like was mentioned previously.
Seriously, I have done 0, count them, 0 restores of objects in production
and have been involved in some rather seriously sized implementations, 5
years of lead AD tech for a Fortune 5 directory. The lax position that
"accidental deletions happen" is not a mentality I am likely to subscribe to. If
someone deleted something, my feeling is, they knew what they were doing and
they were adequately aware of what they did. 

First off, don't delete right off. Disable, rename, and move. 

Second off, don't do admin through the GUI, too easy to click on an OU when
deleting than a single user. 

Third off, don't let people have the power to delete things. Let them
request deletes of automated systems that are designed to follow good rules
so they appear to be smarter than the admins. 

There were mentions of supportability, etc. I would not be surprised to hear
MS say this is supported. Honestly, it isn't that whacky from a technical
standpoint. However, if someone has gone through the supportability review process I
*HIGHLY* recommend they keep any and all docs with the names of the MS
people involved locked up and saved. I have had it occur more than once over
the years where I was told something was supported and fine and then several
years later have them looking at me saying they would never have approved
this or that. Some of the times I didn't have docs and was screwed, as MS, I
have found, is fond of saying "we don't have any documentation of that being
said or being done"; other times I had docs and then I see PSS trying to
find reasons why they missed the issue or something else in the doc not
being followed that they try to imply makes the whole thing moot.
Unfortunately PSS will declare a lot of things as unsupportable even if they
have no good answer themselves, for instance, scripted GPO deployment
pre-GPMC. There were several years there that people were forced to come up
with their own mechanisms for scripted GPO deployment before GPMC was
released because the normal GUI just wouldn't cut it, they are all
unsupported by MS. Unfortunately companies won't tend to find out until they
contact MS about it or PSS stumbles upon it. 

Back to lag sites, you, of course, have the possibilities of directory
corruption, etc. where you lose the entire directory in one fell swoop. A lag
site could be used here but an auth restore is probably not going to be what
you need to save you, you need to rebuild everything. Personally over a lag
site I would use a site with a bunch of virtual DCs that you are taking down
together and backing up the disk images of and then if you need to roll
back, you pick the day or 4,6,8,12 hour period and roll back to it once
everything else has been taken offline and you build the rest of your
environment back out from this seed environment. This gives you the
additional benefit of having an environment you can take into a segregated
lab and test stuff any time you need to. It just needs to be done right or
you will have Brett snickering at you.

As I mentioned in an earlier post, if you are afraid of deleted objects, I
would recommend judicious use of searchFlags 0x08 and admod with the -undel
option. Couple that with a simple AD/AM directory that you don't let your
loose cannon admins have access to and you can pretty easily get things
back. 


  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Friday, May 20, 2005 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site----Why?

Using my non-scientific personal observations, of the last 50 or so
customers I've been to I believe only 3 had lag sites.  Of those 3, none had
done what I'd call a good job of setting it up (they had basically just
created a separate site with a longer replication interval).  Of the other
~47, perhaps half knew of lag sites and were either interested in the
concept or had plans to implement them.  How many actually will I can't say.
These are all Premier customers.

So, based on my personal experience, I'm more inclined to agree with Todd.
I think, however, that over the next couple years lag sites will become the
norm as virtualization becomes commonplace and best practices are better
documented and understood.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
 Sent: Friday, May 20, 2005 15:49
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD

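joe's searchFlags 0x08 suggestion above (preserve-on-delete, so a tombstone keeps chosen attribute values and a reanimated object comes back with them), as an added PowerShell example that is not from the thread. It assumes Schema Admins membership and the ActiveDirectory module; the attribute list is illustrative, and linked attributes such as member are not retained by a tombstone regardless of this bit.

```powershell
# Added example (not from the thread): report which schema attributes already carry the
# preserve-on-delete bit (searchFlags 0x08) and set it on a chosen list, so a tombstone keeps
# those values and reanimation (admod -undel, ADRESTORE) returns them. Assumptions: the caller
# is in Schema Admins, the ActiveDirectory module is present, the attribute names at the end
# are illustrative. Linked attributes such as member are stripped from tombstones regardless.
Import-Module ActiveDirectory
$SchemaMaster     = (Get-ADForest).SchemaMaster          # schema writes go to the FSMO holder
$PreserveOnDelete = 0x08

function Get-PreservedOnDeleteAttribute {
    # Every attributeSchema object with bit 0x08 set, via the LDAP bitwise-AND matching rule.
    $schemaNC = (Get-ADRootDSE -Server $SchemaMaster).schemaNamingContext
    Get-ADObject -Server $SchemaMaster -SearchBase $schemaNC `
        -LDAPFilter '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=8))' `
        -Properties lDAPDisplayName, searchFlags |
        Select-Object lDAPDisplayName, @{ n = 'searchFlags'; e = { '0x{0:X}' -f [int]$_.searchFlags } }
}

function Set-PreserveOnDelete {
    # ORs 0x08 into searchFlags of each named attribute, leaving index/ANR/confidential bits intact.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$AttributeName)
    $schemaNC = (Get-ADRootDSE -Server $SchemaMaster).schemaNamingContext
    foreach ($name in $AttributeName) {
        $attr = Get-ADObject -Server $SchemaMaster -SearchBase $schemaNC `
            -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" -Properties searchFlags
        if (-not $attr) { Write-Warning "attribute $name not found in schema"; continue }
        $old = [int]$attr.searchFlags
        if ($old -band $PreserveOnDelete) { continue }               # already preserved, leave untouched
        $new = $old -bor $PreserveOnDelete
        if ($PSCmdlet.ShouldProcess($name, ('searchFlags 0x{0:X} -> 0x{1:X}' -f $old, $new))) {
            Set-ADObject -Server $SchemaMaster -Identity $attr -Replace @{ searchFlags = $new }
        }
    }
}

Get-PreservedOnDeleteAttribute | Format-Table -AutoSize
# Illustrative list: profile data a stripped tombstone would otherwise lose. Remove -WhatIf to apply.
Set-PreserveOnDelete -AttributeName 'department', 'title', 'telephoneNumber' -WhatIf
```

Schema changes replicate forest-wide and are not reversible in the usual sense, so audit the current set first and keep the list small; the 0x08 bit also grows every tombstone by the preserved values.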
RE: [ActiveDir] AD DR - replication lag site

2005-05-19 Thread TIROA YANN
 


Regards,

Yann TIROA

Centre de Ressources Informatique.
Campus Scientifique de la DOUA.
Gabriel Lippmann building - 2nd floor - room 238.
43, Bd du 11 Novembre 1918.
69622 Villeurbanne Cedex.



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, 18 May 2005 16:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

(Caveat - I didn't go read the article; I'm fairly certain what this is
about)

I've implemented something quite similar to this in my environment - except I 
did it quite a bit differently - and, I think that it's a very viable DR and 
near-line recovery solution.

What we did in our Enterprise was to stand up a VMWare server at our DR site 
(VERY well connected - it's a warm site) and created 8 DC instances with repl 
schedules from 30 minutes to 1 month.  In the event that we have a BIG problem, 
or a small one (we had one of our remote site Admins delete his whole computers 
OU for his site) we are able to do an authoritative restore (or a non-auth, 
then auth, depending on circumstances) to correct a problem of this type.

Me, personally - I sleep much better knowing that I have this system in place.  
It works for us, and we also used a similar process to protect us from major 
problems during our schema upgrades for Win2k3 and Exchange 2k3 (as well as 
Cisco Unity and CallManager).

-rtk

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Wednesday, May 18, 2005 8:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD DR - replication lag site

I am interested in your thoughts regarding this suggestion for DR:

http://searchwin2000.techtarget.com/tip/1,289483,sid1_gci1086805,00.html
(You may need to register)

Basically it states that you should create another AD site and set the 
replication for 168 hours.

Thank you,

...D
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] AD DR - replication lag site

2005-05-19 Thread TIROA YANN
Hello,

Thanks for these interesting tips, but I didn't really understand the
technology behind a lag site in the case of just a deletion of an
entire OU with many objects.

For example, if I have an AD 2003 domain with 2 sites:
Site A has 2 DCs
Site B has one DC and is the lag site
Between the 2 sites, I scheduled replication to occur every week.

In the situation of an OU deletion, I go to the DC where I made the
deletion, do an authoritative restore in DS restore mode and, after reboot,
wait for replication to take place in order to repopulate my whole domain
with my restored OU. So how will the lag site help me in this situation?

I can understand that a lag site will help me if all my DCs in site A
crashed. So I would take all the information from the lag site to be
restored in site A, such as copying my domain from the lag site by doing a
dcpromo /adv, and go to my freshly installed DCs on site A, and restore my
whole domain.
However, I think I will have more up-to-date information by restoring from
yesterday's backup than from the lag site...

So, could you help me better understand the technology behind a lag
site? I think I misunderstand something important ;-(

Thank you for your feedback.

Have a nice day :-)

Regards,

Yann 



RE: [ActiveDir] AD DR - replication lag site

2005-05-19 Thread Dan Holme
The major issue is the SPEED of recovery.  With a lag site, you ONLY
have to do an authoritative restore (NTDSUTIL).

Without a lag site, you must first restore the AD from backup tape
('normal' restore), which can take quite some time. Then, and only
then, can you do the auth restore.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Wednesday, May 18, 2005 11:46 PM
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

Hello,

Thanks for these interesting tips, but I didn't really understand the
technology behind a lag site in the case of just a deletion of an
entire OU with many objects.

For example, if I have an AD 2003 domain with 2 sites:
Site A has 2 DCs
Site B has one DC and is the lag site
Between the 2 sites, I scheduled replication to occur every week.

In the situation of an OU deletion, I go to the DC where I made the
deletion, do an authoritative restore in DS restore mode and, after reboot,
wait for replication to take place in order to repopulate my whole domain
with my restored OU. So how will the lag site help me in this situation?

I can understand that a lag site will help me if all my DCs in site A
crashed. So I would take all the information from the lag site to be
restored in site A, such as copying my domain from the lag site by doing a
dcpromo /adv, and go to my freshly installed DCs on site A, and restore my
whole domain.
However, I think I will have more up-to-date information by restoring from
yesterday's backup than from the lag site...

So, could you help me better understand the technology behind a lag
site? I think I misunderstand something important ;-(

Thank you for your feedback.

Have a nice day :-)

Regards,

Yann 



RE: [ActiveDir] AD DR - replication lag site

2005-05-19 Thread Ruston, Neil
That solution is fine until the machine is rebooted and netlogon starts again
:)

Why not change the DNS SRV record priorities/weights? Or alternatively, place
the DC in a separate site, which consists of just 1 subnet (i.e. the subnet
where the DC itself lives).

If DNS records are removed, then the DC will fail to authenticate and
replicate with other DCs.

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: 18 May 2005 23:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site


I have several large clients who are going this direction and are in testing
right now.  Things look quite good.

I had read somewhere that an alternative approach to preventing authentication
to the 'lag' DCs was to stop the Netlogon service.  The approach of removing
DNS records seems more elegant, and I'll be interested to hear people's thoughts
on these alternatives.



Dan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Wednesday, May 18, 2005 6:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD DR - replication lag site

I am interested in your thoughts regarding this suggestion for DR:

http://searchwin2000.techtarget.com/tip/1,289483,sid1_gci1086805,00.html
(You may need to register)

Basically it states that you should create another AD site and set the
replication for 168 hours.

Thank you,

...D

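The alternative Neil and Dan discuss above, keeping the lag DC out of client DC location without relying on a stopped Netlogon service that a reboot would restart, as an added PowerShell example that is not from the thread. It assumes it is run on the lag DC as an administrator with the ActiveDirectory and DnsClient modules, and uses the documented DnsAvoidRegisterRecords mnemonics; the hardened-versus-weak point is that the registry setting survives reboots while a manual service stop does not.

```powershell
# Added example (not from the thread): stop a lag-site DC from being chosen by the DC locator
# by having Netlogon skip the client-facing SRV/A records, while keeping the records that
# replication partners need (the DSA GUID CNAME; the host's own A record is not Netlogon's).
# Assumptions: run on the lag DC as an administrator with the ActiveDirectory and DnsClient
# modules; the mnemonics are the documented DnsAvoidRegisterRecords values.
Import-Module ActiveDirectory
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Locator records a client uses to pick a DC for LDAP, Kerberos, GC and PDC lookups.
# Deliberately absent: DsaCname (replication partners resolve it) and DcByGuid.
$ClientLocatorRecords = @(
    'LdapIpAddress', 'Ldap', 'LdapAtSite', 'Pdc',
    'Gc', 'GcAtSite', 'GcIpAddress', 'GenericGc', 'GenericGcAtSite',
    'Kdc', 'KdcAtSite', 'Dc', 'DcAtSite',
    'Rfc1510Kdc', 'Rfc1510KdcAtSite', 'Rfc1510UdpKdc', 'Rfc1510Kpwd', 'Rfc1510UdpKpwd'
)

function Set-LagDcLocatorRecords {
    # Writes the multi-string value and restarts Netlogon, which deregisters its dynamic
    # records on stop and re-registers only the permitted set on start. Unlike a plain
    # 'Stop-Service Netlogon', this persists across reboots.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Avoid = $ClientLocatorRecords)
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "suppress $($Avoid.Count) locator records and restart Netlogon")) {
        Set-ItemProperty -Path $NetlogonParams -Name DnsAvoidRegisterRecords -Value $Avoid -Type MultiString
        Restart-Service -Name Netlogon
    }
}

function Test-LagDcLocatorRecords {
    # Check from DNS: this host must be absent from the domain-wide LDAP SRV set that clients
    # query, yet its DSA CNAME in the forest _msdcs zone must still resolve for replication.
    $dc      = Get-ADDomainController -Identity $env:COMPUTERNAME
    $dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID
    $forest  = (Get-ADForest).RootDomain
    $srv   = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($dc.Domain)" -Type SRV -ErrorAction SilentlyContinue
    $cname = Resolve-DnsName -Name "$dsaGuid._msdcs.$forest" -Type CNAME -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Host             = $dc.HostName
        ListedForClients = @($srv | Where-Object { $_.NameTarget -ieq $dc.HostName }).Count -gt 0
        DsaCnameResolves = [bool]$cname
    }
}

Set-LagDcLocatorRecords -WhatIf     # drop -WhatIf on the lag DC itself
Test-LagDcLocatorRecords            # expected after the change: ListedForClients False, DsaCnameResolves True
```

Pair this with Neil's site design (the lag DC alone in a site whose only subnet is its own) so that clients never map to it even before DNS caches expire.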

RE: [ActiveDir] AD DR - replication lag site

2005-05-19 Thread TIROA YANN
Hello,

I must apologize, but I'm a little bit confused. You said "With a lag site, you 
ONLY have to do an authoritative restore (NTDSUTIL)." 

Do you mean if I delete my OU on a DC in site A, all I have to do is do an 
authoritative restore, not on site A, BUT on the DC in the lag site, reboot, and force 
replication to site A? And the non-authoritative restore will in fact be the 
data on the lag site, which explains your previous sentence?
Wow! That's very clever!!

Am I right ?

Regards,

Yann



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Thursday, 19 May 2005 08:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

The major issue is the SPEED of recovery.  With a lag site, you ONLY have to do 
an authoritative restore (NTDSUTIL).

Without a lag site, you must first restore the AD from backup tape ('normal' 
restore), which can take quite some time. Then, and only then, can you do 
the auth restore.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Wednesday, May 18, 2005 11:46 PM
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

Hello,

Thanks for these interesting tips, but I didn't really understand the
technology behind a lag site in the case of just a deletion of an
entire OU with many objects.

For example, if I have an AD 2003 domain with 2 sites:
Site A has 2 DCs
Site B has one DC and is the lag site
Between the 2 sites, I scheduled replication to occur every week.

In the situation of an OU deletion, I go to the DC where I made the
deletion, do an authoritative restore in DS restore mode and, after reboot,
wait for replication to take place in order to repopulate my whole domain
with my restored OU. So how will the lag site help me in this situation?

I can understand that a lag site will help me if all my DCs in site A
crashed. So I would take all the information from the lag site to be
restored in site A, such as copying my domain from the lag site by doing a
dcpromo /adv, and go to my freshly installed DCs on site A, and restore my
whole domain.
However, I think I will have more up-to-date information by restoring from
yesterday's backup than from the lag site...

So, could you help me better understand the technology behind a lag
site? I think I misunderstand something important ;-(

Thank you for your feedback.

Have a nice day :-)

Regards,

Yann 



RE: [ActiveDir] AD DR - replication lag site

2005-05-19 Thread Ruston, Neil
If the deletion occurs on DC1, then a DC (DC2) in the lag site will not receive 
the deletion immediately. You therefore have a window of opportunity in which 
the deletion may be 'undone'.

The deleted object may be auth restored on DC2 and thus replicated / reanimated 
on DC1 (and any other DC which has received the deletion).

[My terminology may not be acceptable to some - I have deliberately explained 
this in simplistic terms :)]

neil


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 19 May 2005 08:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site


Hello,

I must apologize, but I'm a little bit confused. You said "With a lag site, you 
ONLY have to do an authoritative restore (NTDSUTIL)." 

Do you mean if I delete my OU on a DC in site A, all I have to do is do an 
authoritative restore, not on site A, BUT on the DC in the lag site, reboot, and force 
replication to site A? And the non-authoritative restore will in fact be the 
data on the lag site, which explains your previous sentence? Wow! That's very 
clever!!

Am I right ?

Regards,

Yann



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Thursday, 19 May 2005 08:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

The major issue is the SPEED of recovery.  With a lag site, you ONLY have to do 
an authoritative restore (NTDSUTIL).

Without a lag site, you must first restore the AD from backup tape ('normal' 
restore), which can take quite some time... Then, and only then, can you do 
the auth restore.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Wednesday, May 18, 2005 11:46 PM
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

Hello,

Thanks for these interesting tips, but I didn't really understand the technology 
behind a lag site in the case of just a deletion of an entire OU with many 
objects.

For example, if I have an AD 2003 domain with 2 sites:
Site A has 2 DCs
Site B has one DC and is the lag site
Between the 2 sites, I scheduled replication to occur every 1 week.

In the situation of an OU deletion, I go to the DC where I made the deletion, 
and do an authoritative restore in DS restore mode and after reboot, wait for 
replication to take place in order to repopulate all my domain with my OU 
restored. So how will the lag site help me in this situation?

I can understand that a lag site will help me if all my DCs in site A crashed. 
So I would take all the information from the lag site to be restored in site A, 
such as copying my domain from the lag site by doing a dcpromo /adv, and go to my 
freshly installed DCs on site A, and restore my whole domain. 
However, I think I will have more up-to-date information by restoring from my 
backup from yesterday than from the lag site...

So, could you help me better understand the technology behind a lag site? I 
think I misunderstand something important ;-(

Thank you for your feedback.

Have a nice day :-)

Regards,

Yann 


==
This message is for the sole use of the intended recipient. If you received 
this message in error please delete it and notify us. If this message was 
misdirected, Credit Suisse, its subsidiaries and affiliates (CS) do not 
waive any confidentiality or privilege. CS retains and monitors electronic 
communications sent through its network. Instructions transmitted over this
system are not binding on CS until they are confirmed by us. Message 
transmission is not guaranteed to be secure. 
==



RE: [ActiveDir] AD DR - replication lag site

2005-05-19 Thread TIROA YANN
Neil, 

I now understand... I'm a new man by now thanks to the mysterious lag site that 
have been revealed to me :-))

Thanks a lot for your explanations.

Regards,

Yann TIROA

Centre de Ressources Informatique.
Campus Scientifique de la DOUA.
Bât. Gabriel Lippmann - 2nd floor - room 238.
43, Bd du 11 Novembre 1918.
69622 Villeurbanne Cedex.




RE: [ActiveDir] AD DR - replication lag site----Why?

2005-05-19 Thread Myrick, Todd (NIH/CC/DNA)
Is it cheaper and more efficient to go the replication lag site route than
buy a proper backup and object level restore solution?  

I mean not to toot a vendor's horn, but Quest recovery manager turns the
process of restoring objects into a 15 minute click click operation.  I
would hate to think of the number of steps you all must do to reanimate the
object in a directory using the Recovery Site.

From an operations standpoint, there is no substitute for a proper backup
solution and object level restore utility for AD.

Thanks,

Todd Myrick


RE: [ActiveDir] AD DR - replication lag site----Why?

2005-05-19 Thread Dan Holme
Two more notes on this issue:

1) THIRD PARTY AD RESTORE TOOLS.  Sounds like it's clear, now, WHY lag sites 
are so popular.  Yes, there are third party products (particularly Quest 
Recovery Manager) that work quite well if you have a budget for that.  Here's 
my take as to why my IT budget shouldn't be spent on those tools (and *should* 
be spent on OTHER tools by some of those same companies).
a) Deleted objects can be avoided with proper delegation.  It's so 
important that you properly delegate and properly use accounts with 
administrative logon (i.e. with 'secondary logon' only) that this trumps just 
about everything.  At most of my clients, NOBODY (from a practical perspective) 
can delete users or groups.  We have a process we call graveyarding, whereby an 
account is tagged (using a variety of methods) and, with a SCRIPT, moved to an 
OU where they stay for 90 days before being deleted (again, only by the 
SCRIPT).  The only other accounts that can delete users and groups are the 
super-high admins (e.g. Domain Admins equivalents).  This is only a piece of 
the picture, but it is an important piece.
b) Deleted objects can be restored for FREE using ADRESTORE from 
Sysinternals.  Granted, this tool brings back only the object (SID, GUID, DN, 
CN) but that's all that really matters, right?  The best (FREE) approaches we 
take at clients include *regularly* logging group memberships in a custom 
database (to compare to last-knowns and watch for issues easily and free-ly).  
So when we restore a group we can repopulate membership quickly, anyway.  So 
with good processes, it's FREE and easy to restore objects in most situations.
c) Windows Server 2003 SP1 adds a feature that makes reanimating Groups 
MUCH easier when you have deleted groups & users.  No more auth restore two 
times necessary. (Haven't seen it?  Do an auth restore on a group on an SP1 DC 
and find the LDIF file it creates!!)
d) that leaves only really nasty deletions (e.g. an entire OU), which, 
given a & b, will probably never happen.  And when they do, an auth restore on 
a lag site takes a very short time.
e) therefore, I save my IT budget and use the $ on tools to aid 
provisioning, auditing & monitoring, again to avoid problems in the first place.

2) PREVENTING AUTHENTICATION ON LAG SITE.  As I mentioned, the method I've 
heard of, and that we're testing, is to stop the NetLogon service on the lag 
DCs.  There are several ways to avoid it restarting when/if the DC is rebooted.
The article referenced in the ORIGINAL post suggested modifying which SRV 
records are registered.  This should work, I'd guess, and is more elegant.  The 
trick is that SRV records are not registered.  The A records still are, so DCs 
should be able to find each other and replicate successfully, but clients won't 
'see' the DCs as a viable authentication option.  I've not tried that approach 
but it sounded really good.

3) OK, three notes.  LAG SITES can be done with DCs in a site with a long 
replication interval, or by changing the replication WINDOW (schedule).  It's a 
good idea to have TWO lag sites on alternating frequencies, to avoid a 
situation where something awful happens just before a lag site happens to 
replicate.  Someone detailed this earlier, and it's a good note!

Dan
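Dan's item (b) above describes logging group memberships regularly, diffing them against the last-known set, and using that record to repopulate a group after ADRESTORE brings back the bare object. The following is an added example of that workflow, not code from any poster; the snapshot format (group DN to set of member DNs) and all DNs are constructed for illustration.

```python
"""Membership snapshot diffing of the kind Dan describes: log group
memberships regularly, compare against the last-known set to spot changes,
and use the last-known set to repopulate a group after it has been
reanimated (ADRESTORE brings back the object, not its members).
Added example, not code from any poster; snapshot format and DNs are
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Set

Snapshot = Dict[str, Set[str]]          # group DN -> set of member DNs


@dataclass
class MembershipDiff:
    added: Dict[str, Set[str]] = field(default_factory=dict)    # group -> gained
    removed: Dict[str, Set[str]] = field(default_factory=dict)  # group -> lost
    missing_groups: Set[str] = field(default_factory=set)       # known, now absent
    new_groups: Set[str] = field(default_factory=set)           # present, not known


def diff_snapshots(last_known: Snapshot, current: Snapshot) -> MembershipDiff:
    """Compare the current snapshot with the last-known one, group by group."""
    d = MembershipDiff()
    for group, members in last_known.items():
        if group not in current:
            d.missing_groups.add(group)      # candidate for ADRESTORE / auth restore
            continue
        gained, lost = current[group] - members, members - current[group]
        if gained:
            d.added[group] = gained
        if lost:
            d.removed[group] = lost
    d.new_groups = set(current) - set(last_known)
    return d


def changed_watched_groups(diff: MembershipDiff, watched: Set[str]) -> Set[str]:
    """Watched (privileged) groups whose membership changed or that vanished."""
    touched = set(diff.added) | set(diff.removed) | diff.missing_groups
    return touched & watched


def repopulation_plan(last_known: Snapshot, current: Snapshot,
                      restored: Set[str]) -> Dict[str, Set[str]]:
    """Members to add back to each reanimated group: last-known minus whatever
    the restored object already carries.  Raises KeyError if there is no
    last-known record for a group (nothing to repopulate from)."""
    return {g: last_known[g] - current.get(g, set()) for g in restored}


# Constructed sample data (not from any real directory).
DOMAIN_ADMINS = "CN=Domain Admins,CN=Users,DC=example,DC=com"
FINANCE = "CN=Finance,OU=Groups,DC=example,DC=com"
HELPDESK = "CN=HelpDesk,OU=Groups,DC=example,DC=com"
PRINTERS = "CN=Printers,OU=Groups,DC=example,DC=com"
U = "CN={},OU=Users,DC=example,DC=com".format

LAST_KNOWN: Snapshot = {
    DOMAIN_ADMINS: {U("alice"), U("bob")},
    FINANCE: {U("carol"), U("dave"), U("erin")},
    HELPDESK: {U("frank")},
}
NOW: Snapshot = {
    DOMAIN_ADMINS: {U("alice"), U("bob"), U("mallory")},  # unexpected addition
    FINANCE: set(),          # reanimated with ADRESTORE: object back, members gone
    PRINTERS: {U("frank")},  # new group since the last snapshot
    # HELPDESK is absent: deleted since the last snapshot
}

if __name__ == "__main__":
    diff = diff_snapshots(LAST_KNOWN, NOW)
    print("changed watched groups:", changed_watched_groups(diff, {DOMAIN_ADMINS}))
    print("groups to restore:", diff.missing_groups)
    print("re-add after reanimation:", repopulation_plan(LAST_KNOWN, NOW, {FINANCE}))
```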
 



RE: [ActiveDir] AD DR - replication lag site

2005-05-19 Thread Marcus.Oh
For those of you that are in a MOM environment and have created a lag site, how 
are you overcoming the replication latency messages?

:m:dsm:cci:mvp



RE: [ActiveDir] AD DR - replication lag site

2005-05-19 Thread Rick Kingslan

Just two things...

Disable Netlogon.  If it's disabled as a policy or by going to services and
changing the service properties, restarting on reboot won't be an issue.
Disabled is disabled, regardless.

As to DNS records, I suppose that if the Netlogon service is disabled
(primary for registering the SRV records) one could remove the _kerberos
records for the lag site servers.  I can pretty much assure that without
Kerberos records, the DCs will not be offered up as authN points.

-rtk

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, May 19, 2005 2:46 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD DR - replication lag site

That solution is fine until the machine is rebooted and netlogon starts
again :)

Why not change the DNS SRV record priorities/weights? Or alternatively, place
the DC in a separate site, which consists of just 1 subnet (i.e. the subnet
where the DC itself lives).

If DNS records are removed, then the DC will fail to authenticate and
replicate with other DCs.

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: 18 May 2005 23:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site


I have several large clients who are going this direction and are in testing
right now.  Things look quite good.

I had read somewhere that an alternative approach to preventing authentication
to the 'lag' DCs was to stop the Netlogon service.  The approach of removing
DNS records seems more elegant, and I'll be interested to hear ppls thoughts
on these alternatives.



Dan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Wednesday, May 18, 2005 6:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD DR - replication lag site

I am interested in your thoughts regarding this suggestion for DR:

http://searchwin2000.techtarget.com/tip/1,289483,sid1_gci1086805,00.html
(You may need to register)

Basically it states that you should create another AD site and set the
replication for 168 hours.

Thank you,

...D


RE: [ActiveDir] AD DR - replication lag site

2005-05-19 Thread Rick Kingslan
Yann, 

If you remember the situation that I proposed for you (it's working in my
environment today, so I'm fairly certain of its viability) I use a VMWare
server with multiple DC instances.  Each instance is staggered for
replication - from 30 minutes to 30 days.

In the instance of a problem in which an object needs to be restored, an
authoritative restore is done on the correct DC (based on when the deletion
was noticed, and which lag site DC has the most current information) and the
replication is forced.

So, if I read your message correctly, I think that you've got the picture of
what is going on here.

-rtk
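Rick's staggered lag DCs above and Dan's note 3 (two lag sites on alternating schedules) can be modelled together. The following is an added example, not code from any poster; it assumes each lag DC pulls from production on a fixed interval from a known anchor time, that a pull at or after the deletion carries the deletion, and it uses constructed sample times.

```python
"""Which lag DC to restore from, and how staggered lag DCs close the window
"just before a lag site happens to replicate".  Added example for Rick's
staggered set and Dan's note 3 above; not code from any poster.  Model
assumption: each lag DC pulls from production on a fixed interval from a known
anchor time, and a pull at or after the deletion carries the deletion with it.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class LagDC:
    name: str
    interval: timedelta   # inbound replication interval (168 h in the thread)
    anchor: datetime      # a time at which an inbound pull is known to have run

    def last_pull_at_or_before(self, t: datetime) -> datetime:
        """Latest scheduled pull r with r <= t (valid for t before the anchor too)."""
        n = (t - self.anchor) // self.interval      # floor division of timedeltas
        return self.anchor + n * self.interval


@dataclass(frozen=True)
class RestoreChoice:
    dc: str
    restore_point: datetime   # directory state an auth restore from this DC gives
    data_loss: timedelta      # changes made between restore point and deletion


def choose_restore_source(dcs: Sequence[LagDC], deleted_at: datetime,
                          noticed_at: datetime) -> Optional[RestoreChoice]:
    """Rick's rule: pick the lag DC that has NOT yet pulled the deletion and
    holds the most current copy.  None means every lag DC already replicated
    the deletion, and you are back to a tape restore."""
    if noticed_at < deleted_at:
        raise ValueError("a deletion cannot be noticed before it happened")
    best: Optional[RestoreChoice] = None
    for dc in dcs:
        rp = dc.last_pull_at_or_before(noticed_at)
        if rp >= deleted_at:
            continue                    # this DC already carries the deletion
        if best is None or rp > best.restore_point:
            best = RestoreChoice(dc.name, rp, deleted_at - rp)
    return best


def worst_case(dcs: Sequence[LagDC], detection_delay: timedelta,
               start: datetime, length: timedelta,
               step: timedelta = timedelta(hours=1)) -> Tuple[timedelta, int]:
    """Sweep deletion times across one window.  Returns (worst data loss among
    deletions some lag DC can undo, count of sampled deletion times that no lag
    DC can undo because the deletion was noticed too late)."""
    worst, uncovered = timedelta(0), 0
    t = start
    while t < start + length:
        choice = choose_restore_source(dcs, t, t + detection_delay)
        if choice is None:
            uncovered += 1
        else:
            worst = max(worst, choice.data_loss)
        t += step
    return worst, uncovered


# Constructed sample: every schedule is anchored on Sunday 15 May 2005 00:00.
T0 = datetime(2005, 5, 15, 0, 0)
WEEK = timedelta(hours=168)

# Rick's staggered set, 30 minutes up to 30 days.
STAGGERED = [
    LagDC("LAG-30M", timedelta(minutes=30), T0),
    LagDC("LAG-1D", timedelta(days=1), T0),
    LagDC("LAG-7D", WEEK, T0),
    LagDC("LAG-30D", timedelta(days=30), T0 - timedelta(days=10)),
]
DELETED_AT = datetime(2005, 5, 16, 10, 0)   # Monday morning: OU deleted
NOTICED_AT = datetime(2005, 5, 18, 9, 0)    # Wednesday: someone notices

# Dan's note 3: one weekly lag site versus two offset by half a week.
ONE_SITE = [LagDC("LAG-A", WEEK, T0)]
TWO_SITES = ONE_SITE + [LagDC("LAG-B", WEEK, T0 + timedelta(hours=84))]
DETECTION_DELAY = timedelta(hours=24)   # how long a deletion goes unnoticed

if __name__ == "__main__":
    pick = choose_restore_source(STAGGERED, DELETED_AT, NOTICED_AT)
    print(f"restore from {pick.dc}: state of {pick.restore_point}, "
          f"losing {pick.data_loss} of changes")
    for label, dcs in (("one lag site", ONE_SITE), ("two lag sites", TWO_SITES)):
        loss, gaps = worst_case(dcs, DETECTION_DELAY, T0, WEEK)
        print(f"{label}: worst loss {loss}, {gaps} deletion hours not recoverable")
```

Running it shows the single weekly lag site leaving every deletion in the last day before its pull unrecoverable (the DC has already replicated the deletion by the time anyone notices), while two sites offset by half a week always leave one usable copy at the cost of up to 84 hours of changes.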



RE: [ActiveDir] AD DR - replication lag site----Why not?

2005-05-19 Thread Rick Kingslan
Todd - 

I personally don't have a problem with Recovery Manager.

That being said - Last I checked, Microsoft still didn't allow it as a
SUPPORTABLE solution for the purpose under discussion.

With our company being an Enterprise Agreement customer with a PSS agreement
scaled to 'Get Ballmer out of bed - we've got a CritSit case!' response, I
can't allow anything into the environment that would put us at risk.

Besides, being an EA customer has the benefit of the solution that I
proposed being pretty low-cost, given the overall benefits.  And, I don't
find NTDSUTIL overly difficult or intensive to use.

But, that's just me.

-rtk

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DNA)
Sent: Thursday, May 19, 2005 8:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag siteWhy?

Is it cheaper and more efficient to go the replication lag site route than
buy a proper backup and object level restore solution?  

I mean not to toot a vendor's horn, but Quest recovery manager turns the
process of restoring objects into a 15 minute click click operation.  I
would hate to think of the number of steps you all must do to reanimate the
object in a directory using the Recovery Site.

From a operations standpoint, there is no substitute for a proper backup
solution and object level restore utility for AD.

Thanks,

Todd Myrick

-Original Message-
From: TIROA YANN [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 19, 2005 4:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

Neil, 

I now understand... I'm a new man by now thanks to the mysterious lag site
that have been revealed to me :-))

Thanks a lot for your explanations.

Cordialement,

Yann TIROA

Centre de Ressources Informatique.
Campus Scientifique de la DOUA.
Gabriel Lippmann Building - 2nd floor - room 238.
43, Bd du 11 Novembre 1918.
69622 Villeurbanne Cedex.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, 19 May 2005 10:09
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD DR - replication lag site

If the deletion occurs on DC1, then a DC (DC2) in the lag site will not
receive the deletion immediately. You therefore have a window of opportunity
in which the deletion may be 'undone'.

The deleted object may be auth restored on DC2 and thus replicated /
reanimated on DC1 (and any other DC which has received the deletion).

[My terminology may not be acceptable to some - I have deliberately
explained this in simplistic terms :)]

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 19 May 2005 08:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site


Hello,

I must apologize, but I'm a little bit confused. You said 'With a lag site,
you ONLY have to do an authoritative restore (NTDSUTIL).'

Do you mean if I delete my OU on a DC in site A, all I have to do is an
authoritative restore, not on site A, BUT on the DC in the lag site, reboot, and
force replication to site A? And the non-authoritative restore will in
fact be the data on the lag site, which explains your previous sentence? Wow!
That's very clever!!

Am I right ?

Regards,

Yann



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Thursday, 19 May 2005 08:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

The major issue is the SPEED of recovery.  With a lag site, you ONLY have to
do an authoritative restore (NTDSUTIL).

Without a lag site, you must first restore the AD from backup tape ('normal'
restore), which can take quite some time. Then, and only then, can you do
the auth restore.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Wednesday, May 18, 2005 11:46 PM
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

Hello,

Thanks for these interesting tips, but I didn't really understand the technology
behind a lag site in the case of just a deletion of an entire OU with
many objects.

For example, if I have an AD 2003 domain with 2 sites:
Site A has 2 DCs
Site B has one DC and is the lag site
Between the 2 sites, I scheduled replication to occur every week.

In the situation of an OU deletion, I go to the DC where I made the deletion,
and do an authoritative restore in DS mode and after reboot, wait for
replication to take place in order to repopulate all my domain with my OU
restored. So how will the lag site help me in this situation?

I can understand that a lag site will help me if all my DCs in site A
crashed. So I would take all information from the lag site to be restored
in site A, such as copying my domain from the lag site by doing a dcpromo
/adv, and go my freshly installed DCs

RE: [ActiveDir] AD DR - replication lag site

2005-05-19 Thread Rick Kingslan
Marcus,

I kill off the specific rules on those servers.  If I'm not interested in a
particular message, it's gone.

-rtk

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, May 19, 2005 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

For those of you that are in a MOM environment and have created a lag site, how
are you overcoming the replication latency messages?

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, May 19, 2005 4:09 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD DR - replication lag site

If the deletion occurs on DC1, then a DC (DC2) in the lag site will not
receive the deletion immediately. You therefore have a window of opportunity
in which the deletion may be 'undone'.

The deleted object may be auth restored on DC2 and thus replicated /
reanimated on DC1 (and any other DC which has received the deletion).

[My terminology may not be acceptable to some - I have deliberately
explained this in simplistic terms :)]

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 19 May 2005 08:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site


Hello,

I must apologize, but I'm a little bit confused. You said 'With a lag site,
you ONLY have to do an authoritative restore (NTDSUTIL).'

Do you mean if I delete my OU on a DC in site A, all I have to do is an
authoritative restore, not on site A, BUT on the DC in the lag site, reboot, and
force replication to site A? And the non-authoritative restore will in
fact be the data on the lag site, which explains your previous sentence? Wow!
That's very clever!!

Am I right ?

Regards,

Yann



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Thursday, 19 May 2005 08:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

The major issue is the SPEED of recovery.  With a lag site, you ONLY have to
do an authoritative restore (NTDSUTIL).

Without a lag site, you must first restore the AD from backup tape ('normal'
restore), which can take quite some time. Then, and only then, can you do
the auth restore.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Wednesday, May 18, 2005 11:46 PM
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

Hello,

Thanks for these interesting tips, but I didn't really understand the technology
behind a lag site in the case of just a deletion of an entire OU with
many objects.

For example, if I have an AD 2003 domain with 2 sites:
Site A has 2 DCs
Site B has one DC and is the lag site
Between the 2 sites, I scheduled replication to occur every week.

In the situation of an OU deletion, I go to the DC where I made the deletion,
and do an authoritative restore in DS mode and after reboot, wait for
replication to take place in order to repopulate all my domain with my OU
restored. So how will the lag site help me in this situation?

I can understand that a lag site will help me if all my DCs in site A
crashed. So I would take all information from the lag site to be restored
in site A, such as copying my domain from the lag site by doing a dcpromo
/adv, and go to my freshly installed DCs in site A, and restore my whole
domain.
However, I think I will have more up-to-date information by restoring from
yesterday's backup than from the lag site...

So, could you help me better understand the technology behind a lag site?
I think I misunderstand something important ;-(

Thank you for your feedback.

Have a nice day :-)

Regards,

Yann 



==
This message is for the sole use of the intended recipient. If you received 
this message in error please delete it and notify us. If this message was 
misdirected, Credit Suisse, its subsidiaries and affiliates (CS) do not 
waive any confidentiality or privilege. CS retains and monitors electronic 
communications sent through its network. Instructions transmitted over this
system are not binding on CS until they are confirmed by us. Message 
transmission is not guaranteed to be secure. 

==


RE: [ActiveDir] AD DR - replication lag site

2005-05-19 Thread Ruston, Neil
I guess I find my solution more elegant and cheaper to manage/maintain. I try 
to avoid implementing changes to one DC but not others. The TCO tends to go 
thru the roof :)

DCs placed in a separate site and/or configured with different SRV weightings 
via GPO can/does work and is simpler to manage IMHO. Additional DCs can then be 
added to that site (from other domains for example) with minimal effort and 
changes to docs/processes etc.

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: 19 May 2005 15:59
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site



Just two things...

Disable Netlogon.  If it's disabled as a policy or by going to services and 
changing the service properties, restarting on reboot won't be an issue. 
Disabled is disabled, regardless.

As to DNS records, I suppose that if the Netlogon service is disabled (primary 
for registering the SRV records) one could remove the _kerberos records for the 
lag site servers.  I can pretty much assure that without Kerberos records, the 
DCs will not be offered up as authN points.

-rtk

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, May 19, 2005 2:46 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD DR - replication lag site

That solution is fine until the machine is rebooted and netlogon starts again
:)

Why not change the DNS SRV record priorities/weights? Or alternatively, place 
the DC in a separate site, which consists of just 1 subnet (i.e. the subnet 
where the DC itself lives).

If DNS records are removed, then the DC will fail to authenticate and replicate 
with other DCs.

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: 18 May 2005 23:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site


I have several large clients who are going this direction and are in testing 
right now.  Things look quite good.

I had read somewhere that an alternative approach to preventing authentication 
to the 'lag' DCs was to stop the Netlogon service.  The approach of removing 
DNS records seems more elegant, and I'll be interested to hear ppls thoughts on 
these alternatives.



Dan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Wednesday, May 18, 2005 6:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD DR - replication lag site

I am interested in your thoughts regarding this suggestion for DR:

http://searchwin2000.techtarget.com/tip/1,289483,sid1_gci1086805,00.html
(You may need to register)

Basically it states that you should create another AD site and set the 
replication for 168 hours.

Thank you,

...D

RE: [ActiveDir] AD DR - replication lag site

2005-05-19 Thread Rick Kingslan
You're right - to each his own.  I don't fully understand how disabling
Netlogon on dedicated Lag Site servers is going to raise TCO.  And, if the
precedent is set that if a DC goes into the Lag Site that the Netlogon
service is disabled - again, I don't really understand how that would add
effort or complexity.

SRV weighting via GPO.  Huh.  That's one I've not seen.  Which policy
element would allow that?

And, make no mistake - the Lag Site procedure pretty much relies on the DR
DCs being in a separate, and quite distinct, site with very different
settings from what I would implement as 'Production-based' DCs.  I guess
that's one reason why I have them deployed to my warm site, rather than in
the data center.

-rtk

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, May 19, 2005 11:01 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD DR - replication lag site

I guess I find my solution more elegant and cheaper to manage/maintain. I
try to avoid implementing changes to one DC but not others. The TCO tends to
go thru the roof :)

DCs placed in a separate site and/or configured with different SRV
weightings via GPO can/does work and is simpler to manage IMHO. Additional
DCs can then be added to that site (from other domains for example) with
minimal effort and changes to docs/processes etc.

neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: 19 May 2005 15:59
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site



Just two things...

Disable Netlogon.  If it's disabled as a policy or by going to services and
changing the service properties, restarting on reboot won't be an issue.
Disabled is disabled, regardless.

As to DNS records, I suppose that if the Netlogon service is disabled
(primary for registering the SRV records) one could remove the _kerberos
records for the lag site servers.  I can pretty much assure that without
Kerberos records, the DCs will not be offered up as authN points.

-rtk

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, May 19, 2005 2:46 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD DR - replication lag site

That solution is fine until the machine is rebooted and netlogon starts again
:)

Why not change the DNS SRV record priorities/weights? Or alternatively,
place the DC in a separate site, which consists of just 1 subnet (i.e. the
subnet where the DC itself lives).

If DNS records are removed, then the DC will fail to authenticate and
replicate with other DCs.

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: 18 May 2005 23:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site


I have several large clients who are going this direction and are in testing
right now.  Things look quite good.

I had read somewhere that an alternative approach to preventing
authentication to the 'lag' DCs was to stop the Netlogon service.  The
approach of removing DNS records seems more elegant, and I'll be interested
to hear ppls thoughts on these alternatives.




Dan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Wednesday, May 18, 2005 6:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD DR - replication lag site

I am interested in your thoughts regarding this suggestion for DR:

http://searchwin2000.techtarget.com/tip/1,289483,sid1_gci1086805,00.html
(You may need to register)

Basically it states that you should create another AD site and set the
replication for 168 hours.

Thank you,

...D

Re: [ActiveDir] AD DR - replication lag site

2005-05-19 Thread A P
Not sure if this is what you need.   In any case, the GPO setting
related to disabling Generic SRV record registrations and SRV
weighting can be found under the Computer Configuration Node of a GPO:

Administrative Templates
  System
    Netlogon
      DC Locator DNS Records

These settings are discussed in Chapter 4: Planning DNS of the Windows
Server 2003 Active Directory Branch Office Deployment Guide.

-Arden


On 5/19/05, Rick Kingslan [EMAIL PROTECTED] wrote:
 You're right - to each his own.  I don't fully understand how disabling
 Netlogon on dedicated Lag Site servers is going to raise TCO.  And, if the
 precedent is set that if a DC goes into the Lag Site that the Netlogon
 service is disabled - again, I don't really understand how that would add
 effort or complexity.
 
 SRV weighting via GPO.  Huh.  That's one I've not seen.  Which policy
 element would allow that?
 
 And, make no mistake - the Lag Site procedure pretty much relies on the DR
 DCs being in a separate, and quite distinct, site with very different
 settings from what I would implement as 'Production-based' DCs.  I guess
 that's one reason why I have them deployed to my warm site, rather than in
 the data center.
 
 -rtk
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
 Sent: Thursday, May 19, 2005 11:01 AM
 To: 'ActiveDir@mail.activedir.org'
 Subject: RE: [ActiveDir] AD DR - replication lag site
 
 I guess I find my solution more elegant and cheaper to manage/maintain. I
 try to avoid implementing changes to one DC but not others. The TCO tends to
 go thru the roof :)
 
 DCs placed in a separate site and/or configured with different SRV
 weightings via GPO can/does work and is simpler to manage IMHO. Additional
 DCs can then be added to that site (from other domains for example) with
 minimal effort and changes to docs/processes etc.
 
 neil
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
 Sent: 19 May 2005 15:59
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD DR - replication lag site
 
 
 
 Just two things...
 
 Disable Netlogon.  If it's disabled as a policy or by going to services and
 changing the service properties, restarting on reboot won't be an issue.
 Disabled is disabled, regardless.
 
 As to DNS records, I suppose that if the Netlogon service is disabled
 (primary for registering the SRV records) one could remove the _kerberos
 records for the lag site servers.  I can pretty much assure that without
 Kerberos records, the DCs will not be offered up as authN points.
 
 -rtk
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
 Sent: Thursday, May 19, 2005 2:46 AM
 To: 'ActiveDir@mail.activedir.org'
 Subject: RE: [ActiveDir] AD DR - replication lag site
 
 That solution is fine until the machine is rebooted and netlogon starts again
 :)
 
 Why not change the DNS SRV record priorities/weights? Or alternatively,
 place the DC in a separate site, which consists of just 1 subnet (i.e. the
 subnet where the DC itself lives).
 
 If DNS records are removed, then the DC will fail to authenticate and
 replicate with other DCs.
 
 neil
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
 Sent: 18 May 2005 23:12
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD DR - replication lag site
 
 
 I have several large clients who are going this direction and are in testing
 right now.  Things look quite good.
 
 I had read somewhere that an alternative approach to preventing
 authentication to the 'lag' DCs was to stop the Netlogon service.  The
 approach of removing DNS records seems more elegant, and I'll be interested
 to hear ppls thoughts on these alternatives.
 
 
 
 
 Dan
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Danny
 Sent: Wednesday, May 18, 2005 6:45 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] AD DR - replication lag site
 
 I am interested in your thoughts regarding this suggestion for DR:
 
 http://searchwin2000.techtarget.com/tip/1,289483,sid1_gci1086805,00.html
 (You may need to register)
 
 Basically it states that you should create another AD site and set the
 replication for 168 hours.
 
 Thank you,
 
 ...D
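An added check, not from the thread, that audits a lag site against the controls discussed in the Netlogon and SRV record exchange above and the GPO path Arden gives: Netlogon disabled rather than merely stopped, no DC-locator SRV records advertising the lag DCs whatever their weight, and every site link touching the lag site set to the intended interval. It assumes Windows PowerShell 5.1 with the ActiveDirectory and DnsClient modules; the site name 'LagSite' is a placeholder.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the thread). Assumes Windows PowerShell 5.1, the
# ActiveDirectory and DnsClient modules, and rights to query services on the
# lag DCs remotely. 'LagSite' is a placeholder site name.
function Test-LagSite {
    param(
        [string]$LagSiteName = 'LagSite',     # placeholder site name
        [int]$ExpectedLagMinutes = 168 * 60   # 168 hours, as in the cited tip
    )

    $domain   = Get-ADDomain
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Every site link that includes the lag site must use the intended
    #    interval; a second, faster link would silently defeat the lag.
    Get-ADReplicationSiteLink -Filter * -Properties ReplicationFrequencyInMinutes, SitesIncluded |
        Where-Object { @($_.SitesIncluded) -match "^CN=$LagSiteName," } |
        ForEach-Object {
            if ($_.ReplicationFrequencyInMinutes -ne $ExpectedLagMinutes) {
                $findings.Add("Site link $($_.Name): interval $($_.ReplicationFrequencyInMinutes) min, expected $ExpectedLagMinutes")
            }
        }

    # 2. DC-locator records clients query to find a DC for this domain. If a
    #    lag DC appears here at all, priority and weight only make a client
    #    bind less likely, not impossible.
    $srvNames = @("_ldap._tcp.dc._msdcs.$($domain.DNSRoot)",
                  "_kerberos._tcp.dc._msdcs.$($domain.DNSRoot)")
    $srv = foreach ($n in $srvNames) {
        Resolve-DnsName -Name $n -Type SRV -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'SRV' }
    }

    foreach ($dc in Get-ADDomainController -Filter "Site -eq '$LagSiteName'") {
        # 3. Netlogon must be Disabled, not merely stopped: a stopped service
        #    comes back on reboot and re-registers the records.
        $svc = Get-Service -ComputerName $dc.HostName -Name Netlogon -ErrorAction SilentlyContinue
        if (-not $svc) {
            $findings.Add("$($dc.HostName): could not query the Netlogon service")
        } elseif ($svc.StartType -ne 'Disabled') {
            $findings.Add("$($dc.HostName): Netlogon start type is $($svc.StartType), expected Disabled")
        }

        # 4. No locator record may point at a lag DC, whatever its weight.
        foreach ($rec in ($srv | Where-Object { $_.NameTarget -ieq $dc.HostName })) {
            $findings.Add("$($dc.HostName): still advertised by $($rec.Name) (priority $($rec.Priority), weight $($rec.Weight))")
        }
    }

    return $findings
}

# Usage: every line returned is a way a lag DC could still serve production clients.
Test-LagSite -LagSiteName 'LagSite' | ForEach-Object { Write-Warning $_ }
```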

RE: [ActiveDir] AD DR - replication lag site

2005-05-19 Thread Rick Kingslan
Arden,

Perfect!

Thanks - I'll look it over.  I guess with 1000+ entries, if I don't know
of a few, that means the track record is pretty good.

Thanks for the point

-rtk

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of A P
Sent: Thursday, May 19, 2005 11:37 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD DR - replication lag site

Not sure if this is what you need.   In any case, the GPO setting
related to disabling Generic SRV record registrations and SRV
weighting can be found under the Computer Configuration Node of a GPO:

Administrative Templates
  System
    Netlogon
      DC Locator DNS Records

These settings are discussed in Chapter 4: Planning DNS of the Windows
Server 2003 Active Directory Branch Office Deployment Guide.

-Arden


On 5/19/05, Rick Kingslan [EMAIL PROTECTED] wrote:
 You're right - to each his own.  I don't fully understand how disabling
 Netlogon on dedicated Lag Site servers is going to raise TCO.  And, if the
 precedent is set that if a DC goes into the Lag Site that the Netlogon
 service is disabled - again, I don't really understand how that would add
 effort or complexity.
 
 SRV weighting via GPO.  Huh.  That's one I've not seen.  Which policy
 element would allow that?
 
 And, make no mistake - the Lag Site procedure pretty much relies on the DR
 DCs being in a separate, and quite distinct, site with very different
 settings from what I would implement as 'Production-based' DCs.  I guess
 that's one reason why I have them deployed to my warm site, rather than in
 the data center.
 
 -rtk
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
 Sent: Thursday, May 19, 2005 11:01 AM
 To: 'ActiveDir@mail.activedir.org'
 Subject: RE: [ActiveDir] AD DR - replication lag site
 
 I guess I find my solution more elegant and cheaper to manage/maintain. I
 try to avoid implementing changes to one DC but not others. The TCO tends to
 go thru the roof :)
 
 DCs placed in a separate site and/or configured with different SRV
 weightings via GPO can/does work and is simpler to manage IMHO. Additional
 DCs can then be added to that site (from other domains for example) with
 minimal effort and changes to docs/processes etc.
 
 neil
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
 Sent: 19 May 2005 15:59
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD DR - replication lag site
 
 
 
 Just two things...
 
 Disable Netlogon.  If it's disabled as a policy or by going to services and
 changing the service properties, restarting on reboot won't be an issue.
 Disabled is disabled, regardless.
 
 As to DNS records, I suppose that if the Netlogon service is disabled
 (primary for registering the SRV records) one could remove the _kerberos
 records for the lag site servers.  I can pretty much assure that without
 Kerberos records, the DCs will not be offered up as authN points.
 
 -rtk
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
 Sent: Thursday, May 19, 2005 2:46 AM
 To: 'ActiveDir@mail.activedir.org'
 Subject: RE: [ActiveDir] AD DR - replication lag site
 
 That solution is fine until the machine is rebooted and netlogon starts again
 :)
 
 Why not change the DNS SRV record priorities/weights? Or alternatively,
 place the DC in a separate site, which consists of just 1 subnet (i.e. the
 subnet where the DC itself lives).
 
 If DNS records are removed, then the DC will fail to authenticate and
 replicate with other DCs.
 
 neil
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
 Sent: 18 May 2005 23:12
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD DR - replication lag site
 
 
 I have several large clients who are going this direction and are in testing
 right now.  Things look quite good.
 
 I had read somewhere that an alternative approach to preventing
 authentication to the 'lag' DCs was to stop the Netlogon service.  The
 approach of removing DNS records seems more elegant, and I'll be interested
 to hear ppls thoughts on these alternatives.
 
 
 
 
 Dan
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Danny
 Sent: Wednesday, May 18, 2005 6:45 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] AD DR - replication lag site
 
 I am interested in your thoughts regarding this suggestion for DR:
 
 http://searchwin2000.techtarget.com/tip/1,289483,sid1_gci1086805,00.html
 (You may need to register)
 
 Basically it states that you should create another AD site and set the
 replication for 168 hours.
 
 Thank you,
 
 ...D

RE: [ActiveDir] AD DR - replication lag site

2005-05-19 Thread Marcus.Oh
Killing off the rules stops those particular DCs from running the latency 
rules... but how do you overcome the latency rules from any DC not in a lag 
site with connection objects to DCs in the lag site?

:m:dsm:cci:mvp
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, May 19, 2005 11:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

Marcus,

I kill off the specific rules on those servers.  If I'm not interested in a
particular message, it's gone.

-rtk

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, May 19, 2005 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

For those of you that are in a MOM environment and have created a lag site, how
are you overcoming the replication latency messages?

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, May 19, 2005 4:09 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD DR - replication lag site

If the deletion occurs on DC1, then a DC (DC2) in the lag site will not
receive the deletion immediately. You therefore have a window of opportunity
in which the deletion may be 'undone'.

The deleted object may be auth restored on DC2 and thus replicated /
reanimated on DC1 (and any other DC which has received the deletion).

[My terminology may not be acceptable to some - I have deliberately
explained this in simplistic terms :)]

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 19 May 2005 08:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site


Hello,

I must apologize, but I'm a little bit confused. You said 'With a lag site,
you ONLY have to do an authoritative restore (NTDSUTIL).'

Do you mean if I delete my OU on a DC in site A, all I have to do is an
authoritative restore, not on site A, BUT on the DC in the lag site, reboot, and
force replication to site A? And the non-authoritative restore will in
fact be the data on the lag site, which explains your previous sentence? Wow!
That's very clever!!

Am I right ?

Regards,

Yann



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Thursday, 19 May 2005 08:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

The major issue is the SPEED of recovery.  With a lag site, you ONLY have to
do an authoritative restore (NTDSUTIL).

Without a lag site, you must first restore the AD from backup tape ('normal'
restore), which can take quite some time. Then, and only then, can you do
the auth restore.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Wednesday, May 18, 2005 11:46 PM
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

Hello,

Thanks for these interesting tips, but I didn't really understand the technology
behind a lag site in the case of just a deletion of an entire OU with
many objects.

For example, if I have an AD 2003 domain with 2 sites:
Site A has 2 DCs
Site B has one DC and is the lag site
Between the 2 sites, I scheduled replication to occur every week.

In the situation of an OU deletion, I go to the DC where I made the deletion,
and do an authoritative restore in DS mode and after reboot, wait for
replication to take place in order to repopulate all my domain with my OU
restored. So how will the lag site help me in this situation?

I can understand that a lag site will help me if all my DCs in site A
crashed. So I would take all information from the lag site to be restored
in site A, such as copying my domain from the lag site by doing a dcpromo
/adv, and go to my freshly installed DCs in site A, and restore my whole
domain.
However, I think I will have more up-to-date information by restoring from
yesterday's backup than from the lag site...

So, could you help me better understand the technology behind a lag site?
I think I misunderstand something important ;-(

Thank you for your feedback.

Have a nice day :-)

Regards,

Yann 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] AD DR - replication lag site

2005-05-19 Thread Dan Holme
Changing SRV weight is NOT ENOUGH because there is still a chance that they 
will be used for authentication (e.g. if higher weighted records don't respond 
to the LDAP bind by the client fast enough).   You must either prevent the SRV 
records from registering (per the originally-cited article, which I have not 
tried) or stop NetLogon or both.

All of these are minimal TCO impact because ALL can be done thru GPOs.  (e.g. 
Services policy to set NetLogon to disabled).

Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, May 19, 2005 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

Killing off the rules stops those particular DCs from running the latency 
rules... but how do you overcome the latency rules from any DC not in a lag 
site with connection objects to DCs in the lag site?

:m:dsm:cci:mvp
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, May 19, 2005 11:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

Marcus,

I kill off the specific rules on those servers.  If I'm not interested in a
particular message, it's gone.

-rtk

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, May 19, 2005 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

For those of you that are a MOM environment and have created a lag site, how
are you overcoming the replication latency messages?

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, May 19, 2005 4:09 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD DR - replication lag site

If the deletion occurs on DC1, then a DC (DC2) in the lag site will not
receive the deletion immediately. You therefore have a window of opportunity
in which the deletion may be 'undone'.

The deleted object may be auth restored on DC2 and thus replicated /
reanimated on DC1 (and any other DC which has received the deletion).

[My terminology may not be acceptable to some - I have deliberately
explained this in simplistic terms :)]

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 19 May 2005 08:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site


Hello,

I must apologize, but I'm a little bit confused. You said "With a lag site,
you ONLY have to do an authoritative restore (NTDSUTIL)."

Do you mean if I delete my OU on a DC in site A, all I have to do is an
authoritative restore, not in site A, BUT on the DC in the lag site, reboot, and
force replication to site A? And the non-authoritative restore will in
fact be the data on the lag site, which explains your previous sentence? Wow!
That's very clever!!

Am I right ?

Regards,

Yann



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Thursday, 19 May 2005 08:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

The major issue is the SPEED of recovery.  With a lag site, you ONLY have to
do an authoritative restore (NTDSUTIL).

Without a lag site, you must first restore the AD from backup tape ('normal'
restore), which can take quite some time. Then, and only then, can you do
the auth restore.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Wednesday, May 18, 2005 11:46 PM
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

Hello,

Thanks for these interesting tips, but I didn't really understand the technology
behind a lag site in the case of just a deletion of an entire OU with
many objects.

For example, if I have an AD 2003 domain with 2 sites:
Site A has 2 DCs
Site B has one DC and is the lag site
Between the 2 sites, I scheduled replication to occur every 1 week.

In the situation of an OU deletion, I go to the DC where I made the deletion,
do an authoritative restore in dsmode and, after reboot, wait for
replication to take place in order to repopulate all my domain with my
restored OU. So how will the lag site help me in this situation?

I can understand that a lag site will help me if all my DCs in site A
crashed. Then I would take all the information from the lag site to be restored
in site A, such as copying my domain from the lag site by doing a dcpromo
/adv onto my freshly installed DCs in site A, and restore my whole
domain.
However, I think I will have more up-to-date information by restoring from my
yesterday backup than from the lag site...

So, could you help me better understand the technology behind a lag site?
I think I misunderstand something important ;-(

Thank you for your feedback

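A check for the isolation Dan Holme describes above (Netlogon stopped and disabled, no generic SRV records still advertising the lag DC) together with the replicator latency interval Arden mentions later in the thread, as an added PowerShell example that is not part of the thread. It assumes a management host with the DnsClient and CIM cmdlets and remoting to the lag DC; LAGDC01.corp.example and corp.example are hypothetical names, and the 168-hour threshold is simply the one-week lag the cited article proposes.

```powershell
# Added example (not from the thread): audit one lag-site DC for the isolation
# discussed above. Hypothetical names: LAGDC01.corp.example / corp.example.
function Test-LagDcIsolation {
    param(
        [string]$LagDc  = 'LAGDC01.corp.example',
        [string]$Domain = 'corp.example',
        [int]$MinLatencyHours = 168   # assumption: at least the one-week lag
    )

    $findings = @()

    # 1. Netlogon must be disabled and stopped (the GPO-driven approach above).
    $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $LagDc `
                           -Filter "Name='Netlogon'"
    if (-not $svc) {
        $findings += "Could not query the Netlogon service on $LagDc."
    } elseif ($svc.StartMode -ne 'Disabled' -or $svc.State -ne 'Stopped') {
        $findings += "Netlogon on $LagDc is StartMode=$($svc.StartMode), " +
                     "State=$($svc.State); expected Disabled/Stopped."
    }

    # 2. The generic (non-site-specific) DC locator records must not point at
    #    the lag DC. A lowered weight is not enough; the record should be absent.
    $srvNames = @(
        "_ldap._tcp.dc._msdcs.$Domain",
        "_kerberos._tcp.dc._msdcs.$Domain",
        "_ldap._tcp.$Domain",
        "_kerberos._tcp.$Domain"
    )
    foreach ($name in $srvNames) {
        $records = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
            Where-Object { $_.NameTarget -ieq $LagDc }
        foreach ($r in $records) {
            $findings += "$name still advertises $($r.NameTarget) " +
                         "(priority $($r.Priority), weight $($r.Weight))."
        }
    }

    # 3. Replication-latency alert interval, read remotely from the registry.
    $regPath   = 'SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $valueName = 'Replicator latency error interval (hours)'
    $hours = Invoke-Command -ComputerName $LagDc -ScriptBlock {
        param($p, $v)
        (Get-ItemProperty -Path "HKLM:\$p" -Name $v -ErrorAction SilentlyContinue).$v
    } -ArgumentList $regPath, $valueName
    if (-not $hours -or $hours -lt $MinLatencyHours) {
        $findings += "'$valueName' on $LagDc is '$hours'; expected >= $MinLatencyHours."
    }

    if ($findings.Count -eq 0) { return "Lag DC $LagDc passes all checks." }
    return $findings
}

Test-LagDcIsolation
```

The DNS query is kept separate from the service check so that the result is the same whichever of the two methods (blocking registration or stopping Netlogon) was chosen: what matters to a client is whether anything in the zone still names the lag DC. Site-specific records under `_sites` would need the same test for each site the lag DC covers.
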
RE: [ActiveDir] AD DR - replication lag site

2005-05-18 Thread Rick Kingslan
(Caveat - I didn't go read the article; I'm fairly certain what this is
about)

I've implemented something quite similar to this in my environment - except
I did it quite a bit differently - and, I think that it's a very viable DR
and near-line recovery solution.

What we did in our Enterprise was to stand up a VMWare server at our DR site
(VERY well connected - it's a warm site) and created 8 DC instances with
repl schedules from 30 minutes to 1 month.  In the event that we have a BIG
problem, or a small one (we had one of our remote site Admins delete his
whole computers OU for his site) we are able to do an authoritative restore
(or a non-auth, then auth, depending on circumstances) to correct a problem
of this type.

Me, personally - I sleep much better knowing that I have this system in
place.  It works for us, and we also used a similar process to protect us
from major problems during our schema upgrades for Win2k3 and Exchange 2k3
(as well as Cisco Unity and CallManager).

-rtk

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Wednesday, May 18, 2005 8:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD DR - replication lag site

I am interested in your thoughts regarding this suggestion for DR:

http://searchwin2000.techtarget.com/tip/1,289483,sid1_gci1086805,00.html
(You may need to register)

Basically it states that you should create another AD site and set the
replication for 168 hours.

Thank you,

...D


RE: [ActiveDir] AD DR - replication lag site

2005-05-18 Thread Dan Holme
I have several large clients who are going this direction and are in
testing right now.  Things look quite good.

I had read somewhere that an alternative approach to preventing
authentication to the 'lag' DCs was to stop the Netlogon service.  The
approach of removing DNS records seems more elegant, and I'll be
interested to hear people's thoughts on these alternatives.



Dan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Wednesday, May 18, 2005 6:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD DR - replication lag site

I am interested in your thoughts regarding this suggestion for DR:

http://searchwin2000.techtarget.com/tip/1,289483,sid1_gci1086805,00.html
(You may need to register)

Basically it states that you should create another AD site and set the
replication for 168 hours.

Thank you,

...D


Re: [ActiveDir] AD DR - replication lag site

2005-05-18 Thread A P
We are implementing lag sites in our production AD environment.  We
used to have a lag site which we used to implement a schema change in
a controlled environment but we recently tore it down.  However, we
will be recreating the lag site as this is an essential piece of our
infrastructure.

The single lag site is cost effective and you can set your max
replication latency to 1 week, at most.  With this design, changes
that occur just prior to the replication schedule will get replicated
to the lag site.

This is one reason we are looking at implementing double lag sites in
our environment.  This will buy us a 2-week maximum delay replication.

You will also need to change the following registry key and account
for the lag site in your monitoring solution.

HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error interval (hours)

As for preventing offsite authentication, an alternative may be to
disable registration of the generic SRV records for the target domain
controllers.  There are policy settings that are built-in to Windows
2003 that are discussed in detail in the DNS chapter of the  Branch
Office Deployment Guide for 2003.

- Arden

On 5/18/05, Dan Holme [EMAIL PROTECTED] wrote:
 I have several large clients who are going this direction and are in
 testing right now.  Things look quite good.
 
 I had read somewhere that an alternative approach to preventing
 authentication to the 'lag' DCs was to stop the Netlogon service.  The
 approach of removing DNS records seems more elegant, and I'll be
 interested to hear ppls thoughts on these alternatives.
 
 
 
 Dan
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Danny
 Sent: Wednesday, May 18, 2005 6:45 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] AD DR - replication lag site
 
 I am interested in your thoughts regarding this suggestion for DR:
 
 http://searchwin2000.techtarget.com/tip/1,289483,sid1_gci1086805,00.html
 (You may need to register)
 
 Basically it states that you should create another AD site and set the
 replication for 168 hours.
 
 Thank you,
 
 ...D
