RE: [ActiveDir] AD DR - replication lag site----Why?
Using the powers of the MVP, I now officially pronounce this thread as complete :)

Todd

-----Original Message-----
From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]]
Sent: Sunday, May 22, 2005 4:12 PM
To: 'joe '; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] AD DR - replication lag site----Why?
RE: [ActiveDir] AD DR - replication lag site----Why?
oh, gee, I'm too late - but I had a great weekend ;-))

I'd have to say (and all the posts show themselves) that there is no single right or wrong answer to lag sites. It's one building block to mastering AD DR and may very well apply more for larger companies than for smaller ones (it's tougher to restore a multi-gig DB than it is to restore a few hundred megs, prior to performing an auth. restore). I've been using and implementing them successfully but am not recommending them for everyone. And we're also using them at HP and have been quite happy with them (you do recover stuff easily, which you would otherwise simply not bother to recover...) And I also like how other 3rd party tools handle recovery - but those are also not applicable for all customers.

Great thread - it's a good overview of the vast range of different opinions on such a fairly exotic topic.

Cheers,
Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of mike kline
Sent: Monday, 23 May 2005 13:38
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD DR - replication lag site----Why?

haha, ok so you MVPs also have these special powers. Very good thread and thanks to all. This is a subject I didn't know much about until this thread came along. Thanks to Todd, Joe, Jorge and everyone else that contributed.

On 5/23/05, Myrick, Todd (NIH/CC/DNA) [EMAIL PROTECTED] wrote:
> Using the powers of the MVP, I now officially pronounce this thread as complete :)
>
> Todd
RE: [ActiveDir] AD DR - replication lag site----Why?
Guido,

You had to go have a great weekend AND then have to post after the thread has been declared complete. 2 infractions! Your Dining Services MVP status is now officially suspended - by the special power invested in Todd :)

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Sent: Mon 5/23/2005 10:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site----Why?
RE: [ActiveDir] AD DR - replication lag site----Why?
Hi,

In my opinion the following recovery situations exist when it comes to AD:
(1) Accidental object deletions
(2) Your forest/domain drops dead
(3) A DC drops dead

(1) Accidental object deletions

I agree with Joe that people should only have those permissions needed to do their work and this should be configured accordingly. I also agree that not too many people should have domain/enterprise admin permissions. However, in the real world this is not always possible because of a lot of reasons (history, politics, etc.). Organizations are not 100% perfect, that's a fact also. Looking at the future and preparing for the worst, solutions are implemented to mitigate those risks. Costs are made in advance to save time and money in the future. It's somehow like an insurance policy. When something goes wrong I have something to fall back on. I assume almost everyone has an insurance policy for their house if it burns down. How many times will you use that insurance policy in your lifetime? Never if you're lucky... once if you're in bad luck... twice if you're in really bad luck!

In the case of accidental object deletions customers need/want a solution! What is that solution? Is it a lag site, is it a tool like Quest Recovery Manager, is it a tool like Guido's tool, is it something else I/we still don't know about? It all depends on the functionality needed by the customer and the cost to implement and maintain the tool/solution. In my opinion a LAG is one of those solutions for accidental object deletions, as always and only when implemented correctly.

Joe (and others), you don't recommend setting up lag sites as there could be a better answer. What is that better answer in your opinion? What would you do if a customer said to you: "I want to have ADMIN rights and I want to be able to delete objects in my forest/domain and I want you to provide a solution for me if I delete the wrong objects" (the answer "take away admin rights" is not an option ;-)) )? What is your solution for accidental object deletions? That is what I'm interested in. In the end there is a big difference between being right and getting it!

(2) Your forest drops dead

I don't think LAG sites are a solution when your forest drops dead, especially in a large environment. What's the primary goal to achieve when your forest drops dead (and what's the second?)? (please give me answers..) When the forest drops dead, nobody can do anything anymore. In my opinion the first goal to achieve is to get everything up and running as fast as possible and provide for the max. of functionality as possible to the end users. In my opinion the second goal is to repair the health of the forest and if it is really screwed rebuild it. So for this you need a procedure that accommodates those situations. I always hear everyone talk about a forest recovery as in rebuilding the forest from scratch. Rebuilding a forest because it dropped dead should be (again in my opinion) the last step ever taken because this means you're going back in time and therefore you will lose info. I believe that there exists more between a healthy forest and a forest that needs to be rebuilt. Do you guys agree?

As for the virtualized environment that can be rolled back to any point in time, I think that can be part of a solution to start rebuilding a forest. However I do think you have to be careful with this because of USN rollback, tombstone lifetime and replication and maybe some other stuff as the DCs are (I think) not recovered using the native MS way. At DEC I heard Dean and Joe and some other guys talk about this method. Unfortunately I did not hear the complete story behind this and to be honest I have not put any time into it to think about it and how it may work as a quick start for a forest rebuild.

(3) A DC drops dead

We all know this one. Restore the DC from a backup or do a metadata cleanup and rebuild the DC from scratch.

Cheers,
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/22/2005 1:15 AM
Subject: RE: [ActiveDir] AD DR - replication lag site----Why?

Reread it Deji, I really am not agreeing with it. I noted that it might be something that could be used for whole forest corruption but I would way prefer a virtualized environment that can be rolled back to any point in time over a site lagging behind the main AD in *hopes* that it didn't get poisoned.

To make it more obvious I guess, I don't recommend lag sites. However, I don't recommend people tear them down if they have them. Mostly I don't recommend setting them up in the first place unless they are fully aware of why they are doing it and why they think there is no better answer. Technology doesn't often successfully make up for bad policy. What I recommend is that they batten down the hatches even if they think they can't because it has always been this way or because some Exec who needs to be taught better thinks L1 Help Desk should be able to delete things
RE: [ActiveDir] AD DR - replication lag site----Why?
I think Jorge summarized the issue quite well, and pointed out some important considerations. I hope MS is paying attention to this thread b/c there are some customer needs here that would be (I think) easy to address in future releases.

1) I do know that there are some VERY large companies who are using or are just about to start using lag sites. They seem to them to be enough of a viable option that they're becoming more popular. Hopefully MS *will* come through with guidance so that lag sites can be a supported option for recovery from accidental object deletion.

2) Virtualization rollback is a very sketchy option b/c of USN rollback as you mentioned.

3) ADRestore from SYSINTERNALS (or following the billion-step LDP.exe process in the MSKB) is fine for recovery of deleted objects. Yes, the properties are gone. Most of my clients do NOT use AD as the 'authoritative' company DB anyway -- they populate AD from an HR DB -- so that is not the end of the world.

4) Of course the worst deletion is a group object. W2K3's new auth restore LDIF file is super cool. Another client has a script that runs every night logging group memberships (for auditing and reporting) that will also be used for recovery of group objects using ADRestore, now.

5) <rant> PLEASE, MS, MAKE IT POSSIBLE TO DELEGATE MOVING OBJECTS WITHOUT REQUIRING DELETE PERMISSION. In my experience, the need to move users and groups is the top driver for the need to delegate DELETE. Most of my clients have pretty slick 'provisioning' for retiring then deleting users and groups, but they need to MOVE objects every day. It really sucks that this task can't be separated from DELETE. Until then, it's pretty darned tough to fully delegate away the risk of object deletion. </rant>

Dan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jorge de Almeida Pinto
Sent: Sunday, May 22, 2005 5:41 AM
To: 'joe '; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] AD DR - replication lag site----Why?
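A worked version of the approach in points 3 and 4 of Dan's post, added here as an illustration rather than as code from the thread or from any of its participants: a scheduled export of every group's member list to a flat file, a helper that reanimates a deleted group, and a second helper that rebuilds the membership from the last export. It assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined host; the export directory and the group names in the usage comment are arbitrary. The reanimation step uses Restore-ADObject and assumes the AD Recycle Bin is enabled; on a forest without it, the tombstone reanimation done by ADRestore or the LDP.exe procedure brings the object back with only the attributes preserved on the tombstone, which is exactly why the nightly export is the source of truth for the member attribute, and the membership helper works the same either way.

```powershell
# Added example, not from the thread: nightly group-membership export to a flat file,
# plus helpers to reanimate a deleted group and rebuild its membership from that file.
# Requires the ActiveDirectory module (RSAT) on a domain-joined host.
Import-Module ActiveDirectory

# Assumed export location; run Export-GroupMembership from a nightly scheduled task.
$ExportRoot = 'C:\ADBackup\GroupMembers'

function Export-GroupMembership {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    New-Item -ItemType Directory -Path $ExportRoot -Force | Out-Null
    $outFile = Join-Path $ExportRoot ('groups-{0:yyyyMMdd-HHmm}.csv' -f (Get-Date))

    # One row per (group, member) pair. GUID and sAMAccountName are recorded so the
    # group can still be matched after its DN changes on restore.
    Get-ADGroup -Filter * -SearchBase $SearchBase -Properties member |
        ForEach-Object {
            $group = $_
            foreach ($memberDn in $group.member) {
                [pscustomobject]@{
                    GroupSam  = $group.SamAccountName
                    GroupGuid = $group.ObjectGUID
                    GroupDN   = $group.DistinguishedName
                    MemberDN  = $memberDn
                }
            }
        } |
        Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8

    return $outFile
}

function Restore-DeletedGroup {
    param([Parameter(Mandatory)][string]$GroupSam)

    # sAMAccountName survives on a tombstone, so the deleted object can be found by it.
    $deleted = @(Get-ADObject -IncludeDeletedObjects -Properties sAMAccountName `
        -Filter { isDeleted -eq $true -and sAMAccountName -eq $GroupSam })
    if ($deleted.Count -eq 0) { throw "No deleted object with sAMAccountName '$GroupSam'." }
    if ($deleted.Count -gt 1) { throw "Several deleted objects match '$GroupSam'; restore by GUID." }

    # Assumption: the forest has the AD Recycle Bin, so Restore-ADObject brings the
    # attributes back. Without it, reanimate with ADRestore/LDP as in the post; the
    # member list is not on the tombstone and must come from the export.
    Restore-ADObject -Identity $deleted[0].ObjectGUID
    return (Get-ADGroup -Identity $deleted[0].ObjectGUID).DistinguishedName
}

function Restore-GroupMembersFromExport {
    param(
        [Parameter(Mandatory)][string]$GroupSam,
        [Parameter(Mandatory)][string]$ExportFile
    )
    $wanted = @(Import-Csv -Path $ExportFile |
        Where-Object { $_.GroupSam -eq $GroupSam } |
        Select-Object -ExpandProperty MemberDN)

    # Skip members already present (the Recycle Bin case) and members that no longer
    # exist: those were deleted in the same incident, must be restored first, and
    # this function can then simply be run again.
    $current = @((Get-ADGroup -Identity $GroupSam -Properties member).member)
    $toAdd   = @()
    $missing = @()
    foreach ($dn in $wanted) {
        if ($current -contains $dn) { continue }
        if (Get-ADObject -Filter { distinguishedName -eq $dn }) { $toAdd += $dn } else { $missing += $dn }
    }
    if ($toAdd.Count -gt 0) { Add-ADGroupMember -Identity $GroupSam -Members $toAdd }

    return [pscustomobject]@{ Group = $GroupSam; ReAdded = $toAdd.Count; StillMissing = $missing }
}

# Usage (assumed names):
#   $file = Export-GroupMembership
#   Restore-DeletedGroup -GroupSam 'Finance-Approvers'
#   Restore-GroupMembersFromExport -GroupSam 'Finance-Approvers' -ExportFile $file
```

The export deliberately records one row per member rather than one row per group, so the file can be grepped, diffed between nights to spot unexpected membership changes, and consumed by the restore helper without any parsing beyond Import-Csv.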
RE: [ActiveDir] AD DR - replication lag site----Why?
1. I expect so. I also know of very large companies who have looked at and rejected the idea. It comes down to the admins at the company and what guidance they have received. I don't think there is anything saying the mechanism isn't supported. In fact we have had at least one person on the list say that MS PSS blessed their specific implementation in a supportability review. I am sure there are others who have gone through similar actions.

2. If this is done to bring back specific DCs in a forest instead of an entire forest, I agree. In that case it isn't a viable option. I would smack anyone thinking about doing it.

3. Admod works well for this as well. Note that what gets saved in the tombstone process can to a great extent be controlled. Unless you are adding and deleting objects like crazy, I highly recommend looking into x08.

4. Yes, this is easily covered though by setting up an AD/AM or even flat files with the info.

5. I would have to say I agree with this one in terms of allowing delegation of move without delegating create/delete. However it is possible to work around it as well now too. Don't let people move objects, proxy it through some tool. Basic web sites to do this stuff aren't terribly difficult to put together. It is difficult to put together a completely generic cover-any-situation web site or tool but I don't know many companies that need that tool. Vendors build tools like that so they are usable for many companies and hence make more money. The benefits of doing this through proxy are the same for doing anything through proxy. Business rules and logging. Things get done properly and you know who did it and when. Of course AD Auditing is an answer but who here doesn't think AD Auditing is rather fat and not optimal for doing its stated purpose?

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Holme
Sent: Sunday, May 22, 2005 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site----Why?
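One shape of the "proxy it through some tool" idea in point 5, added here as an illustration and not code from the thread or from joe: a single function, meant to run under a service account that holds the move right, which enforces an allow-list of target containers and a couple of business rules and writes an audit line for every request, whether it was carried out or refused. The OU names, the log path and the rules themselves are assumptions; in practice the function would sit behind a constrained endpoint or a small web front end so the requester never needs the Delete permission that a native move requires. It needs the ActiveDirectory module.

```powershell
# Added example, not from the thread: a move proxy that enforces an allow-list and
# audits every request. Runs under an account that has the move right; callers do not.
Import-Module ActiveDirectory

# Assumed values: the containers the proxy may move objects into, and the audit log.
$AllowedTargetOUs = @(
    'OU=Sales,DC=example,DC=com',
    'OU=Engineering,DC=example,DC=com'
)
$AuditLog = 'C:\ADProxy\move-audit.log'

function Write-MoveAudit {
    param([string]$Requester, [string]$ObjectDN, [string]$TargetOU, [string]$Result)
    $line = '{0} requester="{1}" object="{2}" target="{3}" result="{4}"' -f `
        (Get-Date).ToString('o'), $Requester, $ObjectDN, $TargetOU, $Result
    Add-Content -Path $AuditLog -Value $line
}

function Invoke-ProxiedMove {
    param(
        [Parameter(Mandatory)][string]$ObjectDN,
        [Parameter(Mandatory)][string]$TargetOU,
        # Who asked. A front end would pass its authenticated user here; when called
        # directly this is the caller's own identity.
        [string]$Requester = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    )
    try {
        # Rule 1: the target must be on the allow-list (-contains is case-insensitive).
        if ($AllowedTargetOUs -notcontains $TargetOU) {
            throw "target container '$TargetOU' is not permitted"
        }

        # Rule 2: only users and groups may be moved; OUs and protected objects are refused.
        $obj = Get-ADObject -Identity $ObjectDN -Properties ProtectedFromAccidentalDeletion
        if ($obj.ObjectClass -notin @('user', 'group')) {
            throw "object class '$($obj.ObjectClass)' is not movable through the proxy"
        }
        if ($obj.ProtectedFromAccidentalDeletion) {
            throw "object is protected from accidental deletion; clear the flag first"
        }
        if ($obj.DistinguishedName -like "*,$TargetOU") {
            throw "object is already in '$TargetOU'"
        }

        Move-ADObject -Identity $obj -TargetPath $TargetOU
        Write-MoveAudit -Requester $Requester -ObjectDN $ObjectDN -TargetOU $TargetOU -Result 'moved'
        return $true
    }
    catch {
        # Refusals and failures are logged with the reason, then reported to the caller.
        Write-MoveAudit -Requester $Requester -ObjectDN $ObjectDN -TargetOU $TargetOU `
            -Result "refused: $($_.Exception.Message)"
        return $false
    }
}

# Usage (assumed names):
#   Invoke-ProxiedMove -ObjectDN 'CN=J Smith,OU=Staging,DC=example,DC=com' `
#                      -TargetOU 'OU=Sales,DC=example,DC=com' -Requester 'EXAMPLE\helpdesk1'
```

The audit line is the part that matters most: it records who asked, what was touched and why a request was refused, which is the "you know who did it and when" that native AD auditing gives you only in a far noisier form.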
RE: [ActiveDir] AD DR - replication lag site----Why?
(1) In the Netherlands when you own a car and you drive with it, by law you at least must have a basic insurance that covers liability. This simply means that when you cause damage with your car the other party gets paid to repair their damage. You, however, have to pay for your own damage. This is for those cases when most people cannot afford such high costs. This also applies to situations in IT. You'll always have to answer: how much can you afford when this or that occurs?

What I'm trying to say here is: you implement a certain solution to accommodate those situations (in solving) when errors have been made by persons. People simply make mistakes and I agree it is better to prevent errors than to repair them. But again it is not always possible, because it costs too much money, or they simply don't care or they are not aware of the damage that can come from it, etc. How many times have you heard "it will not happen to me, only to others"? There are also a lot of people that only understand (or get interested in) what you are trying to say/explain when they are in deep sh*t. But then... it's too late and much more expensive solutions/activities must be used, if a solution even exists for the occasion. It is always the choice between: trying to save money now and spend a crap load later each time it happens, or spend a little bit of money now and spend less money later. I believe in spending money now to save later (long-term thought). A lot of managers only think about spending as little money as possible. Eventual problems in the future are not problems at the moment (short term thought).

(2) When I say rollback, there is nothing left of the forest to get a USN rollback and no worries of TLS. I understand that an old state of the virtual environment is only used when ALL other DCs are down, gone, bye bye, etc. (or at least isolated and some of the activities mentioned in the MS DR WP are done, like resetting all kinds of accounts/trusts). When I think about it now, you are right, I made a mistake, sorry for that. Yes, when giving life to virtual DCs that belong to the same old state of the virtual environment, all those virtual DCs know about the state of the other DCs in the virtual environment. I do believe this solution provides a very fast recovery of the first DCs in the forest to be rebuilt. With this solution and using the native way (restoring a backup), when the tombstone lifetime has passed (the virtual environment state of the backups used) you will experience event 2042 on all DCs (Event ID 2042: It has been too long since this machine replicated). After bringing the initial environment up you need to execute the steps as mentioned in the MS DR white paper. You especially need to think about whether everything really is down or the corrupt forest is still up to provide functionality for the users while restoring a new forest in parallel. And yes, there are a lot of decisions to be made and each IS different for each company.

Cheers
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/22/2005 7:05 PM
Subject: RE: [ActiveDir] AD DR - replication lag site----Why?

1. I assume almost everyone has an insurance policy for their house if it burns down.

In the US, you can't get a mortgage unless you get insurance. Ditto cars, loans require full coverage and local law enforcement requires some minimal level of insurance, you have no choice in the matter. A lot of people buy insurance not because they want it or would get it themselves, but because some requirement forces them to. Buying insurance is like enforced gambling, you are forced to pay to gamble that your house will burn down or you will crash your car. Insurance companies who set the prices and hence the profit are gambling you won't have an issue and have weighted the payoff accordingly. If you ever take advantage of that insurance, you are pretty much guaranteed to see an increase in your rates at some future point for taking advantage. Of course you are also quite likely to get an increase when Dean's house gets whacked by a hurricane as well.

Insurance on cars and houses is not an optimal example. Maybe one that is closer would be the optional insurance you can get for car malfunctions or electronics or even MS Software... AKA service contracts. "Mr. Jones, you should protect this TV because it could possibly fail in the next year and you don't want that expense." "Mr. Jones, you should protect this MS environment because you may have something fail in the next year and you don't want that expense." Of course, the first thing people start to wonder at that point when hearing those pitches is why are there warranties at all... Again, it is gambling, only, unlike the insurance stuff mentioned above, you have a realistic choice with several options.

> What is that better answer in your opinion?

The better answer is to understand why this needs to be done and explain how you can get
RE: [ActiveDir] AD DR - replication lag site----Why?
Joe, you pretty much agreed with the lag site proposition towards the end of your piece. Whether you virtualize it, put it in a different physical location or just put it on a piece of hardware sitting in the same server room and configured with a different replication schedule, it all comes down to the same necessity of having a pristine DC that has not received your deletion and from which you can repopulate your F'ed up AD. I know that you think deletion should not happen, but I have seen a few, so they do happen in reality. We've been over the discussion of the politics behind rights and permissions in many organizations and how they are what they are because we can't control them. So, bad things happen. If you are rolling in surplus money, you get a tool. If you are cash-strapped or like to roll your own, you get a qtine (lag) site. I do not think one is better than the other.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 5/20/2005 10:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site----Why?

I would tend to agree with what David is saying from what I have seen of lag sites as well. Not many people, relatively, doing it; those that are are likely to be doing it in a roughshod way. I am not a huge fan of lag sites. I think they are ok, but for instance didn't think they deserved 3 or 4 different speakers talking about it at the DEC in DC a couple of years ago. I am far more interested in taking away the rights from people to do the stupid deletions in the first place like was mentioned previously. Seriously, I have done 0, count them, 0 restores of objects in production and have been involved in some rather seriously sized implementations, 5 years of lead AD tech for a Fortune 5 directory.

The lax decision of "accidental deletions happen" is not a mentality I am likely to subscribe to. If someone deleted something, my feeling is, they knew what they were doing and they were adequately aware of what they did. First off, don't delete right off. Disable, rename, and move. Second off, don't do admin through the GUI, it is too easy to click on an OU rather than a single user when deleting. Third off, don't let people have the power to delete things. Let them request deletes of automated systems that are designed to follow good rules so they appear to be smarter than the admins.

There were mentions of supportability, etc. I would not be surprised to hear MS say this is supported. Honestly, it isn't that whacky from a technical standpoint. However, if someone has gone through the supportability review process I *HIGHLY* recommend they keep any and all docs with the names of the MS people involved locked up and saved. I have had it occur more than once over the years where I was told something was supported and fine and then several years later have them looking at me saying they would never have approved this or that. Some of the times I didn't have docs and was screwed, as MS I have found is fond of saying "we don't have any documentation of that being said or being done"; other times I had docs and then I see PSS trying to find reasons why they missed the issue or something else in the doc not being followed that they try to imply makes the whole thing moot. Unfortunately PSS will declare a lot of things as unsupportable even if they have no good answer themselves, for instance, scripted GPO deployment pre-GPMC. There were several years there that people were forced to come up with their own mechanisms for scripted GPO deployment before GPMC was released because the normal GUI just wouldn't cut it; they are all unsupported by MS. Unfortunately companies won't tend to find out until they contact MS about it or PSS stumbles upon it.

Back to lag sites, you, of course, have the possibilities of directory corruption, etc. where you lose the entire directory in one fell swoop. A lag site could be used here but an auth restore is probably not going to be what you need to save you, you need to rebuild everything. Personally over a lag site I would use a site with a bunch of virtual DCs that you are taking down together and backing up the disk images of, and then if you need to roll back, you pick the day or 4/6/8/12 hour period and roll back to it once everything else has been taken offline and you build the rest of your environment back out from this seed environment. This gives you the additional benefit of having an environment you can take into a segregated lab and test stuff any time you need to. It just needs to be done right or you will have Brett snickering at you.

As I mentioned in an earlier post, if you are afraid of deleted objects, I would recommend judicious use of searchFlags 0x08 and admod with the -undel option.
RE: [ActiveDir] AD DR - replication lag site----Why?
I read Joe's comments as not creating a lag site per se, but using virtual DCs which are periodically saved (I'll refrain from saying "backed up" since it's not a backup, as was recently discussed) in order to perform a Forest-wide recovery. I don't think he was referring to recovery of a few deleted objects.

Joe, you pretty much agreed with the lag site proposition towards the end of your piece. Whether you virtualize it, put it in a different physical location or just put it on a piece of hardware sitting in the same server room and configured with a different replication schedule, it all comes down to the same necessity of having a pristine DC that has not received your deletion and from which you can repopulate your F'ed up AD.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] AD DR - replication lag site----Why?
It was brought to my attention that I came off a bit strong (and that might be mild...) in this message to Todd. I've sent him a personal note of apology, and I don't believe in tearing someone up in public and then apologizing in private.

Todd - I'm sorry for the way that I worded this message. We have our own ways of doing things, and that's what makes life interesting. And, there are 100 ways of doing something, and I'm glad that we have the ability to discuss these ways here, and debate them. Sometimes with me, however, personal bias goes a bit too far. So, please accept my apologies. I'm sorry for the 'tone' of my message.

Rick Kingslan
MCSE, MCSA, MCT, CISSP
Microsoft MVP: Windows Server / Directory Services
Windows Server / Rights Management
Windows Security (Affiliate)
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, May 20, 2005 3:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site----Why?

Todd,

With all due respect, I think there are more people doing this than you think. You aren't using a Lag Site, so it's 'whacky'. Your opinion, so you're entitled to it. PSS blessed our implementation, BTW. If you'd like, I'll be happy to provide you with contacts for the ROSS tech (out of Los Colinas) that did our recent AD Health check in advance of our Win2k3/E2k3 upgrade. He stated that this was becoming a cheap, scalable solution to providing DR - and a few large organizations were using them at warm/hot sites because they also meet criteria for DR as addressed and required for Sarbanes.

And, I don't question the fact that a poor site design can cause problems. But, humbly, I submit that I know what I'm doing. Learn from what I do - or learn not. That's up to you. I know that you have a liking for Quest - which is fine. I use some of their tools - just not Recovery Manager. However, in a DR situation when your DCs are being rebuilt from scratch - Recovery Manager is not a very valuable tool when there are no objects to 'undelete'.

As for Guido - I hope he chimes in as well. He seems to be one of the few that you trust - regardless of those that have supported you in the past. Hopefully then - we can put this behind us. Me, I'll keep doing what has been successful for me for two years, thank you.

-rtk

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: Friday, May 20, 2005 11:59 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site----Why?

I disagree that Lag sites are popular, maybe with you and at AD conferences as a session. I tend to avoid those sessions. To all those considering this as a viable solution, why not run it by MSC or PSS and see what they say. We get something called a supportability review before we implement anything too whacky at my organization. There are so many things that can go wrong with an improper site design and object reanimation that I just say avoid doing it. I am waiting for Guido to chime in on this.

Todd

From: Dan Holme [mailto:[EMAIL PROTECTED]
Sent: Thu 5/19/2005 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site----Why?

Two more notes on this issue:

1) THIRD PARTY AD RESTORE TOOLS. Sounds like it's clear, now, WHY lag sites are so popular. Yes, there are third party products (particularly Quest Recovery Manager) that work quite well if you have a budget for that. Here's my take as to why my IT budget shouldn't be spent on those tools (and *should* be spent on OTHER tools by some of those same companies).

a) Deleted objects can be avoided with proper delegation. It's so important that you properly delegate and properly use accounts with administrative logon (i.e. with 'secondary logon' only) that this trumps just about everything. At most of my clients, NOBODY (from a practical perspective) can delete users or groups. We have a process we call graveyarding, whereby an account is tagged (using a variety of methods) and, with a SCRIPT, moved to an OU where they stay for 90 days before being deleted (again, only by the SCRIPT). The only other accounts that can delete users and groups are the super-high admins (e.g. Domain Admins equivalents). This is only a piece of the picture, but it is an important piece.

b) Deleted objects can be restored for FREE using ADRESTORE from Sysinternals. Granted, this tool brings back only the object (SID, GUID, DN, CN) but that's all that really matters, right? The best (FREE) approaches we take at clients include *regularly* logging group memberships in a custom database (to compare to last-knowns and watch for issues easily and free-ly). So when we restore a group we
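The graveyarding process Dan Holme describes (tag the account, move it to a holding OU by script, delete it only by script after 90 days), written out as an added PowerShell example; it is not part of the original thread and not anyone's actual script. The holding OU path, the tag format stored in the `info` attribute and the use of the ActiveDirectory module cmdlets are this example's own assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Graveyarding: nobody deletes directly. Phase 1 disables, tags and moves the account;
# phase 2 runs on a schedule and deletes only accounts that have been tagged for longer
# than the retention period. The OU and tag format below are hypothetical choices.
Import-Module ActiveDirectory

$GraveyardOU   = 'OU=Graveyard,OU=Disabled,DC=example,DC=com'   # hypothetical holding OU
$RetentionDays = 90                                              # as in the original post
$TagPattern    = '^GRAVEYARD;(?<date>\d{4}-\d{2}-\d{2});(?<dn>.+)$'

function Invoke-Graveyard {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$SamAccountName)
    process {
        $user = Get-ADUser -Identity $SamAccountName -Properties info
        if ($user.DistinguishedName -like "*,$GraveyardOU") {
            Write-Verbose "$SamAccountName is already in the graveyard"
            return
        }
        # The tag records when the account entered the graveyard and where it came
        # from, so the purge can enforce the clock and an operator can put it back.
        $tag = 'GRAVEYARD;{0:yyyy-MM-dd};{1}' -f (Get-Date), $user.DistinguishedName
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable, tag and move to graveyard')) {
            Disable-ADAccount -Identity $user
            Set-ADUser -Identity $user -Replace @{ info = $tag }
            Move-ADObject -Identity $user.DistinguishedName -TargetPath $GraveyardOU
        }
    }
}

function Invoke-GraveyardPurge {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $cutoff = (Get-Date).Date.AddDays(-$RetentionDays)
    # OneLevel scope: only objects placed directly in the graveyard OU are candidates,
    # so nothing outside it can ever be touched by this script.
    $candidates = @(Get-ADUser -SearchBase $GraveyardOU -SearchScope OneLevel -Filter * -Properties info)
    foreach ($u in $candidates) {
        if ($u.info -notmatch $TagPattern) {
            Write-Warning "$($u.SamAccountName) has no valid graveyard tag; skipping"
            continue
        }
        $entered = [datetime]::ParseExact($Matches.date, 'yyyy-MM-dd', $null)
        if ($entered -gt $cutoff) { continue }   # still inside the retention window
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "Delete (graveyarded $($Matches.date))")) {
            Remove-ADObject -Identity $u.DistinguishedName -Confirm:$false
        }
    }
}

# Usage (the purge would normally run from a scheduled task under a dedicated account):
# 'jdoe' | Invoke-Graveyard -WhatIf
# Invoke-GraveyardPurge -WhatIf
```

Both functions honour `-WhatIf`, so the purge can be dry-run and its output reviewed before the scheduled task is allowed to delete anything.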
RE: [ActiveDir] AD DR - replication lag site----Why?
Thanks Rick, I didn't think it too strong. And took no offense.

As most of you know, I am a buy guy. When I reviewed AD back when, I knew that we were in trouble if we had any accidents with administration. We allow for delegated administration within our AD design, so the only way to protect the directory and have a way to rapidly recover the object was to use a solution like Quest Recovery Manager. We have had quite a number of restores to fix issues. Could manage doing a recovery site to recover an OU deletion, or Going to Exchange 200x we knew the idea of having a recovery forest was not going to work in our operation... think of the number of production servers you have to patch. So we evaluated solutions that allowed object level restores on mailboxes as well.

When it comes to operations, I want fast and easily reproducible results. That means object restores and mailbox restores should take less than an hour. My old operations would take 8 hours to do a simple mailbox restore. And we have had situations with mis-configured ADCs killing objects in AD. So I am a big fan of technology that allows for rapid restore of information. I think it is a sin that MS doesn't incorporate this with their AD and Exchange products. You can get into a lot of trouble if you don't have these types of tools if you aren't experienced IMHO.

Todd

-Original Message-
From: Rick Kingslan
To: ActiveDir@mail.activedir.org
Sent: 5/21/2005 12:17 PM
Subject: RE: [ActiveDir] AD DR - replication lag site----Why?

It was brought to my attention that I came off a bit strong (and that might be mild...) in this message to Todd. I've sent him a personal note of apology, and I don't believe in tearing someone up in public and then apologizing in private.

Todd - I'm sorry for the way that I worded this message. We have our own ways of doing things, and that's what makes life interesting. And, there are 100 ways of doing something, and I'm glad that we have the ability to discuss these ways here, and debate them. Sometimes with me, however, personal bias goes a bit too far. So, please accept my apologies. I'm sorry for the 'tone' of my message.

Rick Kingslan
MCSE, MCSA, MCT, CISSP
Microsoft MVP: Windows Server / Directory Services
Windows Server / Rights Management
Windows Security (Affiliate)
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Kingslan
Sent: Friday, May 20, 2005 3:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site----Why?

Todd,

With all due respect, I think there are more people doing this than you think. You aren't using a Lag Site, so it's 'whacky'. Your opinion, so you're entitled to it. PSS blessed our implementation, BTW. If you'd like, I'll be happy to provide you with contacts for the ROSS tech (out of Los Colinas) that did our recent AD Health check in advance of our Win2k3/E2k3 upgrade. He stated that this was becoming a cheap, scalable solution to providing DR - and a few large organizations were using them at warm/hot sites because they also meet criteria for DR as addressed and required for Sarbanes.

And, I don't question the fact that a poor site design can cause problems. But, humbly, I submit that I know what I'm doing. Learn from what I do - or learn not. That's up to you. I know that you have a liking for Quest - which is fine. I use some of their tools - just not Recovery Manager. However, in a DR situation when your DCs are being rebuilt from scratch - Recovery Manager is not a very valuable tool when there are no objects to 'undelete'.

As for Guido - I hope he chimes in as well. He seems to be one of the few that you trust - regardless of those that have supported you in the past. Hopefully then - we can put this behind us. Me, I'll keep doing what has been successful for me for two years, thank you.

-rtk

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: Friday, May 20, 2005 11:59 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site----Why?

I disagree that Lag sites are popular, maybe with you and at AD conferences as a session. I tend to avoid those sessions. To all those considering this as a viable solution, why not run it by MSC or PSS and see what they say. We get something called a supportability review before we implement anything too whacky at my organization. There are so many things that can go wrong with an improper site design and object reanimation that I just say avoid doing it. I am waiting for Guido to chime in on this.

Todd

From: Dan Holme [mailto:[EMAIL PROTECTED]]
Sent: Thu 5/19/2005 10:16 AM
To: ActiveDir@mail.activedir.org
RE: [ActiveDir] AD DR - replication lag site----Why?
Instead of a Lag Site, we do have a site and domain dedicated to Root operations. I think of this as the Quarterback strategy. Don't let it get sacked. We have two DCs dedicated to Root AD functions in their own namespace. The Enterprise functions are Schema extension, forest Security operations, and DR. Since ADs take their namespace from the root of the directory, it is important to be able to recover this domain. So our DR process allows us to do a Bare metal restore if necessary. I do think it could be improved by doing P to V backups of these servers as an alternative.

Todd

-Original Message-
From: David Adner
To: ActiveDir@mail.activedir.org
Sent: 5/21/2005 5:08 AM
Subject: RE: [ActiveDir] AD DR - replication lag site----Why?

I read Joe's comments as not creating a lag site per se, but using virtual DCs which are periodically saved (I'll refrain from saying "backed up" since it's not a backup, as was recently discussed) in order to perform a Forest-wide recovery. I don't think he was referring to recovery of a few deleted objects.

Joe, you pretty much agreed with the lag site proposition towards the end of your piece. Whether you virtualize it, put it in a different physical location or just put it on a piece of hardware sitting in the same server room and configured with a different replication schedule, it all comes down to the same necessity of having a pristine DC that has not received your deletion and from which you can repopulate your F'ed up AD.
RE: [ActiveDir] AD DR - replication lag site----Why?
Reread it Deji, I really am not agreeing with it. I noted that it might be something that could be used for whole forest corruption but I would way prefer a virtualized environment that can be rolled back to any point in time over a site lagging behind the main AD in *hopes* that it didn't get poisoned.

To make it more obvious I guess, I don't recommend lag sites. However, I don't recommend people tear them down if they have them. Mostly I don't recommend setting them up in the first place unless they are fully aware of why they are doing it and why they think there is no better answer. Technology doesn't often successfully make up for bad policy. What I recommend is that they batten down the hatches even if they think they can't because it has always been this way or because some Exec who needs to be taught better thinks L1 Help Desk should be able to delete things in an unhindered unconfirmed way, etc. I recommend they use x08 and admod, I recommend they talk to Guido about a product he has put together to recover stuff which combines undelete with repopulate. Mostly I recommend not allowing accident prone folks to have the power to piss in your wheaties.

I have never had a case where I didn't take away permissions for other people to do things and my life not get easier and the environment get more stable and secure. I don't know how many times I have heard "but I can't do my job without those god level rights" and sure enough, without those god level rights, they can still do their job. The difficulty here is convincing the right people that this is the right way to go, and it is often defeated when the people pushing for the lockdown can't argue the technical merits or can't come up with answers for questions on how to do the work in alternate ways. That is tough work, I know, I spent many hours working through those issues myself. More than once I took work home with me and cracked open MSDN trying to find a better safer way for a developer to do something. If I couldn't find an alternate method, I built some sort of delegation tool to do the work on their behalf or stepped up to the plate and said I would do that work when they requested it (and then worked like heck to find a better way). I would much rather sign up for a lot of work than give out too many permissions even for a short period of time. Not giving rights is much easier than taking them back later.

Back to lag sites, if someone has a lag site and they like it and find it useful, I am behind their use of it. Of course my question to them if I was paid to look at their environment and comment on that aspect of it is "Why do you feel you need it?". Is this something you find yourself using a lot? Do you have any thoughts that possibly this is indicative of some other type of issue that could be prevented versus reacted to?

The Microsoft world has yet to really learn from the mainframe world. Maybe because it is old, people think it isn't good. The mainframe model is quite locked down. You don't give a ton of people rights, people have what they need to do their exact job and even that goes through a ton of filters/processes/batch, rarely if ever does anyone get core level change access rights that isn't thrown through rules and logging. Why? Because it is bad to allow just any old changes. Nearly any change in the mainframe world is change controlled to within an inch of its life. I think this is good for MS tech as well. It will get there as we mature, we see it happening now. Having lots of people that can make changes ad hoc does not increase flexibility and mobility of a company, if anything, in my opinion, it makes support more costly for a company by making the environment more difficult to support and understand.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Saturday, May 21, 2005 3:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site----Why?

Joe, you pretty much agreed with the lag site proposition towards the end of your piece. Whether you virtualize it, put it in a different physical location or just put it on a piece of hardware sitting in the same server room and configured with a different replication schedule, it all comes down to the same necessity of having a pristine DC that has not received your deletion and from which you can repopulate your F'ed up AD. I know that you think deletion should not happen, but I have seen a few, so they do happen in reality. We've been over the discussion of the politics behind rights and permissions in many organizations and how they are what they are because we can't control them. So, bad things happen. If you are rolling in surplus money, you get a tool. If you are cash-strapped or like to roll your own, you get a qtine (lag) site. I do not think one is better than the other.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
RE: [ActiveDir] AD DR - replication lag site----Why?
Correct.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Saturday, May 21, 2005 5:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site----Why?

I read Joe's comments as not creating a lag site per se, but using virtual DCs which are periodically saved (I'll refrain from saying "backed up" since it's not a backup, as was recently discussed) in order to perform a Forest-wide recovery. I don't think he was referring to recovery of a few deleted objects.

Joe, you pretty much agreed with the lag site proposition towards the end of your piece. Whether you virtualize it, put it in a different physical location or just put it on a piece of hardware sitting in the same server room and configured with a different replication schedule, it all comes down to the same necessity of having a pristine DC that has not received your deletion and from which you can repopulate your F'ed up AD.
RE: [ActiveDir] AD DR - replication lag site----Why?
You are correct, there are free tools to do a restore of objects. There is one problem though with deleting and reanimating objects. When an object is deleted almost all info is stripped from it besides some important attributes (SID, GUID, etc.). If you reanimate the object you'll get a stripped object and all other info (attributes) is NOT restored because it is not available anymore. That is where the third-party tools and the LAG site come in... preserving a copy of the object and all of its info (attributes).

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Thursday, May 19, 2005 16:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site----Why?

Two more notes on this issue:

1) THIRD PARTY AD RESTORE TOOLS. Sounds like it's clear, now, WHY lag sites are so popular. Yes, there are third party products (particularly Quest Recovery Manager) that work quite well if you have a budget for that. Here's my take as to why my IT budget shouldn't be spent on those tools (and *should* be spent on OTHER tools by some of those same companies).

a) Deleted objects can be avoided with proper delegation. It's so important that you properly delegate and properly use accounts with administrative logon (i.e. with 'secondary logon' only) that this trumps just about everything. At most of my clients, NOBODY (from a practical perspective) can delete users or groups. We have a process we call graveyarding, whereby an account is tagged (using a variety of methods) and, with a SCRIPT, moved to an OU where they stay for 90 days before being deleted (again, only by the SCRIPT). The only other accounts that can delete users and groups are the super-high admins (e.g. Domain Admins equivalents). This is only a piece of the picture, but it is an important piece.

b) Deleted objects can be restored for FREE using ADRESTORE from Sysinternals. Granted, this tool brings back only the object (SID, GUID, DN, CN) but that's all that really matters, right? The best (FREE) approaches we take at clients include *regularly* logging group memberships in a custom database (to compare to last-knowns and watch for issues easily and free-ly). So when we restore a group we can repopulate membership quickly, anyway. So with good processes, it's FREE and easy to restore objects in most situations.

c) Windows Server 2003 SP1 adds a feature that makes reanimating Groups MUCH easier when you have deleted groups & users. No more auth restore two times necessary. (Haven't seen it? Do an auth restore on a group on an SP1 DC and find the LDIF file it creates!!)

d) That leaves only really nasty deletions (e.g. an entire OU), which, given a & b, will probably never happen. And when they do, an auth restore on a lag site takes a very short time.

e) Therefore, I save my IT budget and use the $ on tools to aid provisioning, auditing & monitoring, again to avoid problems in the first place.

2) PREVENTING AUTHENTICATION ON LAG SITE. As I mentioned, the method I've heard of, and that we're testing, is to stop the NetLogon service on the lag DCs. There are several ways to avoid it restarting when/if the DC is rebooted. The article referenced in the ORIGINAL post suggested modifying which SRV records are registered. This should work, I'd guess, and is more elegant. The trick is that SRV records are not registered. The A records still are, so DCs should be able to find each other and replicate successfully, but clients won't 'see' the DCs as a viable authentication option. I've not tried that approach but it sounded really good.

3) OK, three notes. LAG SITES can be done with DCs in a site with a long replication interval, or by changing the replication WINDOW (schedule). It's a good idea to have TWO lag sites on alternating frequencies, to avoid a situation where something awful happens just before a lag site happens to replicate. Someone detailed this earlier, and it's a good note!

Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: Thursday, May 19, 2005 6:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site----Why?

Is it cheaper and more efficient to go the replication lag site route than buy a proper backup and object level restore solution? I mean not to toot a vendor's horn, but Quest Recovery Manager turns the process of restoring objects into a 15 minute click-click operation. I would hate to think of the number of steps you all must do to reanimate the object in a directory using the Recovery Site. From an operations standpoint, there is no substitute for a proper backup solution and object level restore utility for AD.

Thanks,
Todd Myrick

-Original Message-
From: TIROA YANN [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 19, 2005 4:20 AM
To: ActiveDir
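Jorge's point above is that a reanimated object comes back stripped, and Dan's note (b) answers it by logging group memberships regularly so a restored group can be repopulated from the last known-good list. The following is an added PowerShell example of that snapshot-and-compare loop; it is not the thread's own code, and the snapshot folder, the OU searched and the ActiveDirectory module cmdlets are this example's assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Snapshot every group's member attribute on a schedule, diff consecutive snapshots
# to spot unexpected membership changes early, and repopulate a reanimated (stripped)
# group from the last good snapshot. Folder and OU names below are hypothetical.
Import-Module ActiveDirectory

$SnapshotDir = 'C:\ADSnapshots'                    # hypothetical snapshot location
$SearchBase  = 'OU=Groups,DC=example,DC=com'       # hypothetical OU holding the groups

function Save-GroupMembershipSnapshot {
    param([string]$Path = (Join-Path $SnapshotDir ('groups-{0:yyyyMMdd-HHmm}.json' -f (Get-Date))))
    if (-not (Test-Path $SnapshotDir)) { New-Item -ItemType Directory -Path $SnapshotDir | Out-Null }
    # Reading the member attribute directly records the DNs exactly as stored, without
    # expanding nested groups: that is what a "put it back as it was" list needs.
    $snapshot = @{}
    Get-ADGroup -SearchBase $SearchBase -Filter * -Properties member | ForEach-Object {
        $snapshot[$_.DistinguishedName] = @($_.member | Sort-Object)
    }
    $snapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
    return $Path
}

function Compare-GroupMembershipSnapshot {
    param([Parameter(Mandatory)][string]$OldPath, [Parameter(Mandatory)][string]$NewPath)
    $old = Get-Content $OldPath -Raw | ConvertFrom-Json
    $new = Get-Content $NewPath -Raw | ConvertFrom-Json
    $oldGroups = @($old.PSObject.Properties.Name)
    $newGroups = @($new.PSObject.Properties.Name)
    foreach ($g in (@($oldGroups + $newGroups) | Sort-Object -Unique)) {
        # A group present in the old snapshot but absent from the new one is the
        # deletion case the thread is about; surface it before anything else.
        if ($newGroups -notcontains $g) { [pscustomobject]@{Group=$g; Change='GroupMissing'; Member=$null}; continue }
        if ($oldGroups -notcontains $g) { [pscustomobject]@{Group=$g; Change='GroupNew';     Member=$null}; continue }
        $before = @($old.$g | Where-Object { $_ })
        $after  = @($new.$g | Where-Object { $_ })
        foreach ($m in ($before | Where-Object { $after  -notcontains $_ })) {
            [pscustomobject]@{Group=$g; Change='MemberRemoved'; Member=$m}
        }
        foreach ($m in ($after  | Where-Object { $before -notcontains $_ })) {
            [pscustomobject]@{Group=$g; Change='MemberAdded';   Member=$m}
        }
    }
}

function Restore-GroupMembershipFromSnapshot {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$GroupDN)
    $snap   = Get-Content $Path -Raw | ConvertFrom-Json
    $wanted = @($snap.$GroupDN | Where-Object { $_ })
    if ($wanted.Count -eq 0) { throw "No members recorded for $GroupDN in $Path" }
    # Only add what is missing, so re-running after a partial restore is harmless.
    $current = @((Get-ADGroup -Identity $GroupDN -Properties member).member)
    $missing = @($wanted | Where-Object { $current -notcontains $_ })
    if ($missing.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupDN, "Add $($missing.Count) recorded member(s)")) {
        Add-ADGroupMember -Identity $GroupDN -Members $missing
    }
}

# Usage: run Save-GroupMembershipSnapshot from a scheduled task, then e.g.
# Compare-GroupMembershipSnapshot -OldPath $yesterday -NewPath $today | Format-Table
# Restore-GroupMembershipFromSnapshot -Path $lastGood -GroupDN 'CN=Finance,OU=Groups,DC=example,DC=com' -WhatIf
```

Members that were themselves deleted and reanimated keep their DN, so the recorded DNs still resolve; anything that no longer exists will be reported by Add-ADGroupMember rather than silently skipped.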
RE: [ActiveDir] AD DR - replication lag site----Why not?
Disagree Rick, MS changed the verbiage in the Q article to say they would support it. I think it was when Stewart and I got into it a little here that caused them to rethink the Q article... but I don't want to take the credit.

Todd

_____
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Thu 5/19/2005 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site----Why not?

Todd - I personally don't have a problem with Recovery Manager. That being said - Last I checked, Microsoft still didn't allow it as a SUPPORTABLE solution for the purpose under discussion. With our company being an Enterprise Agreement customer with a PSS agreement scaled to 'Get Ballmer out of bed - we've got a CritSit case!' response, I can't allow anything into the environment that would put us at risk. Besides, being an EA customer has the benefit of the solution that I proposed being pretty low-cost, given the overall benefits. And, I don't find NTDSUTIL overly difficult or intensive to use. But, that's just me.

-rtk

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: Thursday, May 19, 2005 8:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site----Why?

Is it cheaper and more efficient to go the replication lag site route than buy a proper backup and object level restore solution? I mean not to toot a vendor's horn, but Quest Recovery Manager turns the process of restoring objects into a 15 minute click click operation. I would hate to think of the number of steps you all must do to reanimate the object in a directory using the Recovery Site. From an operations standpoint, there is no substitute for a proper backup solution and object level restore utility for AD.

Thanks,
Todd Myrick

-----Original Message-----
From: TIROA YANN [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 19, 2005 4:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

Neil, I now understand... I'm a new man by now thanks to the mysterious lag site that has been revealed to me :-)) Thanks a lot for your explanations.

Regards,
Yann TIROA
Centre de Ressources Informatique. Campus Scientifique de la DOUA. Bât. Gabriel Lippmann - 2nd floor, room 238. 43, Bd du 11 Novembre 1918. 69622 Villeurbanne Cedex.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ruston, Neil
Sent: Thursday, 19 May 2005 10:09
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD DR - replication lag site

If the deletion occurs on DC1, then a DC (DC2) in the lag site will not receive the deletion immediately. You therefore have a window of opportunity in which the deletion may be 'undone'. The deleted object may be auth restored on DC2 and thus replicated / reanimated on DC1 (and any other DC which has received the deletion). [My terminology may not be acceptable to some - I have deliberately explained this in simplistic terms :)]

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of TIROA YANN
Sent: 19 May 2005 08:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

Hello, I must apologize, but I'm a little bit confused. You said "With a lag site, you ONLY have to do an authoritative restore (NTDSUTIL)". Do you mean if I delete my OU on a DC in site A, all I have to do is an authoritative restore, not on site A, BUT on the DC in the lag site, reboot, and force replication to site A? And the non-authoritative restore will in fact be the data on the lag site, which explains your previous sentence? Wow! That's very clever!! Am I right?

Regards,
Yann

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Holme
Sent: Thursday, 19 May 2005 08:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

The major issue is the SPEED of recovery. With a lag site, you ONLY have to do an authoritative restore (NTDSUTIL). Without a lag site, you must first restore the AD from backup tape ('normal' restore), which can take quite some time. Then, and only then, can you do the auth restore.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of TIROA YANN
Sent: Wednesday, May 18, 2005 11:46 PM
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

Hello, Thanks for this interesting tip, but I didn't really understand the technology behind a lag site in the case of just a deletion of an entire OU with many objects. For example, if I
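The recovery Neil and Dan describe above (authoritative restore on the lag-site DC, then let it replicate back to production) written out as the checks and commands an operator actually runs. This is an added example, not code from the thread or from any of its participants. The names LAGDC01 (lag-site DC), DC1 (production DC), corp.example and OU=Sales are assumptions; none appear in the thread. It runs from a workstation with RSAT and repadmin.exe; the ntdsutil step is typed on the lag DC itself after booting it into Directory Services Restore Mode.

```powershell
# Added example, not code from the thread: the lag-site recovery that Neil and
# Dan describe, as the checks and commands an operator actually runs.
# Assumed names (none appear in the thread): lag DC LAGDC01, production DC DC1,
# domain corp.example, deleted OU=Sales. Needs RSAT (ActiveDirectory module)
# and repadmin.exe; phase 3 is typed on LAGDC01 itself in DSRM.
Import-Module ActiveDirectory

$LagDc     = 'LAGDC01.corp.example'
$ProdDc    = 'DC1.corp.example'
$DomainNc  = 'DC=corp,DC=example'
$DeletedDn = "OU=Sales,$DomainNc"

# Phase 1 - is the lag window still open? Everything depends on the lag DC not
# having received the deletion yet. If the OU is gone there too, stop: you are
# back to a normal restore from backup followed by an authoritative restore.
try {
    $live = Get-ADObject -Identity $DeletedDn -Server $LagDc -Properties whenChanged
    Write-Host "Still live on $LagDc (last change $($live.whenChanged))"
} catch {
    throw "The deletion already reached $LagDc; the lag site cannot help."
}

# Sanity check on the production side: the OU should be a tombstone on DC1
# (isDeleted=TRUE). If it is not, it was moved or renamed, not deleted.
$tomb = Get-ADObject -Server $ProdDc -IncludeDeletedObjects -Properties lastKnownParent `
        -LDAPFilter "(&(isDeleted=TRUE)(objectClass=organizationalUnit)(lastKnownParent=$DomainNc))"
if (-not $tomb) { Write-Warning "No deleted OU with parent $DomainNc on $ProdDc; confirm it was really deleted." }

# Phase 2 - freeze the lag DC so the deletion cannot replicate in while you work.
# Do this BEFORE rebooting into DSRM.
& repadmin.exe /options $LagDc +DISABLE_INBOUND_REPL

# Phase 3 - on LAGDC01, booted into Directory Services Restore Mode:
#   ntdsutil "authoritative restore" "restore subtree OU=Sales,DC=corp,DC=example" quit quit
# (on 2008 and later, prefix "activate instance ntds")
# No restore from media precedes this. The lag DC's DIT already holds the live
# objects; ntdsutil only bumps their version numbers so they win over the
# tombstones when they replicate out. On a 2003 SP1 DC it also writes an
# ar_*.ldf with the restored objects' back-links (group memberships), which is
# the SP1 feature Dan mentions. Then reboot normally.

# Phase 4 - let the restored objects flow back, then fan out.
& repadmin.exe /options $LagDc -DISABLE_INBOUND_REPL
& repadmin.exe /replicate $ProdDc $LagDc $DomainNc      # DC1 pulls from LAGDC01
& repadmin.exe /syncall $ProdDc $DomainNc /e /P          # push to every site
# If ntdsutil produced a links .ldf, re-apply memberships on a production DC:
#   ldifde -i -k -s DC1.corp.example -f <ar_*_links_corp.example.ldf>

# Phase 5 - verify on the production side.
$back = Get-ADObject -Identity $DeletedDn -Server $ProdDc -Properties uSNChanged
Write-Host "Restored on $ProdDc (uSNChanged $($back.uSNChanged))"
# Anything created inside the OU after the lag DC's last sync was never on
# LAGDC01; those objects stay deleted and need adrestore or a backup.
```

The phase 1 check is the one that matters: the technique only works while the lag DC still holds a live copy, so verify that before touching replication options or rebooting anything. Blocking inbound replication in phase 2 closes the race in which the tombstone arrives at the lag DC between your check and the authoritative restore.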
RE: [ActiveDir] AD DR - replication lag site----Why?
I disagree that Lag sites are popular, maybe with you and at AD conferences as a session. I tend to avoid those sessions. To all those considering this as a viable solution, why not run it by MSC or PSS and see what they say. We get something called a supportability review before we implement anything too whacky at my organization. There are so many things that can go wrong with an improper site design and object reanimation that I just say avoid doing it. I am waiting for Guido to chime in on this.

Todd

_____
From: Dan Holme [mailto:[EMAIL PROTECTED]]
Sent: Thu 5/19/2005 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site----Why?

Two more notes on this issue:

1) THIRD PARTY AD RESTORE TOOLS. Sounds like it's clear, now, WHY lag sites are so popular. Yes, there are third party products (particularly Quest Recovery Manager) that work quite well if you have a budget for that. Here's my take as to why my IT budget shouldn't be spent on those tools (and *should* be spent on OTHER tools by some of those same companies).

a) Deleted objects can be avoided with proper delegation. It's so important that you properly delegate and properly use accounts with administrative logon (i.e. with 'secondary logon' only) that this trumps just about everything. At most of my clients, NOBODY (from a practical perspective) can delete users or groups. We have a process we call graveyarding, whereby an account is tagged (using a variety of methods) and, with a SCRIPT, moved to an OU where they stay for 90 days before being deleted (again, only by the SCRIPT). The only other accounts that can delete users and groups are the super-high admins (e.g. Domain Admins equivalents). This is only a piece of the picture, but it is an important piece.

b) Deleted objects can be restored for FREE using ADRESTORE from Sysinternals. Granted, this tool brings back only the object (SID, GUID, DN, CN) but that's all that really matters, right? The best (FREE) approaches we take at clients include *regularly* logging group memberships in a custom database (to compare to last-knowns and watch for issues easily and free-ly). So when we restore a group we can repopulate membership quickly, anyway. So with good processes, it's FREE and easy to restore objects in most situations.

c) Windows Server 2003 SP1 adds a feature that makes reanimating Groups MUCH easier when you have deleted groups and users. No more auth restore two times necessary. (Haven't seen it? Do an auth restore on a group on an SP1 DC and find the LDIF file it creates!!)

d) That leaves only really nasty deletions (e.g. an entire OU), which, given a and b, will probably never happen. And when they do, an auth restore on a lag site takes a very short time.

e) Therefore, I save my IT budget and use the $ on tools to aid provisioning, auditing and monitoring, again to avoid problems in the first place.

2) PREVENTING AUTHENTICATION ON LAG SITE. As I mentioned, the method I've heard of, and that we're testing, is to stop the NetLogon service on the lag DCs. There are several ways to avoid it restarting when/if the DC is rebooted. The article referenced in the ORIGINAL post suggested modifying which SRV records are registered. This should work, I'd guess, and is more elegant. The trick is that SRV records are not registered. The A records still are, so DCs should be able to find each other and replicate successfully, but clients won't 'see' the DCs as a viable authentication option. I've not tried that approach but it sounded really good.

3) OK, three notes. LAG SITES can be done with DCs in a site with a long replication interval, or by changing the replication WINDOW (schedule). It's a good idea to have TWO lag sites on alternating frequencies, to avoid a situation where something awful happens just before a lag site happens to replicate. Someone detailed this earlier, and it's a good note!

Dan
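Dan's notes 2) and 3) as a build script: two lag sites whose site links open on alternating days of the week, and DC-locator record suppression on the lag DCs so clients never pick them for authentication while replication partners still can. This is an added example, not code from the thread or from Dan. The site names HQ, Lag-A and Lag-B, the DC names LAGDC01 and LAGDC02 and the domain corp.example are assumptions; none are in the thread. The DnsAvoidRegisterRecords mnemonics are the documented Netlogon ones.

```powershell
# Added example, not code from the thread: Dan's notes 2) and 3) as a build
# script. Two lag sites whose site links open on alternating days, and
# DC-locator record suppression so clients never authenticate against the lag DCs.
# Assumed names (none in the thread): hub site HQ, lag sites Lag-A/Lag-B,
# lag DCs LAGDC01/LAGDC02, domain corp.example. Run as Enterprise Admin with RSAT.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices   # ActiveDirectorySchedule lives here

function New-WeeklyWindow {
    # A site-link schedule that is open only on $Day from $FromHour to $ToHour.
    param([DayOfWeek]$Day, [int]$FromHour, [int]$ToHour)
    $s = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
    $s.ResetSchedule()                 # every 15-minute slot closed
    $raw = $s.RawSchedule              # bool[day, hour, quarter-hour]
    for ($h = $FromHour; $h -lt $ToHour; $h++) {
        for ($q = 0; $q -lt 4; $q++) { $raw[[int]$Day, $h, $q] = $true }
    }
    $s.RawSchedule = $raw
    return $s
}

# Lag-A pulls from HQ on Sunday 02:00-03:00, Lag-B on Wednesday 02:00-03:00.
# With one lag site the gap between the last pre-deletion copy and the next
# pull is up to 7 days; with two offset by 3-4 days the worst case roughly halves.
$lagSites = @{
    'Lag-A' = @{ Window = (New-WeeklyWindow -Day Sunday    -FromHour 2 -ToHour 3); Dc = 'LAGDC01' }
    'Lag-B' = @{ Window = (New-WeeklyWindow -Day Wednesday -FromHour 2 -ToHour 3); Dc = 'LAGDC02' }
}

foreach ($site in $lagSites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) { New-ADReplicationSite -Name $site }
    $link = "HQ-$site"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$link'")) {
        # High cost: no other site should ever route its replication through a lag site.
        # 60-minute interval inside a 60-minute window = exactly one pull per week.
        New-ADReplicationSiteLink -Name $link -SitesIncluded @('HQ', $site) -Cost 1000 `
            -InterSiteTransportProtocol IP -ReplicationFrequencyInMinutes 60
    }
    Set-ADReplicationSiteLink -Identity $link -ReplicationSchedule $lagSites[$site].Window
    # Inter-site change notification (options bit 0x1) replicates on every change
    # instead of on the interval, which would defeat the lag. Make sure it is off.
    $opt = (Get-ADReplicationSiteLink -Identity $link -Properties options).options
    if ($opt -band 1) { Set-ADReplicationSiteLink -Identity $link -Replace @{ options = ($opt -band (-bnot 1)) } }
    Move-ADDirectoryServer -Identity $lagSites[$site].Dc -Site $site
}

# Dan's note 2, the 'more elegant' variant: keep Netlogon running but stop it
# registering the DC-locator records. DsaCname (the DSA-GUID CNAME under _msdcs)
# is deliberately NOT in the list: replication partners locate the DC through it,
# so suppressing it would break the replication the lag site depends on. The
# host A record is registered by the DNS Client service and is unaffected.
$suppress = 'LdapIpAddress','Ldap','LdapAtSite','Pdc','Gc','GcAtSite','GcIpAddress',
            'Kdc','KdcAtSite','Dc','DcAtSite','Rfc1510Kdc','Rfc1510KdcAtSite',
            'GenericGc','GenericGcAtSite','Rfc1510UdpKdc','Rfc1510Kpwd','Rfc1510UdpKpwd'
foreach ($site in $lagSites.Keys) {
    Invoke-Command -ComputerName $lagSites[$site].Dc -ScriptBlock {
        $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        Set-ItemProperty -Path $p -Name DnsAvoidRegisterRecords -Value $using:suppress -Type MultiString
        # Remove what is already in DNS, then let Netlogon re-register only what is still allowed.
        & nltest.exe /dsderegdns:"$env:COMPUTERNAME.corp.example"
        Restart-Service Netlogon
    }
}

# Check: lag DCs absent from the locator SRV answers, but their GUID CNAME still resolves.
Resolve-DnsName -Type SRV -Name '_ldap._tcp.dc._msdcs.corp.example' | Select-Object NameTarget
$dsaGuid = (Get-ADObject -Identity (Get-ADDomainController -Identity 'LAGDC01').NTDSSettingsObjectDN).ObjectGUID
Resolve-DnsName -Type CNAME -Name "$dsaGuid._msdcs.corp.example"
```

The registry value survives reboots, which addresses the "avoid it restarting" worry Dan raises about stopping Netlogon; the same list can be pushed by the "DC Locator DNS records not registered by the DCs" Group Policy setting if you prefer it to be enforced rather than configured per machine. The final two lookups are the test that matters: a lag DC that still appears in the SRV answer will be used for logons, and one whose GUID CNAME is gone will stop replicating.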
Re: [ActiveDir] AD DR - replication lag site----Why?
My 2 cents... Implementation of lag sites is a solution that was recommended to us by our MS Advisory Support Engineer. From what we have been told, MS is writing a whitepaper on implementing lag sites. Not sure when that would be officially released.

Arden
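Dan Holme's point b) earlier in the thread recommends logging group memberships regularly and comparing against the last known state, so that a group restored with adrestore can be repopulated and unexpected membership changes are noticed. Below is an added example of that practice; it is not code from the thread or from Dan. The OU name OU=Groups,DC=corp,DC=example, the folder C:\ADSnapshots and the sample snapshots are assumptions constructed for the example. The comparison itself is pure PowerShell and is exercised on the constructed data before being wired to the AD cmdlets.

```powershell
# Added example, not code from the thread: Dan Holme's point b), logging group
# memberships regularly and comparing against the last known state so a
# restored group can be repopulated (and unexpected changes noticed).
# Assumed names (not in the thread): OU=Groups,DC=corp,DC=example and the
# snapshot folder C:\ADSnapshots. The diff is pure PowerShell and is run below
# on a constructed pair of snapshots before being wired to the AD cmdlets.
Import-Module ActiveDirectory

function Get-GroupSnapshot {
    # @{ groupDN = sorted array of direct-member DNs } for every group under $SearchBase.
    param([string]$SearchBase)
    $snap = @{}
    foreach ($g in (Get-ADGroup -Filter * -SearchBase $SearchBase)) {
        $members = Get-ADGroupMember -Identity $g | Select-Object -ExpandProperty DistinguishedName
        $snap[$g.DistinguishedName] = @($members | Sort-Object)
    }
    return $snap
}

function Compare-GroupSnapshot {
    # Returns one record per group that was deleted, created, or changed membership.
    param([hashtable]$Old, [hashtable]$New)
    $names = @($Old.Keys) + @($New.Keys) | Sort-Object -Unique
    $out = foreach ($g in $names) {
        if (-not $New.ContainsKey($g)) {
            [pscustomobject]@{ Group = $g; Change = 'GroupDeleted'; Removed = @($Old[$g]); Added = @() }
            continue
        }
        if (-not $Old.ContainsKey($g)) {
            [pscustomobject]@{ Group = $g; Change = 'GroupCreated'; Removed = @(); Added = @($New[$g]) }
            continue
        }
        $removed = @($Old[$g] | Where-Object { $_ -notin $New[$g] })
        $added   = @($New[$g] | Where-Object { $_ -notin $Old[$g] })
        if ($removed.Count -or $added.Count) {
            [pscustomobject]@{ Group = $g; Change = 'MembershipChanged'; Removed = $removed; Added = $added }
        }
    }
    return @($out)
}

# Constructed sample data (not real directory content): yesterday vs today.
$yesterday = @{
    'CN=Finance-Admins,OU=Groups,DC=corp,DC=example' = @('CN=Alice,OU=Staff,DC=corp,DC=example', 'CN=Bob,OU=Staff,DC=corp,DC=example')
    'CN=Backup-Ops,OU=Groups,DC=corp,DC=example'     = @('CN=Carol,OU=Staff,DC=corp,DC=example')
}
$today = @{
    'CN=Finance-Admins,OU=Groups,DC=corp,DC=example' = @('CN=Alice,OU=Staff,DC=corp,DC=example', 'CN=Mallory,OU=Staff,DC=corp,DC=example')
    'CN=Helpdesk,OU=Groups,DC=corp,DC=example'       = @()
}
Compare-GroupSnapshot -Old $yesterday -New $today | Format-List
# Finance-Admins: Removed Bob, Added Mallory (someone to ask about);
# Backup-Ops: GroupDeleted with Carol as its last-known member, i.e. what you
# put back after an adrestore of the group; Helpdesk: GroupCreated.

function Save-GroupSnapshot {
    # Scheduled-task entry point: write today's snapshot, diff it against the newest earlier one.
    param([string]$SearchBase, [string]$Folder = 'C:\ADSnapshots')
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    $snap = Get-GroupSnapshot -SearchBase $SearchBase
    $file = Join-Path $Folder ('groups-{0:yyyyMMdd-HHmm}.json' -f (Get-Date))
    $snap | ConvertTo-Json -Depth 3 | Set-Content -Path $file -Encoding UTF8
    $prev = Get-ChildItem $Folder -Filter 'groups-*.json' |
            Where-Object { $_.FullName -ne $file } | Sort-Object LastWriteTime | Select-Object -Last 1
    if (-not $prev) { return }
    $old = @{}
    (Get-Content $prev.FullName -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $old[$_.Name] = @($_.Value) }
    Compare-GroupSnapshot -Old $old -New $snap
}
```

Run Save-GroupSnapshot from a scheduled task under an account that only has read access to the directory; the snapshot folder then becomes the "last-knowns" Dan refers to, and the GroupDeleted record for a group is exactly the member list you re-add after adrestore brings the group object back with its SID intact.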
RE: [ActiveDir] AD DR - replication lag site----Why not?
Well - then I guess that I don't have a problem with Recovery Manager anymore then. :o) (Cost, however, might be an issue... Don't know - never priced it because of the concern stated. Now mitigated.) But, I'm not likely to retire my Lag Site, nonetheless! Don't want to fix what's not broke, Todd.

Rick Kingslan
MCSE, MCSA, MCT, CISSP
Microsoft MVP: Windows Server / Directory Services, Windows Server / Rights Management, Windows Security (Affiliate)
Associate Expert, Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
RE: [ActiveDir] AD DR - replication lag site----Why?
Todd,

With all due respect, I think there are more people doing this than you think. You aren't using a Lag Site, so it's 'whacky'. Your opinion, so you're entitled to it. PSS blessed our implementation, BTW. If you'd like, I'll be happy to provide you with contacts for the ROSS tech (out of Las Colinas) that did our recent AD Health check in advance of our Win2k3/E2k3 upgrade. He stated that this was becoming a cheap, scalable solution to providing DR - and a few large organizations were using them at warm/hot sites because they also meet criteria for DR as addressed and required for Sarbanes.

And, I don't question the fact that a poor site design can cause problems. But, humbly, I submit that I know what I'm doing. Learn from what I do - or learn not. That's up to you.

I know that you have a liking for Quest - which is fine. I use some of their tools - just not Recovery Manager. However, in a DR situation when your DCs are being rebuilt from scratch - Recovery Manager is not a very valuable tool when there are no objects to 'undelete'.

As for Guido - I hope he chimes in as well. He seems to be one of the few that you trust - regardless of those that have supported you in the past. Hopefully then - we can put this behind us.

Me, I'll keep doing what has been successful for me for two years, thank you.

-rtk
RE: [ActiveDir] AD DR - replication lag site----Why?
Arden,

Validation - I'm not the only one that MS is telling that 'whacky' things are a good thing.

-rtk
RE: [ActiveDir] AD DR - replication lag site----Why?
Using my non-scientific personal observations, of the last 50 or so customers I've been to I believe only 3 had lag sites. Of those 3, none had done what I'd call a good job of setting it up (they had basically just created a separate site with a longer replication interval). Of the other ~47, perhaps half knew of lag sites and were either interested in the concept or had plans to implement them. How many actually will I can't say. These are all Premier customers. So, based on my personal experience, I'm more inclined to agree with Todd. I think, however, that over the next couple years lag sites will become the norm as virtualization becomes commonplace and best practices are better documented and understood.
RE: [ActiveDir] AD DR - replication lag site----Why not?
Ummm ... U . Not sure what I'm allowed to say. Ok, I just had a long conversation with Stuart ... it'll take me awhile to write up something a little more accurate than the below. More to come ...

Cheers,
-BrettSh [msft]

On Fri, 20 May 2005, Rick Kingslan wrote:

Well - then I guess that I don't have a problem with Recovery Manager anymore then. :o) (Cost, however, might be an issue... Don't know - never priced it because of the concern stated. Now mitigated.) But, I'm not likely to retire my Lag Site, nonetheless! Don't want to fix what's not broke, Todd.

Rick Kingslan
RE: [ActiveDir] AD DR - replication lag site----Why?
This is pretty easily overcome. You simply modify the schema and tell it not to scrub all of the entries. This doesn't work for everything but can definitely get you close. Coupled with an AD/AM to maintain last known states and you can easily and freely recover your data.

joe

-Original Message-
From: Jorge de Almeida Pinto
Sent: Friday, May 20, 2005 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site----Why?

You are correct, there are free tools to do a restore of objects. There is one problem though with deleting and reanimating objects. When an object is deleted almost all info is stripped from it besides some important attributes (SID, GUID, etc.). If you reanimate the object you'll get a stripped object and all other info (attributes) is NOT restored because it is not available anymore. That is where the third-party tools and the LAG site come in... preserving a copy of the object and all of its info (attributes).

Cheers
#JORGE#

-Original Message-
From: Dan Holme
Sent: Thursday, May 19, 2005 16:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site----Why?

Two more notes on this issue:

1) THIRD PARTY AD RESTORE TOOLS. Sounds like it's clear, now, WHY lag sites are so popular. Yes, there are third party products (particularly Quest Recovery Manager) that work quite well if you have a budget for that. Here's my take as to why my IT budget shouldn't be spent on those tools (and *should* be spent on OTHER tools by some of those same companies).

a) Deleted objects can be avoided with proper delegation. It's so important that you properly delegate and properly use accounts with administrative logon (i.e. with 'secondary logon' only) that this trumps just about everything. At most of my clients, NOBODY (from a practical perspective) can delete users or groups. We have a process we call graveyarding, whereby an account is tagged (using a variety of methods) and, with a SCRIPT, moved to an OU where they stay for 90 days before being deleted (again, only by the SCRIPT). The only other accounts that can delete users and groups are the super-high admins (e.g. Domain Admins equivalents). This is only a piece of the picture, but it is an important piece.

b) Deleted objects can be restored for FREE using ADRESTORE from Sysinternals. Granted, this tool brings back only the object (SID, GUID, DN, CN) but that's all that really matters, right? The best (FREE) approaches we take at clients include *regularly* logging group memberships in a custom database (to compare to last-knowns and watch for issues easily and free-ly). So when we restore a group we can repopulate membership quickly, anyway. So with good processes, it's FREE and easy to restore objects in most situations.

c) Windows Server 2003 SP1 adds a feature that makes reanimating groups MUCH easier when you have deleted groups and users. No more auth restore two times necessary. (Haven't seen it? Do an auth restore on a group on an SP1 DC and find the LDIF file it creates!!)

d) That leaves only really nasty deletions (e.g. an entire OU), which, given a and b, will probably never happen. And when they do, an auth restore on a lag site takes a very short time.

e) Therefore, I save my IT budget and use the $ on tools to aid provisioning, auditing and monitoring, again to avoid problems in the first place.

2) PREVENTING AUTHENTICATION ON LAG SITE. As I mentioned, the method I've heard of, and that we're testing, is to stop the NetLogon service on the lag DCs. There are several ways to avoid it restarting when/if the DC is rebooted. The article referenced in the ORIGINAL post suggested modifying which SRV records are registered. This should work, I'd guess, and is more elegant. The trick is that SRV records are not registered. The A records still are, so DCs should be able to find each other and replicate successfully, but clients won't 'see' the DCs as a viable authentication option. I've not tried that approach but it sounded really good.

3) OK, three notes. LAG SITES can be done with DCs in a site with a long replication interval, or by changing the replication WINDOW (schedule). It's a good idea to have TWO lag sites on alternating frequencies, to avoid a situation where something awful happens just before a lag site happens to replicate. Someone detailed this earlier, and it's a good note!

Dan

-Original Message-
From: Myrick, Todd (NIH/CC/DNA)
Sent: Thursday, May 19, 2005 6:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site----Why?
[...]
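Dan's graveyarding process (note 1a above) as an added PowerShell example; this is not Dan's script nor any client's. It assumes the ActiveDirectory module, a holding OU at OU=Graveyard,DC=example,DC=com, that the `info` attribute is free to carry the stamp, and 90 days of retention; the account name in the usage lines is constructed.

```powershell
# Added example of a graveyarding process (not Dan Holme's or any client's script).
# Assumes the ActiveDirectory module, a holding OU at OU=Graveyard,DC=example,DC=com,
# the 'info' attribute being free to hold the stamp, and 90 days of retention.
Import-Module ActiveDirectory

$GraveyardOU   = 'OU=Graveyard,DC=example,DC=com'   # assumed holding OU
$RetentionDays = 90
$StampPrefix   = 'GRAVEYARD:'

# Step 1: no Delete right is needed and nothing is lost. The account is disabled,
# stamped with a UTC timestamp, renamed so its state is obvious in the GUI, and
# moved. objectGUID is used as the identity throughout because the DN changes
# after the rename and again after the move.
function Move-UserToGraveyard {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user  = Get-ADUser -Identity $SamAccountName
    $stamp = $StampPrefix + (Get-Date).ToUniversalTime().ToString('o')   # round-trip format

    Disable-ADAccount -Identity $user.ObjectGUID
    Set-ADUser        -Identity $user.ObjectGUID -Replace @{ info = $stamp }
    Rename-ADObject   -Identity $user.ObjectGUID -NewName ('zz_graveyard_' + $user.Name)
    Move-ADObject     -Identity $user.ObjectGUID -TargetPath $GraveyardOU
}

# Step 2: the only path that deletes. Meant to run as a scheduled task under the
# one service account that holds Delete on the holding OU. It touches nothing
# outside that OU, nothing still enabled, nothing without a stamp, and nothing
# stamped less than $RetentionDays ago. -WhatIf lists what would be removed.
function Remove-ExpiredGraveyardUsers {
    param([switch]$WhatIf)

    $cutoff  = (Get-Date).ToUniversalTime().AddDays(-$RetentionDays)
    $pattern = '^' + [regex]::Escape($StampPrefix) + '(\S+)$'

    Get-ADUser -SearchBase $GraveyardOU -SearchScope OneLevel -Filter * -Properties info |
        ForEach-Object {
            if ($_.Enabled -or -not ($_.info -match $pattern)) { return }   # skip, next object
            $stamped = [datetime]::Parse($Matches[1], [cultureinfo]::InvariantCulture,
                           [System.Globalization.DateTimeStyles]::RoundtripKind)
            if ($stamped -lt $cutoff) {
                Remove-ADUser -Identity $_.ObjectGUID -Confirm:$false -WhatIf:$WhatIf
            }
        }
}

# Constructed usage: park one account, then dry-run the purge.
Move-UserToGraveyard -SamAccountName 'jdoe'
Remove-ExpiredGraveyardUsers -WhatIf
```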
RE: [ActiveDir] AD DR - replication lag site----Why?
I would tend to agree with what David is saying from what I have seen of lag sites as well. Not many people, relatively, doing it, and those that are are likely to be doing it in a roughshod way.

I am not a huge fan of lag sites. I think they are ok, but for instance didn't think they deserved 3 or 4 different speakers talking about it at the DEC in DC a couple of years ago. I am far more interested in taking away the rights from people to do the stupid deletions in the first place like was mentioned previously. Seriously, I have done 0, count them, 0 restores of objects in production and have been involved in some rather seriously sized implementations, 5 years of lead AD tech for a Fortune 5 directory. The lax decision of "accidental deletions happen" is not a mentality I am likely to subscribe to. If someone deleted something, my feeling is, they knew what they were doing and they were adequately aware of what they did. First off, don't delete right off. Disable, rename, and move. Second off, don't do admin through the GUI; too easy to click on an OU when deleting than a single user. Third off, don't let people have the power to delete things. Let them request deletes of automated systems that are designed to follow good rules so appear to be smarter than the admins.

There were mentions of supportability, etc. I would not be surprised to hear MS say this is supported. Honestly, it isn't that whacky from a technical standpoint. However, if someone has gone through the supportability review process I *HIGHLY* recommend they keep any and all docs with the names of the MS people involved locked up and saved. I have had it occur more than once over the years where I was told something was supported and fine and then several years later have them looking at me saying they would never have approved this or that. Some of the times I didn't have docs and was screwed, as MS I have found is fond of saying "we don't have any documentation of that being said or being done"; other times I had docs and then I see PSS trying to find reasons why they missed the issue or something else in the doc not being followed that they try to imply makes the whole thing moot. Unfortunately PSS will declare a lot of things as unsupportable even if they have no good answer themselves, for instance, scripted GPO deployment pre-GPMC. There were several years there that people were forced to come up with their own mechanisms for scripted GPO deployment before GPMC was released because the normal GUI just wouldn't cut it; they are all unsupported by MS. Unfortunately companies won't tend to find out until they contact MS about it or PSS stumbles upon it.

Back to lag sites: you, of course, have the possibilities of directory corruption, etc. where you lose the entire directory in one fell swoop. A lag site could be used here but an auth restore is probably not going to be what you need to save you; you need to rebuild everything. Personally, over a lag site I would use a site with a bunch of virtual DCs that you are taking down together and backing up the disk images of, and then if you need to roll back, you pick the day or 4, 6, 8, 12 hour period and roll back to it once everything else has been taken offline and you build the rest of your environment back out from this seed environment. This gives you the additional benefit of having an environment you can take into a segregated lab and test stuff any time you need to. It just needs to be done right or you will have Brett snickering at you.

As I mentioned in an earlier post, if you are afraid of deleted objects, I would recommend judicious use of searchFlags 0x08 and admod with the -undel option. Couple that with a simple AD/AM directory that you don't let your loose-cannon admins have access to and you can pretty easily get things back.

joe

-Original Message-
From: David Adner
Sent: Friday, May 20, 2005 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site----Why?

Using my non-scientific personal observations, of the last 50 or so customers I've been to I believe only 3 had lag sites. Of those 3, none had done what I'd call a good job of setting it up (they had basically just created a separate site with a longer replication interval). Of the other ~47, perhaps half knew of lag sites and were either interested in the concept or had plans to implement them. How many actually will I can't say. These are all Premier customers. So, based on my personal experience, I'm more inclined to agree with Todd. I think, however, that over the next couple years lag sites will become the norm as virtualization becomes commonplace and best practices are better documented and understood.

-Original Message-
From: Rick Kingslan
Sent: Friday, May 20, 2005 15:49
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD
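joe's "modify the schema so it is not scrubbed" (searchFlags 0x08, here and in his earlier reply) and Jorge's stripped-tombstone problem, as an added PowerShell example that is neither joe's nor Jorge's code: set the preserve-on-delete bit on one attribute, inspect what a tombstone still carries, and reanimate it. Restore-ADObject stands in for admod -undel; the example assumes the ActiveDirectory module, Schema Admins membership for the first function, `department` as the attribute to preserve, and constructed account and OU names.

```powershell
# Added example (not joe's or Jorge's code). Assumes the ActiveDirectory module,
# Schema Admins membership for Set-PreserveOnDelete, and 'department' as the
# attribute that should survive deletion; the names in the usage lines are constructed.
Import-Module ActiveDirectory

$PRESERVE_ON_DELETE = 0x08   # searchFlags bit: keep this attribute on the tombstone

# joe's "modify the schema": flip one bit on the attributeSchema object.
# searchFlags is a bit field (indexing, ANR, confidential, ...), so OR it in.
# Only deletions that happen AFTER the change benefit; existing tombstones
# have already been stripped.
function Set-PreserveOnDelete {
    param([Parameter(Mandatory)][string]$LdapDisplayName)

    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -Properties searchFlags `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    if (-not $attr) { throw "attribute '$LdapDisplayName' not found in the schema" }

    $flags = [int]$attr.searchFlags
    if (-not ($flags -band $PRESERVE_ON_DELETE)) {
        Set-ADObject -Identity $attr.DistinguishedName `
            -Replace @{ searchFlags = ($flags -bor $PRESERVE_ON_DELETE) }
    }
}

# Jorge's point, made visible: list what a tombstone still carries. Out of the
# box that is objectSid, objectGUID, sAMAccountName, lastKnownParent and a few
# more; memberOf, description and the rest are gone unless preserved above.
# The newest tombstone wins if the same account was deleted more than once.
function Get-Tombstone {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Get-ADObject -IncludeDeletedObjects -Properties * `
        -LDAPFilter "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))" |
        Sort-Object whenChanged -Descending | Select-Object -First 1
}

# The reanimation itself. Restore-ADObject performs the same LDAP undelete that
# ADRESTORE and admod -undel do; without the Recycle Bin you get exactly the
# attributes the tombstone kept and nothing more, so membership and other state
# still has to come from a lag DC or a last-known copy (joe's AD/AM).
function Restore-Tombstone {
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][string]$TargetOU)
    $ts = Get-Tombstone -SamAccountName $SamAccountName
    if (-not $ts) { throw "no tombstone for '$SamAccountName'" }
    # a tombstone's name is '<original CN>' + LF + 'DEL:<guid>'; keep the original CN
    $cn = ($ts.Name -split "`nDEL:")[0]
    Restore-ADObject -Identity $ts.ObjectGUID -TargetPath $TargetOU -NewName $cn
}

# Constructed usage: preserve 'department', then, once some account has been deleted,
# see what survived and bring it back.
Set-PreserveOnDelete -LdapDisplayName 'department'
(Get-Tombstone -SamAccountName 'jdoe').PropertyNames | Sort-Object
Restore-Tombstone -SamAccountName 'jdoe' -TargetOU 'OU=Restored,DC=example,DC=com'
```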
RE: [ActiveDir] AD DR - replication lag site
Regards,
Yann TIROA
Centre de Ressources Informatique.
Campus Scientifique de la DOUA.
Bât. Gabriel Lippmann - 2ème étage - salle 238.
43, Bd du 11 Novembre 1918.
69622 Villeurbanne Cedex.

-Original Message-
From: Rick Kingslan
Sent: Wednesday, 18 May 2005 16:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

(Caveat - I didn't go read the article; fairly certain what this is about.)

I've implemented something quite similar to this in my environment - except I did it quite a bit differently - and I think that it's a very viable DR and near-line recovery solution. What we did in our Enterprise was to stand up a VMWare server at our DR site (VERY well connected - it's a warm site) and created 8 DC instances with repl schedules from 30 minutes to 1 month. In the event that we have a BIG problem, or a small one (we had one of our remote site Admins delete his whole computers OU for his site), we are able to do an authoritative restore (or a non-auth, then auth, depending on circumstances) to correct a problem of this type.

Me, personally - I sleep much better knowing that I have this system in place. It works for us, and we also used a similar process to protect us from major problems during our schema upgrades for Win2k3 and Exchange 2k3 (as well as Cisco Unity and CallManager).

-rtk

-Original Message-
From: Danny
Sent: Wednesday, May 18, 2005 8:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD DR - replication lag site

I am interested in your thoughts regarding this suggestion for DR: http://searchwin2000.techtarget.com/tip/1,289483,sid1_gci1086805,00.html (You may need to register)

Basically it states that you should create another AD site and set the replication for 168 hours.
Thank you,
...D
RE: [ActiveDir] AD DR - replication lag site
Hello,

Thanks for these interesting tips, but I didn't really understand the technology behind a lag site in the case of just a deletion of an entire OU with many objects. For example, if I have an AD 2003 domain with 2 sites:
Site A has 2 DCs
Site B has one DC and is the lag site
Between the 2 sites, I scheduled repl to occur every 1 week.

In the situation of an OU deletion, I go to the DC where I have made the deletion, and do an authoritative restore in dsmode and after reboot, wait for replication to take place in order to repopulate all my domain with my OU restored. So what will the lag site help me with in this situation? I can understand that a lag site will help me if all my DCs in site A crashed. So I would take all information from the lag site to be restored in site A, such as copying my domain from the lag site by doing a dcpromo /adv, and go to my freshly installed DCs on site A, and restore my whole domain. However, I think I will have more updated information by restoring from my yesterday backup than from the lag site...

So, could you help me better understand the technology behind a lag site? I think I misunderstand something important ;-(

Thank you for your feedback. Have a nice day :-)

Regards,
Yann
RE: [ActiveDir] AD DR - replication lag site
The major issue is the SPEED of recovery. With a lag site, you ONLY have to do an authoritative restore (NTDSUTIL). Without a lag site, you must first restore the AD from backup tape ('normal' restore), which can take quite some time. Then, and only then, can you do the auth restore.

-Original Message-
From: TIROA YANN
Sent: Wednesday, May 18, 2005 11:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site
[...]
RE: [ActiveDir] AD DR - replication lag site
That solution is fine until the machine is rebooted and netlogon starts again :)

Why not change the DNS SRV record priorities/weights? Or alternatively, place the DC in a separate site, which consists of just 1 subnet (i.e. the subnet where the DC itself lives).

If DNS records are removed, then the DC will fail to authenticate and replicate with other DCs.

neil

-Original Message-
From: Dan Holme
Sent: 18 May 2005 23:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

I have several large clients who are going this direction and are in testing right now. Things look quite good. I had read somewhere that an alternative approach to preventing authentication to the 'lag' DCs was to stop the Netlogon service. The approach of removing DNS records seems more elegant, and I'll be interested to hear ppls thoughts on these alternatives.

Dan

-Original Message-
From: Danny
Sent: Wednesday, May 18, 2005 6:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD DR - replication lag site
[...]
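The two ways of keeping clients off a lag DC that come up in this exchange and in Dan's later note 2 (stop registering the locator SRV records, or keep them but at a low priority/weight), as an added PowerShell example that is neither the article's nor Neil's nor Dan's procedure. It is run on the lag DC, assumes Windows PowerShell with the DnsClient module for Resolve-DnsName, and uses constructed names (corp.example.com, lagdc1.corp.example.com).

```powershell
# Added example (not the article's, Neil's or Dan's procedure); run on the lag DC.
# Assumes Windows PowerShell with the DnsClient module; domain and host names are constructed.
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Mnemonics for the DnsAvoidRegisterRecords value. Deliberately NOT listed:
# LdapIpAddress / GcIpAddress (the plain A records for the domain and forest
# names, Dan's "A records still are") and DcByGuid (the CNAME under _msdcs that
# replication partners use to reach this DC). Everything listed is what the DC
# locator consumes, so without them no client is steered to the stale DC.
$SrvMnemonics = @(
    'Ldap', 'LdapAtSite', 'Pdc', 'Gc', 'GcAtSite', 'GenericGc', 'GenericGcAtSite',
    'Kdc', 'KdcAtSite', 'Dc', 'DcAtSite',
    'Rfc1510Kdc', 'Rfc1510KdcAtSite', 'Rfc1510UdpKdc', 'Rfc1510Kpwd', 'Rfc1510UdpKpwd'
)

# Option A (Dan's note 2): do not register the locator SRV records at all.
# Unlike stopping Netlogon, this survives a reboot because Netlogon re-reads
# the value every time it starts.
function Disable-LagDcAdvertising {
    Set-ItemProperty -Path $NetlogonParams -Name DnsAvoidRegisterRecords `
        -Type MultiString -Value $SrvMnemonics
    Restart-Service Netlogon
    # Records registered before the change can linger: run Test-LagDcAdvertising
    # afterwards and delete any leftover SRV entries for this host from the zone.
}

# Option B (Neil's suggestion): keep the records but make the lag DC the last
# choice. SRV priority: lower wins, so 200 sorts behind the default 0; weight only
# matters between equal priorities. Residual risk: if every normal DC of a site
# is unreachable, clients fall through to this stale DC, which is why A is the
# stronger control.
function Set-LagDcLowPriority {
    Set-ItemProperty -Path $NetlogonParams -Name LdapSrvPriority -Type DWord -Value 200
    Set-ItemProperty -Path $NetlogonParams -Name LdapSrvWeight   -Type DWord -Value 1
    Restart-Service Netlogon
}

# Verification from any domain member: the lag DC must be absent from the
# DC-locator SRV set, while its host A record must still resolve so that
# replication partners can reach it.
function Test-LagDcAdvertising {
    param(
        [string]$DomainDnsName = 'corp.example.com',        # constructed
        [string]$LagDcFqdn     = 'lagdc1.corp.example.com'  # constructed
    )
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainDnsName" -Type SRV -ErrorAction Stop
    $hit = @($srv | Where-Object { $_.NameTarget -ieq $LagDcFqdn })
    $a   = Resolve-DnsName -Name $LagDcFqdn -Type A -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LagDc           = $LagDcFqdn
        AdvertisedAsDc  = ($hit.Count -gt 0)
        SrvPriority     = $(if ($hit.Count -gt 0) { $hit[0].Priority } else { $null })
        HostRecordFound = [bool]$a
        Ok              = ($hit.Count -eq 0) -and [bool]$a   # true only for option A
    }
}

Disable-LagDcAdvertising
Test-LagDcAdvertising
```

Note that an application that binds to the bare domain name (resolved through the LdapIpAddress A record rather than the locator) can still land on the lag DC; removing that mnemonic too would break replication partner lookup only if DcByGuid were removed as well, so keep both and watch the lag DC's LDAP bind logs instead.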
RE: [ActiveDir] AD DR - replication lag site
Hello,

I must apologize, but I'm a little bit confused. You said "With a lag site, you ONLY have to do an authoritative restore (NTDSUTIL)". Do you mean if I delete my OU on a DC in site A, all I have to do is an authoritative restore, not on site A, BUT on the DC on the lag site, reboot, and force replication to site A? And the non-authoritative restore will in fact be the data on the lag site, which explains your previous sentence? Wow! That's very clever!! Am I right?

Regards,
Yann

-Original Message-
From: Dan Holme
Sent: Thursday, 19 May 2005 08:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site
[...]
RE: [ActiveDir] AD DR - replication lag site
If the deletion occurs on DC1, then a DC (DC2) in the lag site will not receive the deletion immediately. You therefore have a window of opportunity in which the deletion may be 'undone'. The deleted object may be auth restored on DC2 and thus replicated / reanimated on DC1 (and any other DC which has received the deletion).

[My terminology may not be acceptable to some - I have deliberately explained this in simplistic terms :)]

neil

-Original Message-
From: TIROA YANN
Sent: 19 May 2005 08:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site
[...]
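Neil's "window of opportunity", together with Danny's 168-hour link, Rick's staggered schedules and Dan's two-lag-sites-on-alternating-frequencies note, as an added PowerShell example that is none of their configurations: two lag sites, each its own site object with a subnet holding only the lag DC and a site link whose schedule opens for one hour a week, half a week apart, plus a calculator for how long a given deletion can still be undone from each. It assumes the ActiveDirectory module, an existing hub site named HQ, that the only site link touching each lag site is the one created here, and constructed subnet values.

```powershell
# Added example (not the article's, Rick's, Dan's or Neil's configuration).
# Assumes the ActiveDirectory module, a hub site named 'HQ', that no other site
# link touches the lag sites, and that the lag DCs are promoted into these sites
# afterwards. Subnets are constructed values.
Import-Module ActiveDirectory

# One lag site = its own site object, a subnet containing only the lag DC (so no
# client ever maps to the site), and a site link to the hub whose schedule opens
# for a single hour per week. The article's 168-hour interval also works; a
# fixed window is used here because the undo calculation below depends on
# knowing exactly when the lag DC next pulls.
function New-LagSite {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Subnet,          # e.g. '10.99.1.0/28', lag DC only
        [Parameter(Mandatory)][DayOfWeek]$OpenDay,
        [Parameter(Mandatory)][ValidateRange(0, 23)][int]$OpenHour,
        [string]$HubSite = 'HQ'
    )
    New-ADReplicationSite   -Name $Name
    New-ADReplicationSubnet -Name $Subnet -Site $Name

    $schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
    $schedule.ResetSchedule()                       # closed all week ...
    $schedule.SetSchedule($OpenDay,
        [System.DirectoryServices.ActiveDirectory.HourOfDay]$OpenHour,
        [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
        [System.DirectoryServices.ActiveDirectory.HourOfDay]$OpenHour,
        [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::FortyFive)  # ... except this hour

    New-ADReplicationSiteLink -Name "$HubSite-$Name" -SitesIncluded $HubSite, $Name `
        -Cost 500 -ReplicationFrequencyInMinutes 15 -ReplicationSchedule $schedule
}

# Neil's window, made explicit. For a deletion made at $DeletedAt, find each lag
# DC's first window that had not closed yet; if the deletion fell inside an open
# window the copy there may already be gone. Two windows half a week apart keep
# the worst case close to 3.5 days instead of "minutes, if you are unlucky".
function Get-UndoWindow {
    param(
        [datetime]$DeletedAt = (Get-Date),
        [datetime]$Now       = (Get-Date),
        [hashtable]$LagWindows = @{
            'Lag-A' = @{ Day = 'Sunday';    Hour = 2 }
            'Lag-B' = @{ Day = 'Wednesday'; Hour = 2 }
        }
    )
    foreach ($site in $LagWindows.Keys) {
        $w    = $LagWindows[$site]
        $next = $DeletedAt.Date.AddHours($w.Hour)
        while ($next.AddHours(1) -le $DeletedAt -or $next.DayOfWeek -ne [DayOfWeek]$w.Day) {
            $next = $next.AddDays(1)
        }
        $deletedDuringWindow = $next -le $DeletedAt
        [pscustomobject]@{
            Site            = $site
            NextReplication = $next
            StillPreDelete  = (-not $deletedDuringWindow) -and ($Now -lt $next)
            HoursLeft       = [math]::Round(($next - $Now).TotalHours, 1)
        }
    }
}

# Constructed usage: build both lag sites, then see which one to restore from
# for a deletion noticed just now.
New-LagSite -Name 'Lag-A' -Subnet '10.99.1.0/28' -OpenDay Sunday    -OpenHour 2
New-LagSite -Name 'Lag-B' -Subnet '10.99.2.0/28' -OpenDay Wednesday -OpenHour 2
Get-UndoWindow | Sort-Object HoursLeft -Descending | Format-Table -AutoSize
```

The auth restore should be done on the lag DC with the most hours left while StillPreDelete is true; a lag DC whose window has already opened since the deletion is no better than any other DC.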
RE: [ActiveDir] AD DR - replication lag site
Neil,

I now understand... I'm a new man by now thanks to the mysterious lag site that has been revealed to me :-)) Thanks a lot for your explanations.

Regards,
Yann TIROA
Centre de Ressources Informatique.
Campus Scientifique de la DOUA.
Bât. Gabriel Lippmann - 2ème étage - salle 238.
43, Bd du 11 Novembre 1918.
69622 Villeurbanne Cedex.

-Original Message-
From: Ruston, Neil
Sent: Thursday, 19 May 2005 10:09
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD DR - replication lag site
[...]
RE: [ActiveDir] AD DR - replication lag site----Why?
Is it cheaper and more efficient to go the replication lag site route than to buy a proper backup and object-level restore solution? I mean, not to toot a vendor's horn, but Quest Recovery Manager turns the process of restoring objects into a 15-minute click-click operation. I would hate to think of the number of steps you all must do to reanimate the object in a directory using the Recovery Site. From an operations standpoint, there is no substitute for a proper backup solution and object-level restore utility for AD.

Thanks,
Todd Myrick

-Original Message-
From: TIROA YANN [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 19, 2005 4:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

Neil, I now understand... I'm a new man by now thanks to the mysterious lag site that has been revealed to me :-)) Thanks a lot for your explanations.

Regards,
Yann TIROA
Centre de Ressources Informatique. Campus Scientifique de la DOUA. Bât. Gabriel Lippmann - 2nd floor - room 238. 43, Bd du 11 Novembre 1918. 69622 Villeurbanne Cedex.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, May 19, 2005 10:09
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD DR - replication lag site

If the deletion occurs on DC1, then a DC (DC2) in the lag site will not receive the deletion immediately. You therefore have a window of opportunity in which the deletion may be 'undone'. The deleted object may be auth restored on DC2 and thus replicated / reanimated on DC1 (and any other DC which has received the deletion).

[My terminology may not be acceptable to some - I have deliberately explained this in simplistic terms :)]

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 19 May 2005 08:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

Hello, I must apologize, but I'm a little bit confused. You said: "With a lag site, you ONLY have to do an authoritative restore (NTDSUTIL)." Do you mean that if I delete my OU on a DC in site A, all I have to do is an authoritative restore, not on site A, BUT on the DC on the lag site, reboot, and force replication to site A? And the non-authoritative restore will in fact be the data on the lag site, which explains your previous sentence? Wow! That's very clever!! Am I right?

Regards,
Yann

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Thursday, May 19, 2005 08:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

The major issue is the SPEED of recovery. With a lag site, you ONLY have to do an authoritative restore (NTDSUTIL). Without a lag site, you must first restore the AD from backup tape ('normal' restore), which can take quite some time. Then, and only then, can you do the auth restore.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Wednesday, May 18, 2005 11:46 PM
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

Hello, Thanks for this interesting tip, but I didn't really understand the technology behind a lag site in the case of just a deletion of an entire OU with many objects. For example, if I have an AD 2003 domain with 2 sites: Site A has 2 DCs; Site B has one DC and is the lag site. Between the 2 sites, I scheduled replication to occur every 1 week. In the situation of an OU deletion, I go to the DC where I made the deletion, do an authoritative restore in dsmode and, after reboot, wait for replication to take place in order to repopulate all my domain with my OU restored. So how will the lag site help me in this situation? I can understand that a lag site will help me if all my DCs in site A crashed. Then I would take all the information from the lag site to be restored in site A, such as copying my domain from the lag site by doing a dcpromo /adv on my freshly installed DCs in site A, and restore my whole domain. However, I think I will have more up-to-date information by restoring from yesterday's backup than from the lag site... So, could you help me better understand the technology behind a lag site? I think I misunderstand something important ;-( Thank you for your feedback. Have a nice day :-)

Regards,
Yann

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

== This message is for the sole use of the intended recipient. If you received this message in error
RE: [ActiveDir] AD DR - replication lag site----Why?
Two more notes on this issue:

1) THIRD PARTY AD RESTORE TOOLS. Sounds like it's clear, now, WHY lag sites are so popular. Yes, there are third party products (particularly Quest Recovery Manager) that work quite well if you have a budget for that. Here's my take as to why my IT budget shouldn't be spent on those tools (and *should* be spent on OTHER tools by some of those same companies).

a) Deleted objects can be avoided with proper delegation. It's so important that you properly delegate and properly use accounts with administrative logon (i.e. with 'secondary logon' only) that this trumps just about everything. At most of my clients, NOBODY (from a practical perspective) can delete users or groups. We have a process we call graveyarding, whereby an account is tagged (using a variety of methods) and, with a SCRIPT, moved to an OU where it stays for 90 days before being deleted (again, only by the SCRIPT). The only other accounts that can delete users and groups are the super-high admins (e.g. Domain Admins equivalents). This is only a piece of the picture, but it is an important piece.

b) Deleted objects can be restored for FREE using ADRESTORE from Sysinternals. Granted, this tool brings back only the object (SID, GUID, DN, CN) but that's all that really matters, right? The best (FREE) approaches we take at clients include *regularly* logging group memberships in a custom database (to compare to last-knowns and watch for issues easily and free-ly). So when we restore a group we can repopulate membership quickly, anyway. So with good processes, it's FREE and easy to restore objects in most situations.

c) Windows Server 2003 SP1 adds a feature that makes reanimating groups MUCH easier when you have deleted groups/users. No more auth restore two times necessary. (Haven't seen it? Do an auth restore on a group on an SP1 DC and find the LDIF file it creates!!)

d) That leaves only really nasty deletions (e.g. an entire OU), which, given a) and b), will probably never happen. And when they do, an auth restore on a lag site takes a very short time.

e) Therefore, I save my IT budget and use the $ on tools to aid provisioning, auditing and monitoring, again to avoid problems in the first place.

2) PREVENTING AUTHENTICATION ON LAG SITE. As I mentioned, the method I've heard of, and that we're testing, is to stop the NetLogon service on the lag DCs. There are several ways to avoid it restarting when/if the DC is rebooted. The article referenced in the ORIGINAL post suggested modifying which SRV records are registered. This should work, I'd guess, and is more elegant. The trick is that SRV records are not registered. The A records still are, so DCs should be able to find each other and replicate successfully, but clients won't 'see' the DCs as a viable authentication option. I've not tried that approach but it sounded really good.

3) OK, three notes. LAG SITES can be done with DCs in a site with a long replication interval, or by changing the replication WINDOW (schedule). It's a good idea to have TWO lag sites on alternating frequencies, to avoid a situation where something awful happens just before a lag site happens to replicate. Someone detailed this earlier, and it's a good note!

Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: Thursday, May 19, 2005 6:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag siteWhy?

Is it cheaper and more efficient to go the replication lag site route than to buy a proper backup and object-level restore solution? I mean, not to toot a vendor's horn, but Quest Recovery Manager turns the process of restoring objects into a 15-minute click-click operation. I would hate to think of the number of steps you all must do to reanimate the object in a directory using the Recovery Site. From an operations standpoint, there is no substitute for a proper backup solution and object-level restore utility for AD.

Thanks,
Todd Myrick
RE: [ActiveDir] AD DR - replication lag site
For those of you that are in a MOM environment and have created a lag site, how are you overcoming the replication latency messages?

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, May 19, 2005 4:09 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD DR - replication lag site

If the deletion occurs on DC1, then a DC (DC2) in the lag site will not receive the deletion immediately. You therefore have a window of opportunity in which the deletion may be 'undone'. The deleted object may be auth restored on DC2 and thus replicated / reanimated on DC1 (and any other DC which has received the deletion).

[My terminology may not be acceptable to some - I have deliberately explained this in simplistic terms :)]

neil
RE: [ActiveDir] AD DR - replication lag site
Just two things...

Disable Netlogon. If it's disabled as a policy or by going to services and changing the service properties, restarting on reboot won't be an issue. Disabled is disabled, regardless.

As to DNS records, I suppose that if the Netlogon service is disabled (primarily responsible for registering the SRV records) one could remove the _kerberos records for the lag site servers. I can pretty much assure you that without Kerberos records, the DCs will not be offered up as authN points.

-rtk

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, May 19, 2005 2:46 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD DR - replication lag site

That solution is fine until the machine is rebooted and netlogon starts again :)

Why not change the DNS SRV record priorities/weights? Or alternatively, place the DC in a separate site, which consists of just 1 subnet (i.e. the subnet where the DC itself lives).

If DNS records are removed, then the DC will fail to authenticate and replicate with other DCs.

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: 18 May 2005 23:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

I have several large clients who are going this direction and are in testing right now. Things look quite good. I had read somewhere that an alternative approach to preventing authentication to the 'lag' DCs was to stop the Netlogon service. The approach of removing DNS records seems more elegant, and I'll be interested to hear people's thoughts on these alternatives.

Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Wednesday, May 18, 2005 6:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD DR - replication lag site

I am interested in your thoughts regarding this suggestion for DR: http://searchwin2000.techtarget.com/tip/1,289483,sid1_gci1086805,00.html (You may need to register)

Basically it states that you should create another AD site and set the replication for 168 hours.

Thank you,
...D
RE: [ActiveDir] AD DR - replication lag site
Yann,

If you remember the situation that I proposed for you (it's working in my environment today, so I'm fairly certain of its viability), I use a VMWare server with multiple DC instances. Each instance is staggered for replication - from 30 minutes to 30 days. In the instance of a problem in which an object needs to be restored, an authoritative restore is done on the correct DC (based on when the deletion was noticed, and which lag site DC has the most current information) and the replication is forced.

So, if I read your message correctly, I think that you've got the picture of what is going on here.

-rtk

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Thursday, May 19, 2005 2:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

Hello, I must apologize, but I'm a little bit confused. You said: "With a lag site, you ONLY have to do an authoritative restore (NTDSUTIL)." Do you mean that if I delete my OU on a DC in site A, all I have to do is an authoritative restore, not on site A, BUT on the DC on the lag site, reboot, and force replication to site A? And the non-authoritative restore will in fact be the data on the lag site, which explains your previous sentence? Wow! That's very clever!! Am I right?

Regards,
Yann
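As an added example (my own code, not anything posted in this thread), here is a small Python planner for Rick's staggered lag DCs above and for Dan's note 3) earlier about running two lag sites on alternating schedules: given lag DCs with fixed inbound replication schedules, it picks the clean and most current DC to auth-restore from once a deletion is noticed, reports how long before that DC also pulls the deletion, and computes the worst-case window a fleet guarantees. All DC names, schedules and timestamps are constructed.

```python
"""Lag-site recovery planner.

Added example for this thread; it is not code from any of the posters.
It models lag DCs that pull changes on fixed schedules (Rick's staggered
instances, Dan's two lag sites on alternating frequencies) and answers
two runbook questions after a deletion is noticed: which lag DC is still
clean and most current, and how long before it, too, pulls the deletion.
All DC names, schedules and timestamps below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LagDC:
    name: str
    interval: timedelta   # inbound replication interval, e.g. 168 hours
    anchor: datetime      # any moment at which inbound replication is known to run

    def last_sync_at_or_before(self, t: datetime) -> datetime:
        """Most recent scheduled inbound replication at or before t."""
        n = (t - self.anchor) // self.interval  # floor division, negative offsets work
        return self.anchor + n * self.interval

    def next_sync_at_or_after(self, t: datetime) -> datetime:
        last = self.last_sync_at_or_before(t)
        return last if last == t else last + self.interval

    def window_at(self, t: datetime) -> timedelta:
        """Time from t until this DC next pulls changes (including a deletion at t)."""
        return self.next_sync_at_or_after(t) - t


def recovery_window_at(lag_dcs: List[LagDC], deleted_at: datetime) -> timedelta:
    """Longest window any lag DC gives for a deletion made at deleted_at."""
    return max(dc.window_at(deleted_at) for dc in lag_dcs)


def pick_restore_source(lag_dcs: List[LagDC], deleted_at: datetime,
                        noticed_at: datetime) -> Optional[Tuple[LagDC, timedelta, timedelta]]:
    """Choose the lag DC to auth-restore from once a deletion is noticed.

    A DC is clean if its last inbound replication before noticed_at ran
    before the deletion. Among clean DCs the most recently synced one wins
    (most current object data). Returns (dc, staleness, remaining): staleness
    is how far behind the deletion its copy is, remaining is the time left
    before its next sync pulls the deletion in. None means every lag DC has
    already replicated the deletion and a backup restore is needed instead.
    """
    if noticed_at < deleted_at:
        raise ValueError("a deletion cannot be noticed before it happened")
    best: Optional[Tuple[LagDC, datetime]] = None
    for dc in lag_dcs:
        last = dc.last_sync_at_or_before(noticed_at)
        if last >= deleted_at:
            continue  # this DC has already pulled the deletion
        if best is None or last > best[1]:
            best = (dc, last)
    if best is None:
        return None
    dc, last = best
    return dc, deleted_at - last, dc.next_sync_at_or_after(noticed_at) - noticed_at


def guaranteed_window(lag_dcs: List[LagDC], start: datetime, horizon: timedelta,
                      step: timedelta = timedelta(hours=1)) -> timedelta:
    """Worst-case recovery window for a deletion at any `step` in [start, start+horizon].

    One 168-hour lag site yields 0 (deletion right at sync time); two such
    sites offset by 84 hours guarantee 84 hours, which is Dan's point.
    """
    worst: Optional[timedelta] = None
    t = start
    while t <= start + horizon:
        w = recovery_window_at(lag_dcs, t)
        if worst is None or w < worst:
            worst = w
        t += step
    assert worst is not None, "horizon must be non-negative"
    return worst


# Constructed scenario: two weekly lag sites, one syncing Mondays 00:00 and
# one Thursdays 12:00 (half an interval apart); an OU is deleted late Sunday.
WEEK = timedelta(hours=168)
LAG_A = LagDC("LAG-A", WEEK, datetime(2005, 5, 16, 0, 0))    # Monday 00:00
LAG_B = LagDC("LAG-B", WEEK, datetime(2005, 5, 19, 12, 0))   # Thursday 12:00
DELETED_AT = datetime(2005, 5, 22, 23, 0)                     # Sunday 23:00
NOTICED_AT = datetime(2005, 5, 23, 9, 0)                      # Monday 09:00


def hours(d: timedelta) -> float:
    return d.total_seconds() / 3600


if __name__ == "__main__":
    for fleet in ([LAG_A], [LAG_A, LAG_B]):
        names = "+".join(dc.name for dc in fleet)
        print(f"{names}: window at deletion {hours(recovery_window_at(fleet, DELETED_AT)):.0f} h, "
              f"guaranteed {hours(guaranteed_window(fleet, LAG_A.anchor, WEEK)):.0f} h")
        choice = pick_restore_source(fleet, DELETED_AT, NOTICED_AT)
        if choice is None:
            print("  no clean lag DC left; restore from backup media instead")
        else:
            dc, stale, left = choice
            print(f"  auth-restore from {dc.name}: data {hours(stale):.0f} h behind, "
                  f"{hours(left):.0f} h before it pulls the deletion")
```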
RE: [ActiveDir] AD DR - replication lag site----Why not?
Todd -

I personally don't have a problem with Recovery Manager. That being said - last I checked, Microsoft still didn't allow it as a SUPPORTABLE solution for the purpose under discussion. With our company being an Enterprise Agreement customer with a PSS agreement scaled to 'Get Ballmer out of bed - we've got a CritSit case!' response, I can't allow anything into the environment that would put us at risk.

Besides, being an EA customer has the benefit of the solution that I proposed being pretty low-cost, given the overall benefits. And, I don't find NTDSUTIL overly difficult or intensive to use. But, that's just me.

-rtk

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: Thursday, May 19, 2005 8:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag siteWhy?

Is it cheaper and more efficient to go the replication lag site route than to buy a proper backup and object-level restore solution? I mean, not to toot a vendor's horn, but Quest Recovery Manager turns the process of restoring objects into a 15-minute click-click operation. I would hate to think of the number of steps you all must do to reanimate the object in a directory using the Recovery Site. From an operations standpoint, there is no substitute for a proper backup solution and object-level restore utility for AD.

Thanks,
Todd Myrick
RE: [ActiveDir] AD DR - replication lag site
Marcus,

I kill off the specific rules on those servers. If I'm not interested in a particular message, it's gone.

-rtk

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, May 19, 2005 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

For those of you that are in a MOM environment and have created a lag site, how are you overcoming the replication latency messages?

:m:dsm:cci:mvp
RE: [ActiveDir] AD DR - replication lag site
I guess I find my solution more elegant and cheaper to manage/maintain. I try to avoid implementing changes to one DC but not others. The TCO tends to go thru the roof :) DCs placed in a separate site and/or configured with different SRV weightings via GPO can/does work and is simpler to manage IMHO. Additional DCs can then be added to that site (from other domains for example) with minimal effort and changes to docs/processes etc. neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: 19 May 2005 15:59 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD DR - replication lag site Just two things... Disable Netlogon. If it's disabled as a policy or by going to services and changing the service properties, restarting on reboot won't be an issue. Disabled is disabled, regardless. As to DNS records, I suppose that if the Netlogon service is disabled (primary for registering the SRV records) one could remove the _kerberos records for the lag site servers. I can pretty much assure that without Kerberos records, the DCs will not be offered up as authN points. -rtk -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil Sent: Thursday, May 19, 2005 2:46 AM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] AD DR - replication lag site That solution is fine until the machine is rebooted and netlogon starts again :) Why not change the DNS SRV record priorities/weights? Or alternatively, place the DC in a separate site, which consists of just 1 subnet (i.e. the subnet where the DC itself lives). If DNS records are removed, then the DC will fail to authenticate and replicate with other DCs. 
neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme Sent: 18 May 2005 23:12 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD DR - replication lag site I have several large clients who are going this direction and are in testing right now. Things look quite good. I had read somewhere that an alternative approach to preventing authentication to the 'lag' DCs was to stop the Netlogon service. The approach of removing DNS records seems more elegant, and I'll be interested to hear ppls thoughts on these alternatives. Dan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Danny Sent: Wednesday, May 18, 2005 6:45 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD DR - replication lag site I am interested in your thoughts regarding this suggestion for DR: http://searchwin2000.techtarget.com/tip/1,289483,sid1_gci1086805,00.htm l (You may need to register) Basically it states that you should create another AD site and set the replication for 168 hours. Thank you, ...D List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ == This message is for the sole use of the intended recipient. If you received this message in error please delete it and notify us. If this message was misdirected, Credit Suisse, its subsidiaries and affiliates (CS) do not waive any confidentiality or privilege. CS retains and monitors electronic communications sent through its network. Instructions transmitted over this system are not binding on CS until they are confirmed by us. Message transmission is not guaranteed to be secure. 
RE: [ActiveDir] AD DR - replication lag site
You're right - to each his own. I don't fully understand how disabling Netlogon on dedicated Lag Site servers is going to raise TCO. And, if the precedent is set that if a DC goes into the Lag Site that the Netlogon service is disabled - again, I don't really understand how that would add effort or complexity.

SRV weighting via GPO. Huh. That's one I've not seen. Which policy element would allow that?

And, make no mistake - the Lag Site procedure pretty much relies on the DR DCs being in a separate, and quite distinct, site with very different settings from what I would implement as 'Production-based' DCs. I guess that's one reason why I have them deployed to my warm site, rather than in the data center.

-rtk

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, May 19, 2005 11:01 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD DR - replication lag site
Re: [ActiveDir] AD DR - replication lag site
Not sure if this is what you need. In any case, the GPO setting related to disabling Generic SRV record registrations and SRV weighting can be found under the Computer Configuration Node of a GPO:

Administrative Templates > System > Netlogon > DC Locator DNS Records

These settings are discussed in Chapter 4: Planning DNS of the Windows Server 2003 Active Directory Branch Office Deployment Guide.

-Arden

On 5/19/05, Rick Kingslan [EMAIL PROTECTED] wrote:
RE: [ActiveDir] AD DR - replication lag site
Arden,

Perfect! Thanks - I'll look it over. I guess with a 1000+ entries, if I don't know of a few, that means that track record is pretty good.

Thanks for the point

-rtk

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of A P
Sent: Thursday, May 19, 2005 11:37 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD DR - replication lag site
RE: [ActiveDir] AD DR - replication lag site
Killing off the rules stops those particular DCs from running the latency rules... but how do you overcome the latency rules from any DC not in a lag site with connection objects to DCs in the lag site?

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, May 19, 2005 11:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

Marcus,

I kill off the specific rules on those servers. If I'm not interested in a particular message, it's gone.

-rtk

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, May 19, 2005 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

For those of you that are in a MOM environment and have created a lag site, how are you overcoming the replication latency messages?

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, May 19, 2005 4:09 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD DR - replication lag site

If the deletion occurs on DC1, then a DC (DC2) in the lag site will not receive the deletion immediately. You therefore have a window of opportunity in which the deletion may be 'undone'. The deleted object may be auth restored on DC2 and thus replicated / reanimated on DC1 (and any other DC which has received the deletion).

[My terminology may not be acceptable to some - I have deliberately explained this in simplistic terms :)]

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 19 May 2005 08:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

Hello,

I must apologize, but I'm a little bit confused. You said "With a lag site, you ONLY have to do an authoritative restore (NTDSUTIL)."

Do you mean if I delete my OU on a DC in site A, all I have to do is an authoritative restore, not on site A, BUT on the DC in the lag site, reboot, and force replication to site A? And the non-authoritative restore will in fact be the data on the lag site, which explains your previous sentence? Wow! That's very clever!! Am I right?

Regards,
Yann

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Thursday, 19 May 2005 08:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

The major issue is the SPEED of recovery. With a lag site, you ONLY have to do an authoritative restore (NTDSUTIL). Without a lag site, you must first restore the AD from backup tape ('normal' restore), which can take quite some time. Then, and only then, can you do the auth restore.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Wednesday, May 18, 2005 11:46 PM
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site

Hello,

Thanks for this interesting tip, but I didn't really understand the technology behind a lag site in the case of just a deletion of an entire OU with many objects.

For example, if I have an AD 2003 domain with 2 sites:
Site A has 2 DCs
Site B has one DC and is the lag site
Between the 2 sites, I scheduled replication to occur every 1 week.

In the situation of an OU deletion, I go to the DC where I made the deletion, and do an authoritative restore in dsmode and after reboot, wait for replication to take place in order to repopulate all my domain with my OU restored. So what will the lag site help me with in this situation?

I can understand that a lag site will help me if all my DCs in site A crashed. So I would take all information from the lag site to be restored in site A, such as copying my domain from the lag site by doing a dcpromo /adv, and go to my freshly installed DCs on site A, and restore my whole domain.

However, I think I will have more updated information by restoring from my yesterday backup than from the lag site...

So, could you help me better understand the technology behind a lag site? I think I misunderstand something important ;-(

Thank you for your feedback. Have a nice day :-)

Regards,
Yann
RE: [ActiveDir] AD DR - replication lag site
Changing SRV weight is NOT ENOUGH because there is still a chance that they will be used for authentication (e.g. if higher weighted records don't respond to the LDAP bind by the client fast enough). You must either prevent the SRV records from registering (per the originally-cited article, which I have not tried) or stop NetLogon or both. All of these are minimal TCO impact because ALL can be done thru GPOs. (e.g. Services policy to set NetLogon to disabled).

DDan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, May 19, 2005 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DR - replication lag site
RE: [ActiveDir] AD DR - replication lag site
(Caveat - I didn't go read the article, but I'm fairly certain what this is about)

I've implemented something quite similar to this in my environment - except I did it quite a bit differently - and, I think that it's a very viable DR and near-line recovery solution.

What we did in our Enterprise was to stand up a VMWare server at our DR site (VERY well connected - it's a warm site) and created 8 DC instances with repl schedules from 30 minutes to 1 month. In the event that we have a BIG problem, or a small one (we had one of our remote site Admins delete his whole Computers OU for his site) we are able to do an authoritative restore (or a non-auth, then auth, depending on circumstances) to correct a problem of this type.

Me, personally - I sleep much better knowing that I have this system in place. It works for us, and we also used a similar process to protect us from major problems during our schema upgrades for Win2k3 and Exchange 2k3 (as well as Cisco Unity and CallManager).

-rtk

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Wednesday, May 18, 2005 8:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD DR - replication lag site
RE: [ActiveDir] AD DR - replication lag site
I have several large clients who are going this direction and are in testing right now. Things look quite good.

I had read somewhere that an alternative approach to preventing authentication to the 'lag' DCs was to stop the Netlogon service. The approach of removing DNS records seems more elegant, and I'll be interested to hear people's thoughts on these alternatives.

Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Wednesday, May 18, 2005 6:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD DR - replication lag site
Re: [ActiveDir] AD DR - replication lag site
We are implementing lag sites in our production AD environment. We used to have a lag site which we used to implement a schema change in a controlled environment but we recently tore it down. However, we will be recreating the lag site as this is an essential piece of our infrastructure.

The single lag site is cost effective and you can set your max replication latency to 1 week, at most. With this design, changes that occur just prior to the replication schedule will get replicated to the lag site. This is one reason we are looking at implementing double lag sites in our environment. This will buy us a 2-week maximum delay replication.

You will also need to change the following registry key and account for the lag site in your monitoring solution.

HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error interval (hours)

As for preventing offsite authentication, an alternative may be to disable registration of the generic SRV records for the target domain controllers. There are policy settings that are built-in to Windows 2003 that are discussed in detail in the DNS chapter of the Branch Office Deployment Guide for 2003.

- Arden

On 5/18/05, Dan Holme [EMAIL PROTECTED] wrote:
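An added audit script, not code from the thread or any of its authors, that checks the lag-site controls the messages above argue over (Neil's SRV weights and separate site, Rick's disabled Netlogon, DDan's point that weight alone is not enough, Arden's DC Locator DNS Records policy and the Replicator latency error interval key) from a current Windows PowerShell session with the ActiveDirectory and DnsClient modules. The DC names and the site link name are placeholders; DnsAvoidRegisterRecords is the registry value the DC Locator DNS Records policy writes.

```powershell
#Requires -Modules ActiveDirectory, DnsClient
<#
  Added audit script (not from the thread). For each lag-site DC it checks:
    1. the DC is absent from the generic DC Locator SRV records, whatever its
       weight (a low weight still leaves it eligible for authentication);
    2. Netlogon is Disabled, or DnsAvoidRegisterRecords is set, so the records
       stay unregistered across reboots ("disabled is disabled");
    3. the site link to the lag site carries the intended delay (168 h = 1 week);
    4. the NTDS "Replicator latency error interval (hours)" value covers that delay,
       so the lag does not surface as latency alerts.
  DC names and the site link name are placeholders. Needs WinRM and admin rights
  on the lag DCs.
#>
param(
    [string]   $Domain           = (Get-ADDomain).DNSRoot,
    [string[]] $LagDCs           = @('LAGDC01', 'LAGDC02'),   # placeholder DC names
    [string]   $LagSiteLink      = 'HQ-LAG',                  # placeholder site link
    [int]      $ExpectedLagHours = 168
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Generic (non-site-specific) records any client in the domain may use to
#    locate a DC/KDC. Site-specific records under _sites.<site> are left alone:
#    a lag site containing only the DC's own subnet attracts no ordinary clients.
$genericSrv = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain",
    "_gc._tcp.$Domain"
)
foreach ($name in $genericSrv) {
    $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    foreach ($r in $srv) {
        $dcShort = ($r.NameTarget -split '\.')[0]
        if ($LagDCs -contains $dcShort) {
            # Being present at all is the finding; weight only changes the odds.
            $findings.Add("$dcShort is still advertised in $name " +
                          "(priority $($r.Priority), weight $($r.Weight))")
        }
    }
}

# 2. and 4. Per-DC service and registry state.
foreach ($dc in $LagDCs) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Netlogon'" -ComputerName $dc
    $reg = Invoke-Command -ComputerName $dc -ScriptBlock {
        # The GPO writes the policy key; a hand-set value lives under the service
        # key. Either one keeps the listed records from being registered.
        $avoid = foreach ($k in 'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters',
                                'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters') {
            (Get-ItemProperty -Path $k -Name DnsAvoidRegisterRecords -ErrorAction SilentlyContinue).DnsAvoidRegisterRecords
        }
        $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        $lat  = (Get-ItemProperty -Path $ntds -Name 'Replicator latency error interval (hours)' `
                     -ErrorAction SilentlyContinue).'Replicator latency error interval (hours)'
        [pscustomobject]@{ Avoid = @($avoid | Where-Object { $_ }); LatencyHours = $lat }
    }

    # A Netlogon that is merely Stopped (StartMode Automatic) comes back on reboot
    # and re-registers every record; only Disabled or the avoid list survives.
    if ($svc.StartMode -ne 'Disabled' -and $reg.Avoid.Count -eq 0) {
        $findings.Add("${dc}: Netlogon StartMode is $($svc.StartMode) and " +
                      "DnsAvoidRegisterRecords is not set; records return after a reboot")
    }
    if (-not $reg.LatencyHours -or $reg.LatencyHours -lt $ExpectedLagHours) {
        $findings.Add("${dc}: Replicator latency error interval is " +
                      "'$($reg.LatencyHours)' h, below the $ExpectedLagHours h lag")
    }
}

# 3. The schedule that actually creates the lag (the cmdlet caps it at one week).
$link = Get-ADReplicationSiteLink -Identity $LagSiteLink -Properties ReplicationFrequencyInMinutes
$lagHours = $link.ReplicationFrequencyInMinutes / 60
if ($lagHours -ne $ExpectedLagHours) {
    $findings.Add("site link $LagSiteLink replicates every $lagHours h, expected $ExpectedLagHours h")
}

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } }
else                 { Write-Output "Lag-site checks passed for $($LagDCs -join ', ')" }
```

Run it from a management host after each change to the lag site; every warning corresponds to one of the failure modes the thread describes (a lag DC handing out tickets, records reappearing after a reboot, or the monitoring noise Marcus asks about).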