Re: Disaster Recovery Scenario Help



The SID of the domain will be different because you install a new
DC/domain/forest. Although you will be able to recreate users, groups,
memberships etc. by importing, let's say, LDIF files, there is one problem
left.... permissions on objects...

Permissions on objects are controlled by an ACL with ACEs. Each ACE is a SID
(not a name as you might think!) with the configured permissions (read, write,
etc.)

Recreating the domain, recreating all objects and re-permissioning.... would
be MY LAST option I would think about, as other options exist as I said
earlier.

--
Cheers,
# Jorge de Almeida Pinto #
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------


-----------------------------------------------------------------------------
"JamFan" <JamFan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6710C173-DA13-41F1-8F76-8F0A8A4E6461@xxxxxxxxxxxxxxxx
> Thanks for the response.. you have confirmed many of my beliefs.. I have
> been leaning towards simply creating a new forest and starting fresh if it
> got this bad, as long as I have the data and layouts of all groups and
> memberships. I have just heard so many nightmares in regards to AD
> restore...
> Any thoughts on the pros and cons of both scenarios? I would make one of
> the offsite DR boxes a DC that I could replicate to, but I worry about
> corrupting the production environment. Exchange restoration will still be
> possible if I do create a new forest, right?
>
> "Jorge de Almeida Pinto" wrote:
>
>> 1...If the AD domain is lost (no DCs available), then how are you going
>> to promote the DR servers into DCs? You need existing DCs to promote
>> additional DCs
>>
>> 2...fresh install and restoring current backups of DCs is an option
>>
>> 3...exchange depends on AD. So if AD is gone and exchange is up and
>> running, it will shout like hell because AD is gone. In that case
>> restoring DCs (going back in time) can cause different issues like
>> disconnected mailboxes (because mailboxes exist on the exchange server,
>> but the corresponding user does not yet exist in AD)
>>
>> 4...yes
>>
>> you might wanna take a look at:
>> http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=3EDA5A79-C99B-4DF9-823C-933FEBA08CFE
>>
>> --
>> Cheers,
>> # Jorge de Almeida Pinto #
>> BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
>> -----------------------------------------------------------------------------
>> * This posting is provided "AS IS" with no warranties and confers no
>> rights!
>> * Always test before implementing!
>> -----------------------------------------------------------------------------
>>
>>
>> -----------------------------------------------------------------------------
>> "JamFan" <JamFan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:51FCA600-62A4-4B59-A008-70585BA00BF9@xxxxxxxxxxxxxxxx
>> > I am creating a disaster recovery plan. The idea is that the building
>> > and network is a complete loss. I have 2 DR servers offsite. I just
>> > need some advice on a few AD related questions:
>> >
>> > 1. Are we better suited keeping the DR servers as standalone workgroup
>> > servers or is it better to make them member servers that can be
>> > upgraded to DCs with the domain SID?
>> >
>> > 2. Is such an upgrade possible or is an AD restore or fresh
>> > install the only options?
>> >
>> > 3. What are the exchange recovery ramifications to either scenario
>> > because I heard there are problems restoring exchange directly related
>> > to the domain SID?
>> >
>> > 4. Will the data on the backup tapes be accessible on the servers if
>> > they are not members of the domain?
>> >
>>
>>
>>
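Added example (not code from the thread or its authors) illustrating the ACE/SID point made above: a small audit that parses the DACL of an SDDL security descriptor and reports which ACEs would become orphaned after a forest rebuild, because their SIDs belong to the old domain SID rather than the new one. The domain SIDs and the SDDL string are constructed samples.

```python
"""Find ACEs that will be orphaned when a domain is rebuilt with a new SID.

Each ACE stores a SID, not a name. After a fresh forest install the domain
gets a new domain SID, so every ACE referencing a principal of the old domain
(including "Domain Users", RID 513) can no longer be resolved. Well-known
SIDs such as BUILTIN\\Administrators (S-1-5-32-544) are not domain-relative
and survive the rebuild.
"""
import re

# SDDL two-letter aliases expanded to their well-known SIDs (subset).
SDDL_ALIAS = {"WD": "S-1-1-0", "SY": "S-1-5-18",
              "BA": "S-1-5-32-544", "BU": "S-1-5-32-545"}
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return (ace_type, rights, sid) for every ACE in the D: section."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    aces = []
    for ace in ACE_RE.findall(m.group(1)):
        fields = ace.split(";")  # type;flags;rights;obj_guid;inh_guid;sid
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: {ace}")
        sid = SDDL_ALIAS.get(fields[5], fields[5])
        aces.append((fields[0], fields[2], sid))
    return aces


def domain_of(sid):
    """Domain SID of a domain-relative SID (S-1-5-21-x-y-z-RID), else None."""
    m = re.fullmatch(r"(S-1-5-21-\d+-\d+-\d+)-\d+", sid)
    return m.group(1) if m else None


def orphaned_aces(sddl, new_domain_sid):
    """ACEs whose SID is domain-relative but not from new_domain_sid."""
    return [(t, r, s) for t, r, s in parse_dacl(sddl)
            if domain_of(s) not in (None, new_domain_sid)]


# Constructed sample: old and rebuilt domain SIDs and a file-style DACL.
OLD_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
NEW_DOMAIN = "S-1-5-21-4444444444-5555555555-6666666666"
SAMPLE_SDDL = ("O:BAG:BAD:PAI(A;;FA;;;BA)(A;;FA;;;SY)"
               f"(A;;0x1200a9;;;{OLD_DOMAIN}-1105)"
               f"(A;OICI;0x1301bf;;;{OLD_DOMAIN}-513)")

if __name__ == "__main__":
    for ace in orphaned_aces(SAMPLE_SDDL, NEW_DOMAIN):
        print("orphaned after rebuild:", ace)
```

Run against the sample, the two BUILTIN/SYSTEM ACEs are reported as fine while both ACEs referencing the old domain (a user RID and Domain Users) are flagged.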




