Re: 2008 AD restore
- From: "Paul Bergson [MVP-DS]" <pbbergs@xxxxxxxxxxxxxxx>
- Date: Tue, 17 Feb 2009 15:27:37 -0600
Got yah and found 6 objects with backlinks needing to be repaired.
THX!
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"Jorge de Almeida Pinto [MVP - DS]" <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in message news:eZX3snsjJHA.5812@xxxxxxxxxxxxxxxxxxxxxxx
when you use NTDSUTIL to do an auth restore, LDF files are created if backlinks exist with values. If the auth restored object has backlinks to objects in other AD domains you need to use the TXT that is also created when using NTDSUTIL against a DC from each other AD domain. If backlinks exist LDF files will be created again
by having a LAG site it does not mean it is much easier. It is easier because you do not have to restore the system state and you use DCs that are not used for auth/LDAP/etc.
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #
BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Paul Bergson [MVP-DS]" <pbbergs@xxxxxxxxxxxxxxx> wrote in message news:C85305DC-D000-406C-932B-C7521ECC8F5C@xxxxxxxxxxxxxxxx
Single domain, single forest.
I understand backlinks but don't know what the following quote refers to:
"DO NOT FORGET TO RECOVER THE BACKLINKS BY IMPORTING THE LDF"
"Jorge de Almeida Pinto [MVP - DS]" <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in message news:%232JHfoBjJHA.1288@xxxxxxxxxxxxxxxxxxxxxxx
because NTDSUTIL, whether or not you restore the System State, needs to access the NTDS.DIT offline. The NTDS.DIT cannot be online. Thinking about it a bit more. Because you are not restoring the system state you might as well stop the NTDS service, do the NTDSUTIL thing, and start it again.
Be aware though....DO NOT FORGET TO RECOVER THE BACKLINKS BY IMPORTING THE LDF files. If you have multiple domains and those objects have relations in other AD domains you need to check those too! Just auth restoring the objects with NTDSUTIL might not be enough (you may have inconsistencies)
"Paul Bergson [MVP-DS]" <pbbergs@xxxxxxxxxxxxxxx> wrote in message news:1E222DCC-3831-4D47-B3CD-93227EC01631@xxxxxxxxxxxxxxxx
That is the part I don't get. Yes I had a lag site that didn't get the mass deletion, so I rebooted the DC into DSRM to do the authoritative restore.
Why do I have to be in DSRM to use NTDSUTIL to get the version to increase? I realize I'm supposed to I just don't understand why AD is requiring me to do this?
"Jorge de Almeida Pinto [MVP - DS]" <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in message news:eKgIqIwiJHA.1388@xxxxxxxxxxxxxxxxxxxxxxx
I'm missing the point here....Are you saying you experienced a mass deletion and you used the lag site DC or another DC that still had not received the deletion?
Both DCs in that case did not receive the deletion and the only way to make sure the deletion is NOT processed by DCs that have not received it yet, is to increase the version of the objects that have not been deleted yet.... and that is ALWAYS done by booting into DSRM and using NTDSUTIL to increase the version with 100000 (default value)
"Paul Bergson [MVP-DS]" <pbbergs@xxxxxxxxxxxxxxx> wrote in message news:#o9VMrKiJHA.6128@xxxxxxxxxxxxxxxxxxxxxxx
Last week someone destroyed an OU that contained access to all the groups controlling access to our SAN. Once discovered 15 minutes and they were all back. Would have been quicker but I got paranoid and booted into DSRM, even though I shouldn't have needed it (At least I can't understand why). I read something from Gil stating you need to so I thought until I understand I best not take any chances. I have since taken the time and set ALL OUs to "Prevent Accidental OU Deletion" via the option on the new gui. I should have set that a while back, but I didn't have the new tools and was too lazy to go back and remember how to do it w/o it.
"Jorge de Almeida Pinto [MVP - DS]" <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in message news:ez84SsJiJHA.4556@xxxxxxxxxxxxxxxxxxxxxxx
that's why with LAG sites it is not enough to disable replication.....
"Paul Bergson [MVP-DS]" <pbbergs@xxxxxxxxxxxxxxx> wrote in message news:2F2B8A1B-2812-4964-8420-1C2D75AEE061@xxxxxxxxxxxxxxxx
Really, didn't know that. Usually only force via gui, but I will remember to only use gui in future if I want to protect lag site.
"Jorge de Almeida Pinto [MVP - DS]" <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in message news:ejZIsE$hJHA.500@xxxxxxxxxxxxxxxxxxxxxxx
even if replication is disabled, you can still FORCE it!
REPADMIN /SYNCALL
REPADMIN /REPLICATE
will do it, even if it is disabled
"Paul Bergson [MVP-DS]" <pbbergs@xxxxxxxxxxxxxxx> wrote in message news:13BB55BC-3733-475E-AE8B-27C6B8FE823C@xxxxxxxxxxxxxxxx
On our lag site, to prevent manual replication requests, we only open up replication during the allowed automated replication stage. Otherwise someone can simply do a manual request and bye, bye lag site protection. So we use repadmin (As Jorge is describing) to prevent this.
"Jorge de Almeida Pinto [MVP - DS]" <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in message news:OzqMTX9hJHA.3444@xxxxxxxxxxxxxxxxxxxxxxx
when a user is deleted it is tombstoned. that tombstone replicates to all other DCs in question. if you at any point in time are able to DISABLE inbound AD replication on a DC BEFORE the tombstone reaches that DC, then you can do an auth restore without the non-auth restore
disabling/enabling AD replication can be done with REPADMIN /OPTIONS
"skip" <shofmann@xxxxxxx> wrote in message news:835848DB-7FDD-45FA-82A5-1C68E4403388@xxxxxxxxxxxxxxxx
how long does it take before the DC completely deletes the object or processes the deletion? Is this setting determined by the Tombstone lifetime set on the object? If the object gets deleted from AD using ADUC is the object still stored in the AD database but the object now is marked as hidden, and now requires a system restore in order to restore the object?
"Jorge de Almeida Pinto [MVP - DS]" <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in message news:e7gMKvkhJHA.3812@xxxxxxxxxxxxxxxxxxxxxxx
that is sufficient if that particular DC has not yet processed the deletion. If it already has processed the deletion you still need to non-auth restore the AD DB. To do that you need to boot into DSRM. Stopping the service and restoring the AD DB is not supported.
"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message news:731E4747-E522-4A28-AA5C-D9646DFD2FEE@xxxxxxxxxxxxxxxx
Hi
The restore is needed in 2003 or 2000 DCs. In 2008 DCs you only need to right-click Active Directory Domain Services and then click Stop to stop the service and do the Authoritative restore.
For more details check:
http://technet.microsoft.com/en-us/library/cc732211.aspx
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"skip" <shofmann@xxxxxxx> wrote in message news:EDB3EF5D-BB60-48BB-AE6D-17AA6D01A5B7@xxxxxxxxxxxxxxxx
I'm a little confused on the correct procedure for doing an authoritative restore when the DC is running Windows 2008.
I have a system state backup of the DC, in order to restore a deleted object do I need to reboot the DC into DSRM then restore the system state backup? At what point in the process do I mark the deleted item as "authoritative"?
Thanks
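
The sequence the thread converges on for a Windows Server 2008 DC that has not yet received the deletion, collected here as an added example (not posted by any participant in the thread). The DC name, the subtree DN and the working directory are hypothetical placeholders; single domain, single forest is assumed.

```powershell
# Added example. All three values below are placeholders, not values from the thread.
$LagDC   = 'LAGDC01'                          # hypothetical DC that has NOT processed the deletion
$Subtree = 'OU=SANGroups,DC=example,DC=com'   # hypothetical DN of the deleted OU
$WorkDir = 'C:\ADRestore'                     # hypothetical folder for the files NTDSUTIL writes

# 1. Stop the tombstone from arriving: disable inbound replication on the DC.
#    As noted in the thread, REPADMIN /SYNCALL or /REPLICATE can still force
#    replication, so this only protects against scheduled replication.
repadmin /options $LagDC +DISABLE_INBOUND_REPL
repadmin /options $LagDC                      # confirm DISABLE_INBOUND_REPL is listed

# 2. Take NTDS.DIT offline. On 2008 no system state restore is needed here,
#    so stopping the AD DS service is enough (run locally on the DC).
net stop ntds /y

# 3. Mark the subtree authoritative. NTDSUTIL raises the object versions
#    (by 100000, the default mentioned in the thread) and asks for confirmation.
#    It writes a .txt object list and, if backlinks exist, .ldf files
#    into the current directory.
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
Set-Location $WorkDir
ntdsutil "activate instance ntds" "authoritative restore" "restore subtree $Subtree" quit quit

# 4. Bring AD DS back online and re-enable inbound replication. The higher
#    versions now win over the tombstone on the other DCs.
net start ntds
repadmin /options $LagDC -DISABLE_INBOUND_REPL

# 5. Recover the backlinks (group memberships and similar linked values)
#    by importing every LDF file NTDSUTIL produced in step 3.
$ldfFiles = Get-ChildItem -Path $WorkDir -Filter '*.ldf'
if (-not $ldfFiles) {
    Write-Host 'No LDF files were created: no backlinks to repair.'
}
foreach ($ldf in $ldfFiles) {
    Write-Host "Importing backlinks from $($ldf.Name)"
    ldifde -i -k -f $ldf.FullName
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "ldifde reported an error for $($ldf.Name); check ldif.err"
    }
}
```

If the DC had already processed the deletion, step 2 is replaced by booting into DSRM and doing a non-authoritative restore of the system state first, as stated in the thread.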