Re: Copy Active Directory Database to test server

From: Mike Brannigan [MSFT] (mikebran_at_online.microsoft.com)
Date: 03/05/04


Date: Fri, 5 Mar 2004 18:44:44 -0000

As I said in my closing line

"It should be noted that if you analyse your working practices and do not
actually rely on your server infrastructure for business continuity then a
single point of failure is not a risk and is an acceptable option for you."

So I do understand and agree with your assessment and willingness to accept
the risk of the single point of failure.

-- 
Regards,
Mike
--
Mike Brannigan [Microsoft]
This posting is provided "AS IS" with no warranties, and confers no rights
Please note I cannot respond to e-mailed questions, please use these newsgroups

"LKuderick" <npm[NO*SPAM*]@tampabay.rr.com> wrote in message
news:OkaSyxtAEHA.688@tk2msftngp13.phx.gbl...
> Sorry Mike, While I understand your position, your risk assessment of my
> position is not supported by my experience. I have been MIS manager of this
> company for over 16 years and we have had 2 major hardware failures in that
> time and perhaps 4 or 5 minor ones. The major ones were recovered in no more
> than 4-6 hours (completely acceptable timeframe in my company) and the minor
> ones were recovered in 30 mins to 2 hours (again completely acceptable).
> None of our business is dependent on the computer being in operation 24
> hours. Programs that run Tape Mills can be loaded from local machines or
> even from tape backups. Blueprints are replicated to paper files (it's part
> of our ISO requirements). Our company can function fine without a file
> server online for a period of days (although that would not be desirable).
> We have complete disaster recovery conditions for most situations and
> expected recovery timelines that are fine given our business model (If I was
> managing a company that was more computer dependent (i.e. MSFT), I would use
> more replication, however, in my situation more replication is not worth the
> work or cost).
>
> So my network configuration works for my company and I see no compelling
> reason to change it to your model.
>
> My current sticking point is how to recover my AD from a failed hardware
> disaster. I assume that there must be a method to do this or a method to
> migrate the AD to a new hardware configuration. What I would like is the
> easiest/best method to accomplish this. If it cannot be done, then I'll work
> on that premise and come up with some other plan. If I need to make changes
> to my AD structure to make it easier (i.e. make the root domain limited with
> just the MS accounts and to set up a child domain (the rest of the company)
> below it to make it easier to recover) - I can do that. However, I would
> appreciate you attempting to work within my model even if you consider that
> my model has unacceptable risks in your opinion.
>
> I *do* appreciate your time and responses.
>
> "Mike Brannigan [MSFT]" <mikebran@online.microsoft.com> wrote in message
> news:OtSTr1sAEHA.2768@TK2MSFTNGP09.phx.gbl...
> > You were not misinformed in any way - from a technical and performance
> > perspective a single Windows Server 2003 system will more than cope with
> > your requirements.
> > HOWEVER from a disaster recovery, single point of failure and general
> > availability stance - you should never rely on a single server to provide
> > all of your essential services - be that a Netware or a Windows system.
> > This leads you to the scenario you are encountering, in the event of a
> > failure (hardware or otherwise) your only option may be a repair and recover
> > from backup, whereas with another server providing various services such as
> > authentication and file and print as well as the first, your recovery process
> > may only be required to recover files that were on the other server but
> > all services remain operational.
> >
> > You would never get a Novell consultant to recommend a single server
> > providing NDS and File and Print for a corporate, because as I said above -
> > it is certainly technically feasible from a spec and performance perspective
> > it is reckless and an unacceptable risk to your business from an operations
> > perspective to have such an exposed single point of failure.
> >
> > This is not about technology or product but is about sound operational
> > processes, practices and procedures.
> >
> > It should be noted that if you analyse your working practices and do not
> > actually rely on your server infrastructure for business continuity then a
> > single point of failure is not a risk and is an acceptable option for you.
> > -- 
> > Regards,
> >
> > Mike
> > --
> > Mike Brannigan [Microsoft]
> >
> > This posting is provided "AS IS" with no warranties, and confers no
> > rights
> >
> > Please note I cannot respond to e-mailed questions, please use these
> > newsgroups
> >
> > "LKuderick" <npm[NO*SPAM*]@tampabay.rr.com> wrote in message
> > news:e1tnAosAEHA.3256@TK2MSFTNGP09.phx.gbl...
> > > Mike,
> > >
> > > Sorry, but when I was researching whether to stay with Novell or jump to
> > > Windows Server 2003 I was told by the Microsoft sales team that everything I
> > > needed could be handled by a single server box. I administer a small
> > > manufacturing company and the main purpose of the server is to act as a file
> > > server. 40 of the workstations that are attached to the system are out on
> > > the shop floor and mainly reference data stored on the system. Of the other
> > > 20+ systems, 8-10 are relative power users and the rest are clerics or
> > > engineers that perform most of their work on their own local stations saving
> > > the final versions down to the server to be accessed by the other 40 shop
> > > floor stations. Using Novell as a comparison, everything was handled by a
> > > single server and it was done well for over 10 years.
> > >
> > > That said, I see no reason to have a second box dedicated to only running a
> > > DC, if under Windows Server this is necessary then I've been misled and
> > > perhaps I need to reconsider our abandonment of Novell. I assure you it's
> > > not because of the cost of having a 2nd box, it's because I can't visualize
> > > why I would need to have the AD/DC on a 2nd server (which I would assume
> > > would require a 2nd licensed version of Windows Server).
> > >
> > > If you wish to state your opinion on why I should not run a production
> > > domain with only one server, that's fine. However, I can not think of any
> > > compelling reason why I should have to change from my 1 server model that
> > > has worked with this company for 16+ years.
> > >
> > > Larry
> > >
> > > "Mike Brannigan [MSFT]" <mikebran@online.microsoft.com> wrote in
message
> > > news:%23FCTJLsAEHA.2480@TK2MSFTNGP12.phx.gbl...
> > > > Step one - NEVER EVER run a production domain with only one server.
> > > > Buy and install an additional DC.
> > > >
> > > > (I'll address the rest of your scenario and questions later - just a
> bit
> > > > tied up at the moment)
> > > >
> > > > -- 
> > > > Regards,
> > > >
> > > > Mike
> > > > --
> > > > Mike Brannigan [Microsoft]
> > > >
> > > > This posting is provided "AS IS" with no warranties, and confers no
> > > > rights
> > > >
> > > > Please note I cannot respond to e-mailed questions, please use these
> > > > newsgroups
> > > >
> > > > "LKuderick" <npm[NO*SPAM*]@tampabay.rr.com> wrote in message
> > > > news:uOUDX6rAEHA.1548@TK2MSFTNGP12.phx.gbl...
> > > > > Mike,
> > > > >
> > > > > I reviewed that article, however that doesn't seem to address my particular
> > > > > problem. I need to copy the existing root domain from our live server to our
> > > > > test server. I'm attempting to put together a Disaster Recovery document and
> > > > > I need to be able to restore from a backup the entire original root domain
> > > > > to new hardware with the minimum of time.
> > > > >
> > > > > Here is exactly what I want to do: I am simulating a hardware failure of the
> > > > > motherboard or cpu and they either cannot immediately be replaced or are not
> > > > > available and I need to get our company server back as quickly as possible.
> > > > >
> > > > > We have only one server, and only one domain on the server.
> > > > >
> > > > > Using ASR doesn't work to a new hardware box as it copies hardware and
> > > > > registry entries that may not be valid on the new server (I tried this route
> > > > > and had many problems and ultimately corrupted the install). What I need to
> > > > > be able to do is to restore the Active directory from the system state
> > > > > backup to the new system.
> > > > >
> > > > > On the new system I plan the following steps:
> > > > >
> > > > > 1. I will have to reinstall Windows 2003 server software. This is a given.
> > > > >
> > > > > 2. I'm assuming at this point it is better to then let Windows Server 2003
> > > > > setup and configure the DNS and DHCP services as the first server.
> > > > >
> > > > > 3. Running DCPROMO at this time, I only get the option to remove the
> > > > > existing DNS tree structure. I'm assuming that I have to go ahead and
> > > > > perform this function in order to later restore the AD from the backup.
> > > > >
> > > > > 4. At this time I would like to install from backup the existing AD
> > > > > structure to the new Server. Using DCPROMO again, I get two choices, to
> > > > > setup a new Domain or to select Additional domain controller in an existing
> > > > > domain. If I select the Additional domain selection I get the option to
> > > > > create the domain from backup files. However, I then have to enter network
> > > > > credentials (User/Password/Domain) from an existing domain (which does not
> > > > > exist) in order to continue. If I select the option to create a new Domain,
> > > > > I do not get the option to create it from backup files (which is really what
> > > > > I want). So exactly how do I proceed? If this is the method to perform
> > > > > the restore - what credentials are used (obviously not the Administrator
> > > > > account used to log into the system - because I attempted that and it
> > > > > wouldn't work)? Or if you can use that account, what should I use as the
> > > > > domain to validate the account?
> > > > >
> > > > > There has to be a way to do this. While I can recreate the AD from scratch
> > > > > (we only have some 60 user accounts), it seems that there has to be a way to
> > > > > recover this information from a system state backup. If I'm missing
> > > > > something obvious, please forgive me and be patient in your reply.
> > > > >
> > > > > Thanks!
> > > > >
> > > > > "Mike Brannigan [MSFT]" <mikebran@online.microsoft.com> wrote in
> > message
> > > > > news:u9kaMyjAEHA.2600@TK2MSFTNGP09.phx.gbl...
> > > > > > "LKuderick" <npm[NO*SPAM*]@tampabay.rr.com> wrote in message
> > > > > > news:%23ZbKXiiAEHA.1548@TK2MSFTNGP12.phx.gbl...
> > > > > > > Mike,
> > > > > > >
> > > > > > > I see no such option the the dcpromo.exe command. You can use
> the
> > > /adv
> > > > > > > switch, but nowhere does it give you the option to 'build from
> > > media'
> > > > as
> > > > > > far
> > > > > > > as I can see. Can you be more specific as I want to do the
same
> > > > Muster.
> > > > > > >
> > > > > > > Thanks!
> > > > > >
> > > > > > see
> > > > > > http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dssbm_drd_gmcr.asp
> > > > > >
> > > > > > -- 
> > > > > > Regards,
> > > > > >
> > > > > > Mike
> > > > > > --
> > > > > > Mike Brannigan [Microsoft]
> > > > > >
> > > > > > This posting is provided "AS IS" with no warranties, and confers no
> > > > > > rights
> > > > > >
> > > > > > Please note I cannot respond to e-mailed questions, please use these
> > > > > > newsgroups
> > > > > >
> > > > > > "LKuderick" <npm[NO*SPAM*]@tampabay.rr.com> wrote in message
> > > > > > news:%23ZbKXiiAEHA.1548@TK2MSFTNGP12.phx.gbl...
> > > > > > > Mike,
> > > > > > >
> > > > > > > I see no such option in the dcpromo.exe command. You can use the /adv
> > > > > > > switch, but nowhere does it give you the option to 'build from media' as far
> > > > > > > as I can see. Can you be more specific as I want to do the same as Muster.
> > > > > > >
> > > > > > > Thanks!
> > > > > > >
> > > > > > >
> > > > > > > "Mike Brannigan [MSFT]" <mikebran@online.microsoft.com> wrote
in
> > > > message
> > > > > > > news:%23icgf9DAEHA.808@TK2MSFTNGP12.phx.gbl...
> > > > > > > > "Muster" <stefan@netlane.com> wrote in message
> > > > > > > > news:ce1076cb.0403020126.4b559707@posting.google.com...
> > > > > > > > > I would like to set up a replica of our AD on a
testserver,
> > > mainly
> > > > > to
> > > > > > > > > test import/export functions of userdata. The testserver
> > cannot
> > > be
> > > > > on
> > > > > > > > > the same LAN as the production server.
> > > > > > > > > I've tried making a backup/restore but since System state
> also
> > > > > backups
> > > > > > > > > the registry the restored machine becomes a mess since
> either
> > > > > hardware
> > > > > > > > > or software is the same.
> > > > > > > > >
> > > > > > > > > How can I make a copy of the ad database and restore it on
> my
> > > new
> > > > > > > > > machine?
> > > > > > > >
> > > > > > > > You can take a backup and then do a DCPROMO and "build from media" on the
> > > > > > > > test system.
> > > > > > > > This is only applicable to Server 2003
> > > > > > > >
> > > > > > > > -- 
> > > > > > > > Regards,
> > > > > > > >
> > > > > > > > Mike
> > > > > > > > --
> > > > > > > > Mike Brannigan [Microsoft]
> > > > > > > >
> > > > > > > > This posting is provided "AS IS" with no warranties, and confers no
> > > > > > > > rights
> > > > > > > >
> > > > > > > > Please note I cannot respond to e-mailed questions, please use these
> > > > > > > > newsgroups
> > > > > > > >
> > > > > > > > "Muster" <stefan@netlane.com> wrote in message
> > > > > > > > news:ce1076cb.0403020126.4b559707@posting.google.com...
> > > > > > > > > I would like to set up a replica of our AD on a testserver, mainly to
> > > > > > > > > test import/export functions of userdata. The testserver cannot be on
> > > > > > > > > the same LAN as the production server.
> > > > > > > > > I've tried making a backup/restore but since System state also backs up
> > > > > > > > > the registry the restored machine becomes a mess since either hardware
> > > > > > > > > or software is the same.
> > > > > > > > >
> > > > > > > > > How can I make a copy of the ad database and restore it on my new
> > > > > > > > > machine?