" the whitepaper I'm working on with NetPro for AD recovery also contains
those steps ;-)"
, at least it does now
;o)
<j/k, Guido!>
Rick
-----Original Message-----
From: ActiveDir-owner (AT) mail (DOT) activedir.org
[mailto:ActiveDir-owner (AT) mail (DOT) activedir.org] On Behalf Of Grillenmeier, Guido
Sent: Thursday, August 11, 2005 6:50 PM
To: ActiveDir (AT) mail (DOT) activedir.org
Subject: RE: [ActiveDir] A bad bad thing - Manual push of AD?
the whitepaper I'm working on with NetPro for AD recovery also contains
those steps ;-)
we should clarify that for most other situations you do need to wait for
the auth restore to replicate out, otherwise the group-adds (or other
links) won't succeed in the other domains if you have any. In this case
the tombstone hadn't replicated out, so the object already exists on
all DCs.
step 3.1 - reboot that original DC containing the tombstone on which the
NW plug was pulled
-----Original Message-----
From: ActiveDir-owner (AT) mail (DOT) activedir.org
[mailto:ActiveDir-owner (AT) mail (DOT) activedir.org] On Behalf Of Brett Shirley
Sent: Freitag, 12. August 2005 02:41
To: ActiveDir (AT) mail (DOT) activedir.org
Subject: RE: [ActiveDir] A bad bad thing - Manual push of AD?
Please don't forget to insert these steps:
2.5 reboot the DC back to normal mode
2.7 give a chance for the auth restore to replicate out (not
necessary, just a good idea)
I'm so glad Guido wrote up the below, I had something 1/2 written up,
but I couldn't remember any of the details
Cheers,
Brett
Fri, 12 Aug 2005, Grillenmeier, Guido wrote:
hopefully you have another Win2003 DC with SP1 => a non-SP1 2003 DC
would require you to perform more manual steps during the restore. As
you're still in mixed mode, none of your links are LVR (which means they
won't be revived on a non-SP1 DC and of course not on a Win2000 DC)
1. so boot another SP1 DC into DS Restore mode
2. use ntdsutil.exe to auth restore that user's object
=> with SP1, this step will create an LDIF file that will allow you to
restore the groups etc.
it will be called
"ar_<date>-<time>_links_<fully.qualified.domain.name>.ldf"
(e.g. ) and contain something similar to this:
dn: CN=Child1-UG1,OU=Groups,OU=MyCU1,DC=child1,DC=root,DC=net
changetype: modify
delete: member
member: CN=Root-User1,OU=Accounts,OU=MyRU1,OU=Externals,DC=root,DC=net
-

dn: CN=Child1-UG1,OU=Groups,OU=MyCU1,DC=child1,DC=root,DC=net
changetype: modify
add: member
member: CN=Root-User1,OU=Accounts,OU=MyRU1,OU=Externals,DC=root,DC=net
-

dn: CN=Child1-User2,OU=Accounts,OU=MyCU1,DC=child1,DC=root,DC=net
changetype: modify
delete: manager
manager: CN=Root-User1,OU=Accounts,OU=MyRU1,OU=Externals,DC=root,DC=net
-

dn: CN=Child1-User2,OU=Accounts,OU=MyCU1,DC=child1,DC=root,DC=net
changetype: modify
add: manager
manager: CN=Root-User1,OU=Accounts,OU=MyRU1,OU=Externals,DC=root,DC=net
-
If you have multiple domains, you may get more than one file (depends on
group-memberships of the user and on whether you are doing the auth restore on a
DC or GC - you should choose a GC if you have more than one domain). All
you need to do after reboot is take that file and execute an LDIF import
command (on a DC that corresponds to the file's domain):
Ldifde -i -k -f ar_<date>-<time>_links_<fully.qualified.domain.name>.ldf
e.g. Ldifde -i -k -f
/Guido
-----Original Message-----
From: ActiveDir-owner (AT) mail (DOT) activedir.org
[mailto:ActiveDir-owner (AT) mail (DOT) activedir.org] On Behalf Of Shadow Roldan
Sent: Freitag, 12. August 2005 01:35
To: ActiveDir (AT) mail (DOT) activedir.org
Subject: RE: [ActiveDir] A bad bad thing - Manual push of AD?
K, this is what I was looking for; this site didn't actually have a
chance to repl out the delete, so I just push back the 'good' state?
So, if I understand, I am supposed to:
1. reboot a good DC into DS Restore mode
2. use ntdsutil.exe to auth restore that user's object.
3. use ldifde to restore the links (not sure about this step - any more
info?)
Bring my mistake DC back online, it tries to replicate, hits the Auth
Restore, and the delete gets tossed, my mistake is rectified, and no one
is the wiser
Yes?
-----Original Message-----
From: ActiveDir-owner (AT) mail (DOT) activedir.org
[mailto:ActiveDir-owner (AT) mail (DOT) activedir.org] On Behalf Of Rick Kingslan
Sent: Thursday, August 11, 2005 2:56 PM
To: ActiveDir (AT) mail (DOT) activedir.org
Subject: RE: [ActiveDir] A bad bad thing - Manual push of AD?
I agree completely - that is the attraction of the lag sites - I have
something in which I can push a change back out from a time-delayed
replica to where the object still exists.
And I agree as well - if there is a DC that has the object required - by
all means, repl it back out authoritatively.
Rick
-----Original Message-----
From: ActiveDir-owner (AT) mail (DOT) activedir.org
[mailto:ActiveDir-owner (AT) mail (DOT) activedir.org] On Behalf Of Brett Shirley
Sent: Thursday, August 11, 2005 3:31 PM
To: ActiveDir (AT) mail (DOT) activedir.org
Subject: RE: [ActiveDir] A bad bad thing - Manual push of AD?
Hmmm, maybe I misunderstood
I understood he has a user deleted on some DCs, but not on others. He
doesn't want the user deleted. He can then just take a DC with the
user, auth restore the user, let that replicate out. Yes, the delete
change will try to replicate out, but when it hits the auth restore the
delete operation will essentially be tossed.
I mean this is the whole attraction to hot sites, is it not? Am I
missing something?
Cheers,
BrettSh
Thu, 11 Aug 2005, Rick Kingslan wrote:
Brett,
How is this going to help him get the DC back online that he yanked
the cable on? As soon as that system is plugged back in, it's going
to repl out the change, no?
Rick
-----Original Message-----
From: ActiveDir-owner (AT) mail (DOT) activedir.org
[mailto:ActiveDir-owner (AT) mail (DOT) activedir.org] On Behalf Of Brett Shirley
Sent: Thursday, August 11, 2005 1:54 PM
To: ActiveDir (AT) mail (DOT) activedir.org
Subject: Re: [ActiveDir] A bad bad thing - Manual push of AD?
Well, you're lucky that you yanked the network cable in time; now you
don't have to do a system state restore to get the user back
Find a DC where the user still exists in a pristine condition, all the
mailbox details, etc. Reboot the DC in DS Restore mode (DSRM). Use
ntdsutil.exe to auth restore just that user's object.
You may (probably will) also have to restore links to that user; at
this point it'd be nice if you were running on Win2k3 SP1, but if not
it is still accomplishable.
For Win2k3 SP1, after auth restoring the user, there should be some ldf
file(s) that will allow you to restore the links. Simply use ldifde
to apply these files to the appropriate DCs (up to one ldf per domain).
For pre this latest generation (which is more likely, because you
could yank the net cable in time), you may have to find the objects
that are linked to the user, and restore them yourself. You can do
this by performing an LDAP operation that deletes and re-sets the
links to that user.
BTW, there is a more extensive KB article you might find useful:
Cheers,
BrettSh
This posting is provided "AS IS" with no warranties, and confers no
rights.
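The link-restore file Guido's message shows (delete/add pairs per linked attribute, imported with ldifde on a DC of the file's domain) and the manual delete/re-set of links Brett describes for pre-SP1 DCs, as an added example that is not code from the thread: it parses such an .ldf, checks that every delete is paired with a matching add and that every target lives in the domain named in the file name, and builds the same pair by hand. The DNs are constructed, and the function names are this example's own.

```python
# Constructed sample shaped like the thread's ar_*_links_*.ldf; DNs are made up.
SAMPLE_LDF = """\
dn: CN=Child1-UG1,OU=Groups,OU=MyCU1,DC=child1,DC=root,DC=net
changetype: modify
delete: member
member: CN=Root-User1,OU=Accounts,OU=MyRU1,
 OU=Externals,DC=root,DC=net
-

dn: CN=Child1-UG1,OU=Groups,OU=MyCU1,DC=child1,DC=root,DC=net
changetype: modify
add: member
member: CN=Root-User1,OU=Accounts,OU=MyRU1,OU=Externals,DC=root,DC=net
-
"""

def parse_ldif(text):
    """Unfold continuation lines; return one (dn, op, attr, value) per record."""
    text = text.replace("\n ", "")  # LDIF folds long values as newline + space
    records = []
    for block in text.strip().split("\n\n"):
        lines = [l for l in block.splitlines() if l.strip() not in ("", "-")]
        kv = [tuple(s.strip() for s in l.partition(":")[::2]) for l in lines]
        (_, dn), (_, ct), (op, attr), (attr2, value) = kv
        if ct != "modify" or attr != attr2 or op not in ("delete", "add"):
            raise ValueError(f"unexpected record for {dn}: {kv}")
        records.append((dn, op, attr, value))
    return records

def domain_of(dn):
    """DNS name from the DC= parts: the domain whose DC must run the import."""
    return ".".join(p[3:] for p in dn.split(",") if p.upper().startswith("DC="))

def check_links(records, file_domain):
    """Pair each delete with its add, check the target domain; return links."""
    if len(records) % 2:
        raise ValueError("odd record count: a delete/add pair is incomplete")
    links = []
    for d, a in zip(records[::2], records[1::2]):
        if (d[1], a[1]) != ("delete", "add") or d[0] != a[0] or d[2:] != a[2:]:
            raise ValueError(f"unpaired link records: {d} / {a}")
        if domain_of(d[0]).lower() != file_domain.lower():
            raise ValueError(f"{d[0]} is not in {file_domain}")
        links.append((d[0], d[2], d[3]))
    return links

def build_link_ldif(target_dn, attr, value_dn):
    """Pre-SP1 path from Brett's post: write the delete/add pair by hand."""
    rec = lambda op: f"dn: {target_dn}\nchangetype: modify\n{op}: {attr}\n{attr}: {value_dn}\n-\n"
    return rec("delete") + "\n" + rec("add")
```

Run check_links against the domain taken from the file name before importing with `Ldifde -i -k -f`, since `-k` makes ldifde continue past errors and an unpaired delete would otherwise leave the link missing.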
Thu, 11 Aug 2005, Shadow Roldan wrote:
So I did a bad thing, I deleted a user at a different site and
marked his mailbox for deletion
Immediately recognizing my mistake I *ran* to the server room and
yanked the network cable of the dc I was connected to.
For now, none of the changes have replicated.
I want to bring this machine back online, but I don't want those
changes to go through
How would you make this happen?
Thanks guys
S