Posted: 12-Jan-2016
Kimberry Associates
www.kimberry.co.uk

SVR331 Active Directory Disaster Recovery Part 2 of 2
John Craddock, Principal Systems Consultant, [email protected]
Sally Storey, Senior Consultant, [email protected]

Welcome Back to Part 2
Infrastructure Components
File Replication and SYSVOL
Backing up the Directory
Restoring the Directory
Authoritative Restores
Recovering a Forest
And of course lots of demos

Legal Stuff
Every effort has been made to make this seminar as complete and as accurate as possible, but no warranty or fitness is implied.
The presenters, authors, publisher and distributor assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.
Names identifying the directory and associated objects are fictitious and are not intended to represent any organizations or people.
All trademarks are acknowledged and are the property of their respective owners.
© All materials are copyright Kimberry Associates

Restore through Reinstallation
Clean up the AD
  Remove references to the failed DC
  Action depends on the name of the new server
Make sure the hardware is OK and install a new copy of the OS
Promote into the domain
Allow replication to populate the AD
  Network traffic may be excessive, especially if you want the new DC to be a GC

Server Name
Always remove the NTDS Settings (nTDSDSA) object for the failed server
  Use ntdsutil (simplified with SP1)
  See "How To: Remove Data in Active Directory After an Unsuccessful Domain Controller Demotion" (Q216498)
If the new server will have a new name
  Remove the old server objects from Sites and Services and the Domain Controllers OU

Restore From Backup

Take Care
Only use this option if you are recovering all DCs in a domain
Equivalent of a D4 authoritative restore

Unless you Like Morphed Folders

GC Caveats
If restoring a domain from an older backup, you may need to reinitialise the GCs in other domains
Diagram: forest with example.com and child.example.com; child.example.com is restored back in time, so the global catalogs in example.com hold newer data about child than the restored domain itself

Deleted Objects
The isDeleted attribute is set TRUE
Changes the RDN of the object to include the object's GUID
  Adds characters that could never be set by an LDAP call
Strips all but the preserved attributes
Moves the object to the Deleted Objects container

Tombstone Period
The object remains in the Deleted Objects container for the tombstone period
  Default 60 days (SP1 = 180 days)
The Garbage Collector removes any deleted objects for which the tombstone period has expired
  Runs every 12 hours (default setting)

Re-Animating Objects
Server 2003 provides a re-animation API
  SP1 re-animation includes sIDHistory
Stripped attributes are not restored
To re-animate
  Set the LDAP control flags to show deleted objects
  In one operation on the deleted object
    Set the isDeleted attribute to NULL
    Set the DN appropriately for the container in which to re-animate the object

Recovering Deleted / Changed Objects
After the System State has been restored, objects within the directory can be marked as authoritative (increases version number)
  "Guarantees" that the restored object will replicate out from the restored DC
The whole of the directory with the exception of the schema can be made authoritative
  Not recommended
Mark only the objects that must be authoritatively restored

Performing an Authoritative Restore
Flow diagram: Restore mode -> run ntdsutil and mark the required objects authoritative -> restart (new DSA GUID) -> replicate changes since backup (accepted if they carry higher version numbers) -> replicate authoritative objects
Does not need to be restored from backup: any DC can be made authoritative provided it holds the appropriate objects

Authoritatively Restoring an OU
Diagram: OU TheBoys containing Julian, Dick and George
Mark as authoritative: increments the version number on all contained objects and attributes

Authoritative Restore
Diagram: DC1, DC2 and DC3 each hold group G1 (VN=50) and user George (VN=91); George is deleted and moved to the Deleted Objects container; DC1 is taken into restore mode, a backup taken prior to the deletion is restored, and George is marked authoritative (VN=100,090)

Caveats to Authoritative Restores
An authoritative restore that involves computer and trust objects may invalidate their accounts
  The passwords are periodically reset (default 30 days)
  A history of two passwords is kept
  You may experience problems if restoring older backups

More Caveats
Authoritatively restoring users and groups may result in inconsistent group membership
  The behaviour depends on the forest functionality level when the group was created and/or when the user was added to the group
  The behaviour affects all multi-valued linked attributes

Multi-Valued Linked Attributes
Groups store their membership list in their member attribute
  The member attribute is a multi-valued linked attribute
  This discussion affects the restoration of all multi-valued linked attributes
Each pair of linked attributes is identified by the schema-defined linkID property
  Forward links are even (n) and the associated back link is odd (n+1)

Link Table (Simplified)
Entries are created in a link table when a group is created/modified through origination or replication
The link tables are constructed on each DC
Diagram: link table with forward (member) and back (memberOf) link entries for users John and Sally in groups G1, G2 and G3

Replicating Group Membership
In a Windows 2000 forest the group member attribute is replicated in its entirety
  Replication metadata is attached to the member attribute
In a Windows 2003 forest or Windows 2003 Interim forest the linked values are replicated
  Referred to as linked-value replication
  Replication metadata is attached to each value of the member attribute

Attribute Clean-up
If either the linked source or destination object is deleted, the associated linked attribute value is deleted
  Deleting a user removes that user from the member attributes of all linked groups
  Deleting a group removes that group from the calculated memberOf attributes of all linked users
Diagram: a group with members John and Sally; deleting John removes him from the group's member attribute (leaving Sally) with no version number increase on the attribute

Add a User from Another Domain
Diagram: forest with example.com (DC1, DC2) and child.example.com (Child DC1); user Vladimir is added to a group in the other domain and the membership replicates

Deleting the User
Diagram: Vladimir is deleted in example.com (DC1, DC2) and the deletion replicates; on Child DC1 the reference is deleted by the Infrastructure Master, or automatically cleaned when the deletion arrives through GC replication; the group's VN does not change and the clean-up itself is not replicated

Phantoms
If a user from a different domain is added to a group, a link is created
  If the DC on which the group is created is a GC, the forward link references the user in the GC
  If the DC is not a GC then a phantom record is created
If the user is deleted, the group's member attribute will be updated when the reference is deleted
  The GC replicates the deletion
  The Infrastructure Master deletes the phantom

Restoring Groups and Users
If groups and users are authoritatively restored on one DC
  There is no guarantee that the users will replicate in advance of the group
If a group is replicated in advance of a user who is a member of the group
  The receiving DC has no record of the user and deletes it from the group

Authoritative Restore 2000
Diagram: DC1, DC2 and DC3 each hold G1 (VN=50); George is marked as authoritative on DC1 (VN=100,000+) and replicates to DC2 and DC3, but the group membership is not restored

Restoring the Link
Running in a 2000 forest means that the group membership will not replicate
  This also applies to group membership that was created prior to moving to 2003 forest functionality
  No linked-value replication metadata

Solutions for pre-2003 Forest Mode Group Membership
Solution 1:
  Authoritatively restore users
  Add a dummy user to the group and allow it to replicate
  Does not guarantee authority
Solution 2:
  Authoritatively restore users
  Allow to replicate
  Authoritatively restore groups
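The version-number mechanics behind the Authoritative Restore 2000 diagram, the Restoring Groups and Users slide and Solution 2, as an added simulation that is not part of the seminar: a toy two-DC model (DC and object names are constructed) with whole-attribute replication of member, showing that restoring only the user loses the membership, restoring user and group together depends on replication order, and restoring users, letting them replicate, then restoring groups keeps it.

```python
from copy import deepcopy

VN_BUMP_PER_DAY = 100_000  # ntdsutil raises the version by 100,000 per day since the backup


class DC:
    """Minimal domain controller: objects[dn] = {attribute: (value, version)}."""

    def __init__(self, name, objects):
        self.name = name
        self.objects = deepcopy(objects)

    def exists(self, dn):
        return dn in self.objects and not self.objects[dn].get("isDeleted", (True, 0))[0]

    def delete(self, dn):
        # Tombstone the object; link clean-up then drops it from every group's
        # member list without raising the member attribute's version number.
        _, ver = self.objects[dn]["isDeleted"]
        self.objects[dn]["isDeleted"] = (True, ver + 1)
        self.cleanup_links(dn)

    def cleanup_links(self, dn):
        for attrs in self.objects.values():
            if "member" in attrs:
                values, ver = attrs["member"]
                attrs["member"] = ([m for m in values if m != dn], ver)

    def mark_authoritative(self, dn, days_since_backup):
        bump = VN_BUMP_PER_DAY * days_since_backup
        self.objects[dn] = {a: (v, ver + bump) for a, (v, ver) in self.objects[dn].items()}

    def members(self, group_dn):
        return list(self.objects[group_dn]["member"][0])


def replicate(src, dst, order=None):
    """Replicate src -> dst; an attribute is accepted only if its version is higher."""
    for dn in order or list(src.objects):
        target = dst.objects.setdefault(dn, {})
        for attr, (value, ver) in src.objects[dn].items():
            if attr in target and target[attr][1] >= ver:
                continue
            if attr == "member":
                # 2000 forest mode: the whole member attribute arrives as one unit and
                # the receiving DC drops any value naming a user it does not (yet) hold.
                value = [m for m in value if dst.exists(m)]
            target[attr] = (value, ver)
        if target["isDeleted"][0]:
            dst.cleanup_links(dn)


BACKUP = {  # constructed domain state at backup time: G1 contains George, VN=50 as on the slides
    "CN=George": {"isDeleted": (False, 50)},
    "CN=G1": {"isDeleted": (False, 50), "member": (["CN=George"], 50)},
}


def run(restore_group=False, group_first=False, users_then_groups=False):
    """George is deleted and the deletion replicates; DC1 is then restored from the
    backup and objects are marked authoritative.  Returns (George live on DC2?,
    G1's member list as seen on DC2)."""
    dc1, dc2 = DC("DC1", BACKUP), DC("DC2", BACKUP)
    dc1.delete("CN=George")
    replicate(dc1, dc2)                                  # deletion reaches DC2
    dc1.objects = deepcopy(BACKUP)                       # system state restore on DC1
    dc1.mark_authoritative("CN=George", days_since_backup=1)
    if users_then_groups:                                # Solution 2 from the slides
        replicate(dc1, dc2)
        dc1.mark_authoritative("CN=G1", days_since_backup=1)
    elif restore_group:                                  # users and groups marked together
        dc1.mark_authoritative("CN=G1", days_since_backup=1)
    order = ["CN=G1", "CN=George"] if group_first else None
    replicate(dc1, dc2, order)
    return dc2.exists("CN=George"), dc2.members("CN=G1")


if __name__ == "__main__":
    print("users only:               ", run())
    print("users+groups, user first: ", run(restore_group=True))
    print("users+groups, group first:", run(restore_group=True, group_first=True))
    print("solution 2:               ", run(users_then_groups=True))
```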

2003 SP1 Authoritative Restore Enhancements
Ntdsutil automatically generates an ldif file identifying all of the links for authoritatively restored objects
After the restore, wait for the objects to be replicated throughout the domain
Restore the links by using ldifde to import the ldif file onto a GC in the domain
  ldifde -i -k -f links.ldf

Know Your Environment
None of the solutions (including 2003 forest mode) restore domain local group memberships defined in other domains
  You can authoritatively restore each domain and allow ntdsutil to create the appropriate ldif files
Know your group memberships
  Dump information to reference files
  Know how to restore the membership via scripts

Our Environment: 2000 Forest
Diagram: DC1, DC2 and DC3; in OU TheBoys, Julian is a member of G1 with manager Anne, Dick is a member of G2 with manager Timmy, and George has no group membership yet; the member/memberOf and manager/reports links were added in 2000 mode and point at the back link

Raised to 2003
Diagram: the same environment after raising the forest to 2003 functionality; George is added to G3 in 2003 mode (points at back link), while the links added in 2000 mode still point at the back link

The Boys Get Deleted
Diagram: DC1, DC2 and DC3 are left with G1 (manager Anne), G2 (manager Timmy) and G3; the member and memberOf links to the deleted users are gone

The Boys are Authoritatively Restored
Diagram: on DC3 the OU TheBoys (Julian, Dick, George) is authoritatively restored with all its links, both those added in 2000 mode and those added in 2003 mode

What Replicates to DC1 & DC2?
Diagram: DC1 and DC2 receive the restored users and George's membership of G3 (added in 2003 mode), but are missing all links created in the 2000 forest

LDIF File produced by NTDSUTIL
dn: CN=G2,OU=Groups,OU=Boys&Girls,DC=rep1,DC=example,DC=com
changetype: modify
delete: member
member: CN=Dick,OU=TheBoys,OU=Boys&Girls,DC=rep1,DC=example,DC=com
-

dn: CN=G2,OU=Groups,OU=Boys&Girls,DC=rep1,DC=example,DC=com
changetype: modify
add: member
member: CN=Dick,OU=TheBoys,OU=Boys&Girls,DC=rep1,DC=example,DC=com
-

dn: CN=G3,OU=Groups,OU=Boys&Girls,DC=rep1,DC=example,DC=com
changetype: modify
delete: member
member: CN=Dick,OU=TheBoys,OU=Boys&Girls,DC=rep1,DC=example,DC=com
-

dn: CN=G3,OU=Groups,OU=Boys&Girls,DC=rep1,DC=example,DC=com
changetype: modify
add: member
member: CN=Dick,OU=TheBoys,OU=Boys&Girls,DC=rep1,DC=example,DC=com
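A parser and sanity check for the links file, as an added example that is not from the seminar or from ntdsutil: the sample records are constructed to mirror the slide (same fictitious rep1.example.com DNs), and the check reports any add that is not preceded by a delete of the same value, which is the delete-then-add pattern the tool relies on to write each link value afresh.

```python
import base64

# Constructed sample mirroring the slide: for every link of a restored object
# ntdsutil writes a delete of the value followed by an add of the same value.
SAMPLE_LDIF = """\
dn: CN=G2,OU=Groups,OU=Boys&Girls,DC=rep1,DC=example,DC=com
changetype: modify
delete: member
member: CN=Dick,OU=TheBoys,OU=Boys&Girls,DC=rep1,DC=example,DC=com
-

dn: CN=G2,OU=Groups,OU=Boys&Girls,DC=rep1,DC=example,DC=com
changetype: modify
add: member
member: CN=Dick,OU=TheBoys,OU=Boys&Girls,DC=rep1,DC=example,DC=com
-

dn: CN=G3,OU=Groups,OU=Boys&Girls,DC=rep1,DC=example,DC=com
changetype: modify
delete: member
member: CN=Dick,OU=TheBoys,OU=Boys&Girls,DC=rep1,DC=example,DC=com
-

dn: CN=G3,OU=Groups,OU=Boys&Girls,DC=rep1,DC=example,DC=com
changetype: modify
add: member
member: CN=Dick,OU=TheBoys,OU=Boys&Girls,DC=rep1,DC=example,DC=com
"""


def unfold(text):
    """Join LDIF continuation lines: a line starting with a space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif_changes(text):
    """Return records as {dn, changetype, mods: [(op, attr, [values])]}."""
    records, rec, mod = [], None, None
    for line in unfold(text) + [""]:                  # sentinel closes the last record
        if line == "":
            if rec is not None:
                if mod is not None:
                    rec["mods"].append(mod)
                records.append(rec)
            rec, mod = None, None
            continue
        if line.startswith("#"):
            continue
        if line == "-":                               # end of one modify operation
            rec["mods"].append(mod)
            mod = None
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):                     # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        if key == "dn":
            rec = {"dn": value, "changetype": None, "mods": []}
        elif key == "changetype":
            rec["changetype"] = value
        elif key in ("add", "delete", "replace"):
            mod = (key, value, [])
        elif mod is not None and key == mod[1]:
            mod[2].append(value)
        else:
            raise ValueError(f"unexpected LDIF line: {line!r}")
    return records


def planned_links(records):
    """Return ({group_dn: [member_dn, ...]}, [problems]): the link values the file will
    re-add, plus any add not preceded by a delete of the same value and any record
    that is not a changetype: modify."""
    restored, problems, deleted = {}, [], set()
    for rec in records:
        if rec["changetype"] != "modify":
            problems.append(f"{rec['dn']}: changetype {rec['changetype']!r} is not modify")
            continue
        for op, attr, values in rec["mods"]:
            for v in values:
                if op == "delete":
                    deleted.add((rec["dn"], attr, v))
                elif op == "add":
                    if (rec["dn"], attr, v) not in deleted:
                        problems.append(f"{rec['dn']}: add of {v} without a preceding delete")
                    restored.setdefault(rec["dn"], []).append(v)
    return restored, problems
```

Run planned_links(parse_ldif_changes(open("links.ldf").read())) against the file ntdsutil produced to see which memberships the ldifde import will re-create before you run it on the GC.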

You Must Must Must…
Have a tried and tested DR Plan
  It's too late to work out how to fix it when things have gone wrong
A planned response to failure prevents an event turning into a DISASTER

So Now we Know the Components, Let's Put them All Together to Recover a Forest

Not a Good Day…
Loss of forest, through
  Rogue script, malicious operator, virus…
  Who was in control of your Schema and Enterprise Administrators groups?
You must know your forest
  Server roles
  All infrastructure role placements
  Server based applications
    Impacts on AD and Registry

Time Warp
You will be restoring your forest to a time when you know it was good
  This will lose all changes since the last backups
  Will impact applications that are dependent on forest preps
  Server based applications may be affected by restoring an earlier registry
  May impact Access Control Lists on resources

Maintaining Integrity
Restore only one DC per domain
Locate your backups and test their integrity
  You should be backing up two DCs per domain and "know" the backups are good
Promote the other servers into the domain
  Even if you have backups for them
  This will involve more time, but reduces the risk of introducing corrupt data
Diagram: latest backups

Restore the Root
Before you start, shut down all other servers and isolate the DC to be restored from the network
  There is a danger that live servers could replicate and corrupt data
Flow diagram: Restore a good backup (SYSVOL primary) and check data integrity -> DNS: remove all references to other servers -> if a GC, disable -> delete metadata for all other DCs in the domain -> seize all FSMOs -> elevate the RID pool / clean ACLs -> enable as GC -> perform a thorough health check and backup

Restoring Other Domains
Proceed using the same technique for all the other domains
  Make sure DCs have access to forest DNS
  Force synchronization between domains
Start promoting other DCs
  Once the forest infrastructure is established and its integrity verified
  If necessary, use an unattend file with dcpromo to force the initial replication partner
  Use Windows 2003 install from media (IFM)
    Always test the IFM seed before use in production

Post Restore
Redistribute FSMO roles
Establish correct DNS infrastructure
Review all processes and procedures
Decide you will never let this happen again!

And There is More…
Order on the web: www.kimberry.co.uk
Discount code KB1764 (15% discount)

Resources
Forest Recovery Whitepaper: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=3EDA5A79-C99B-4DF9-823C-933FEBA08CFE
Windows Server 2003 Operation Guide: http://www.microsoft.com/technet/itsolutions/cits/mo/winsrvmg/adpog/adpog1.mspx
Windows Server 2003 SP1 authoritative restore help: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/690730c7-83ce-4475-b9b4-46f76c9c7c90.mspx
How to force demote a DC: http://support.microsoft.com/default.aspx?scid=kb;en-us;332199
Group Policy Administration using GPMC: http://download.microsoft.com/download/a/9/c/a9c0f2b8-4803-4d63-8c32-3040d76aa98d/GPMC_Administering.doc

Thanks for coming to the seminar. Hope to see you again.

Resources
Technical Chats and Webcasts: http://www.microsoft.com/communities/chats/default.mspx and http://www.microsoft.com/usa/webcasts/default.asp
Microsoft Learning and Certification: http://www.microsoft.com/learning/default.mspx
MSDN & TechNet: http://microsoft.com/msdn and http://microsoft.com/technet
Virtual Labs: http://www.microsoft.com/technet/traincert/virtuallab/rms.mspx
Newsgroups: http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx
Technical Community Sites: http://www.microsoft.com/communities/default.mspx
User Groups: http://www.microsoft.com/communities/usergroups/default.mspx

Live from Tech·Ed Webcast Series has been brought to you by: www.microsoft.com/hpc
Fill out a session evaluation on CommNet and win an XBOX 360!

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.