2008 AD restore

Discussion in 'Active Directory' started by skip, Feb 3, 2009.

  1. Last week someone destroyed an OU that contained access to all the groups
    controlling access to our SAN. Once discovered, 15 minutes later they were all
    back. Would have been quicker but I got paranoid and booted into DSRM, even
    though I shouldn't have needed it (at least I can't understand why). I read
    something from Gil stating you need to, so I thought until I understand I
    best not take any chances. I have since taken the time and set ALL OUs to
    "Prevent Accidental OU Deletion" via the option on the new GUI. I should
    have set that a while back, but I didn't have the new tools and was too lazy
    to go back and remember how to do it w/o it.

    Paul Bergson [MVP-DS], Feb 6, 2009
    #21
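The "Prevent Accidental OU Deletion" flag mentioned above is the ProtectedFromAccidentalDeletion attribute, which can be audited and set for every OU at once instead of one at a time in the GUI. The script below is an added example, not something posted in this thread; it assumes the ActiveDirectory PowerShell module (RSAT) and rights to modify the OUs.

```powershell
# Added example (not from the thread): find every OU in the domain that is
# not protected against accidental deletion and enable the protection.
# Enabling the flag places Deny ACEs for Delete and Delete Subtree on the OU,
# so a stray delete fails until an admin deliberately clears the flag.
Import-Module ActiveDirectory

# Set to $false once the audit output looks right.
$dryRun = $true

$unprotected = Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Sort-Object DistinguishedName

if (-not $unprotected) {
    Write-Host 'All OUs are already protected from accidental deletion.'
    return
}

Write-Host ("{0} unprotected OU(s) found:" -f @($unprotected).Count)
foreach ($ou in $unprotected) {
    Write-Host "  $($ou.DistinguishedName)"
    if (-not $dryRun) {
        Set-ADOrganizationalUnit -Identity $ou.DistinguishedName `
            -ProtectedFromAccidentalDeletion $true
    }
}

if ($dryRun) {
    Write-Host 'Dry run only; set $dryRun = $false to apply the protection.'
}
```

Run it first with the dry run enabled and review the list; new OUs created later still need the flag set, so scheduling the audit is worthwhile.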

  2. I'm missing the point here.... Are you saying you experienced a mass deletion
    and you used the lag site DC or another DC that still had not received the
    deletion?

    Both DCs in that case did not receive the deletion, and the only way to
    make sure the deletion is NOT processed by DCs that have not received it yet is
    to increase the version of the objects that have not been deleted yet.... and
    that is ALWAYS done by booting into DSRM and using NTDSUTIL to increase the
    version by 100000 (default value).

    --

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)

    # Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

    BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
    BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
    ------------------------------------------------------------------------------------------
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always test ANY suggestion in a test environment before implementing!
    ------------------------------------------------------------------------------------------

     
    Jorge de Almeida Pinto [MVP - DS], Feb 9, 2009
    #22

  3. That is the part I don't get. Yes, I had a lag site that didn't get the mass
    deletion, so I rebooted the DC into DSRM to do the authoritative restore.

    Why do I have to be in DSRM to use NTDSUTIL to get the version to increase?
    I realize I'm supposed to; I just don't understand why AD requires me to
    do this.

    Paul Bergson [MVP-DS], Feb 10, 2009
    #23
  4. Because NTDSUTIL, whether or not you restore the System State, needs to
    access the NTDS.DIT offline. The NTDS.DIT cannot be online. Thinking about
    it a bit more: because you are not restoring the system state you might as
    well stop the NTDS service, do the NTDSUTIL thing, and start it again.
    Be aware though.... DO NOT FORGET TO RECOVER THE BACKLINKS BY IMPORTING THE
    LDF files. If you have multiple domains and those objects have relations in
    other AD domains you need to check those too! Just auth restoring the
    objects with NTDSUTIL might not be enough (you may have inconsistencies).


     
    Jorge de Almeida Pinto [MVP - DS], Feb 11, 2009
    #24
  5. Single domain, single forest.

    I understand backlinks but don't know what the following quote refers to:
    "DO NOT FORGET TO RECOVER THE BACKLINKS BY IMPORTING THE LDF"

    Paul Bergson [MVP-DS], Feb 13, 2009
    #25
  6. When you use NTDSUTIL to do an auth restore, LDF files are created if
    backlinks exist with values. If the auth restored object has backlinks to
    objects in other AD domains you need to use the TXT that is also created
    when using NTDSUTIL against a DC from each other AD domain. If backlinks
    exist, LDF files will be created again.

    Having a lag site does not mean it is much easier. It is easier
    because you do not have to restore the system state and you use DCs that are
    not used for auth/LDAP/etc.


     
    Jorge de Almeida Pinto [MVP - DS], Feb 14, 2009
    #26
  7. Never knew this piece. So where are the LDF files created? On the DC, I would
    assume.

    Paul Bergson [MVP-DS], Feb 16, 2009
    #27
  8. Gotcha, and found 6 objects with backlinks needing to be repaired.

    THX!

    Paul Bergson [MVP-DS], Feb 17, 2009
    #28
  9. The LDF files and the TXT are created in the location where you started
    NTDSUTIL. If you started NTDSUTIL in C:\TEMP, you will find the files in
    there.

    This has been there since W2K3 SP1, and the system displays a message after
    executing NTDSUTIL (when doing an auth restore) that the files were created.


     
    Jorge de Almeida Pinto [MVP - DS], Feb 19, 2009
    #29
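The backlink recovery step the thread keeps coming back to is a plain LDIF import of the files NTDSUTIL leaves in its working directory. The script below is an added example, not code posted in this thread; it assumes a single-domain forest, that NTDSUTIL was started in C:\TEMP on the restored DC, that the NTDS service is running again, and that the ActiveDirectory module is available for the verification step.

```powershell
# Added example (not from the thread): import the LDF files written by an
# NTDSUTIL authoritative restore to recover back-links (e.g. group memberships),
# then confirm the linked attributes are populated on the objects they name.
Import-Module ActiveDirectory

$workDir  = 'C:\TEMP'   # assumption: directory NTDSUTIL was started in
$ldfFiles = Get-ChildItem -Path $workDir -Filter '*.ldf' -File
if (-not $ldfFiles) { Write-Warning "No LDF files found in $workDir"; return }

foreach ($ldf in $ldfFiles) {
    $logDir = Join-Path $workDir ($ldf.BaseName + '-import')
    New-Item -ItemType Directory -Path $logDir -Force | Out-Null

    # ldifde -i  : import mode
    #        -k  : continue past 'Object Already Exists' / 'Constraint Violation',
    #              which are expected when a link was already present
    #        -f  : input file
    #        -j  : directory for ldif.log / ldif.err
    & ldifde.exe -i -k -f $ldf.FullName -j $logDir
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "ldifde returned $LASTEXITCODE for $($ldf.Name); see $logDir\ldif.err"
    }

    # Verification: every 'dn:' entry in the LDF is an object whose linked
    # attribute was re-added; report any that still has no member/memberOf values.
    $dns = Select-String -Path $ldf.FullName -Pattern '^dn: (.+)$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value } | Sort-Object -Unique
    foreach ($dn in $dns) {
        $obj = Get-ADObject -Identity $dn -Properties member, memberOf -ErrorAction SilentlyContinue
        if (-not $obj) { Write-Warning "Not found after import: $dn"; continue }
        $links = @($obj.member).Count + @($obj.memberOf).Count
        if ($links -eq 0) { Write-Warning "No link values on $dn" }
        else { Write-Host ("OK  {0} link value(s) on {1}" -f $links, $dn) }
    }
}
```

Review ldif.err in each import directory afterwards; with a multi-domain forest the TXT file NTDSUTIL also writes must be used against a DC in every other domain, as described above.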