Replication and Disaster Recovery

[Kerseub]

Hi everyone, I'm working on Active Directory Disaster Recovery scenario
for my company.
If I use a basic ntdsutil restore Database, objects created beetween the
last backup and the restauration are not deleted.
I would like to know if there is a way to restore a whole Domain (based
on several DC), whitout shutting down them for a while, deleting objects
created after the last backup.

I red some white paper about that, they explain that we have to shut
every DC,restore each of them, then put replication back. Is it really
the only way?

Thanks for comments

Romain KEIRSEBILCK

 

[Herb Martin]

Hi everyone, I'm working on Active Directory Disaster Recovery scenario
for my company.
If I use a basic ntdsutil restore Database, objects created beetween the
last backup and the restauration are not deleted.

Because they don't exist on the backup.


Note that NTDSUtil is only for AUTHORITATIVE restore and
had nothing to do with most disaster recovery.

I would like to know if there is a way to restore a whole Domain (based on
several DC), whitout shutting down them for a while, deleting objects
created after the last backup.

I red some white paper about that, they explain that we have to shut every
DC,restore each of them, then put replication back. Is it really the only
way?

What's the real purpose here?

Disaster recovery is about restoring after you lose data, not
getting rid of data you purposely created.

 

[Kerseub]

Well the purpose is to repair as quick a possible my Forest in a (really
unprobably )case where an attack or a virus filled my AD with unwanted
objects, making really so heavy damages, that a restauration would be
the best way to recover, not only a kind a request cleaning from the
date of creation.

I know that such a case would never happen, but my company really wish
to be ready, you know just in case where....



Herb Martin a écrit :

 

[Herb Martin]

Well the purpose is to repair as quick a possible my Forest in a (really
unprobably )case where an attack or a virus filled my AD with unwanted
objects, making really so heavy damages, that a restauration would be the
best way to recover, not only a kind a request cleaning from the date of
creation.

I know that such a case would never happen, but my company really wish to
be ready, you know just in case where....

Since it is hypothetical, then (test if you must and) write this up:

1) DCPromo one DC to non-DC (preferably the one with the master
roles and for which you have a backup).

2) Take all other DCs offline

3) Restore system state to online DC-to-be (#1) from backup

4) Test and seize any missing roles

5) DCPromo all offline DCs (forceremove if necessary)

6) Bring old DCs online and DCPromo them back to DC

7) Check DNS, run DCDiag etc.

Also consider that if you company is this concerned they
really should be running Win2003 and you should be making
Automatic System Recovery backups too.

(If you test, I would only go through #4 and actually do this
with an OFFLINE DC while leaving the real ones online for
testing -- opposite to what you would do in a real situation.)

 

[Jorge de Almeida Pinto [MVP - DS]]

follow the white paper about forest recovery.... use that as a basis for yur
own procedures

IMHO....NEVER use "restore database"!

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx

 

[Kerseub]

Thanks for all your comments, folks.


Herb Martin a écrit :