Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2007-11-20) Are You Using At Least 1 W2K3 SP1 DC In Your AD Domains?

Posted by Jorge on 2007-11-20


During one of the AD Q&A sessions at TechEd IT Forum I was kind of surprised that people did not know about a simple "save your a$$" method for when recovery of objects is needed, especially of objects that contain back-links.

The recovery of objects is explained in MS-KBQ840001

Basically it is a PITA to recover deleted objects when having:

  • Windows 2000 AD. "Linked Value Replication" is not supported.
  • Windows 2003 AD (no SP1 or higher DCs) at a lower FFL than "Windows Server 2003". "Linked Value Replication" is not supported.
  • Windows 2003 AD (no SP1 or higher DCs) at the FFL "Windows Server 2003". "Linked Value Replication" is not available during recovery of objects with linked attributes (e.g. member/memberOf) for links that were established before the FFL was raised to "Windows Server 2003"; it is available for links that were established after the FFL was raised to "Windows Server 2003".

In all of these scenarios it is even more difficult in a multi-domain AD forest. For the last scenario it would help (ONLY for recovery purposes of those objects) to retrieve the list of values of the linked attributes, clear them and write them back. Re-writing the links this way makes "Linked Value Replication" available during recovery of those objects with linked attributes (e.g. member/memberOf).

To make recovery of objects with linked attributes a lot easier in the scenarios mentioned above, it suffices to introduce at least ONE W2K3 SP1 DC (or higher). Why? Because a W2K3 SP1 DC (or higher) produces LDIF files and a TXT file when objects are authoritatively restored with NTDSUTIL, if those objects contain back-link attributes with values. The LDIF files can be imported after the DC has been rebooted into normal mode, and in a multi-domain AD forest the TXT file can be used to create LDIF files on W2K3 SP1 DCs (or higher) in the other AD domains.
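The post-reboot half of that flow, written out as an added example (this is not code from the original post, and it follows the page's description of the SP1 NTDSUTIL behaviour rather than any documented file format): the DSRM step is shown only as a comment, the object DN, timestamp and working directory are placeholders, and it assumes PowerShell 2.0 or later with ldifde.exe and ntdsutil.exe on the PATH of a W2K3 SP1 (or higher) DC.

```powershell
# Added example, not part of the original post.
# Step 1 was done earlier in Directory Services Restore Mode on a W2K3 SP1+ DC (not scripted here):
#   ntdsutil "authoritative restore" "restore object CN=PLACEHOLDER-GROUP,OU=Groups,DC=example,DC=com" quit quit
# As described in the post, that leaves an LDIF file with the back-link values for this domain and a
# TXT file listing the restored objects in the directory ntdsutil was run from. Assumed names
# (timestamp is a placeholder): ar_20071120-120000_links_example.com.ldf, ar_20071120-120000_objects.txt

param(
    [string]$WorkDir = "C:\ARestore",   # placeholder: directory ntdsutil was run from
    [switch]$OtherDomain                 # set on a W2K3 SP1+ DC in a *different* domain of the forest
)

function Get-ObjectsTxt([string]$dir) {
    # Newest ar_*_objects.txt = the most recent authoritative restore session
    $txt = Get-ChildItem -Path $dir -Filter "ar_*_objects.txt" |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $txt) { throw "No ar_*_objects.txt found in $dir" }
    return $txt
}

function Get-LinkLdfFiles([string]$dir) {
    # Every ar_*_links_*.ldf in the working directory; ntdsutil writes one per domain it covers
    return @(Get-ChildItem -Path $dir -Filter "ar_*_links_*.ldf")
}

function Import-LinkLdf([System.IO.FileInfo]$file) {
    # -i import, -k skip "object already exists"/constraint-violation errors so a re-run is harmless,
    # -j write ldif.log / ldif.err next to the file so the import can be audited afterwards
    & ldifde.exe -i -k -f $file.FullName -j $file.DirectoryName
    if ($LASTEXITCODE -ne 0) {
        throw "ldifde failed on $($file.Name) (exit $LASTEXITCODE); check $($file.DirectoryName)\ldif.err"
    }
}

Set-Location $WorkDir   # ntdsutil reads and writes its files in the current directory

if ($OtherDomain) {
    # No LDIF exists for this domain yet: have ntdsutil derive one from the objects list
    $objects = Get-ObjectsTxt $WorkDir
    & ntdsutil.exe "authoritative restore" "create ldif file(s) from $($objects.FullName)" quit quit
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil could not create LDIF from $($objects.Name)" }
}

$ldfs = Get-LinkLdfFiles $WorkDir
if ($ldfs.Count -eq 0) { throw "No ar_*_links_*.ldf to import in $WorkDir" }
foreach ($ldf in $ldfs) { Import-LinkLdf $ldf }
"Imported $($ldfs.Count) link file(s). Verify member/memberOf on the restored objects before closing the recovery."
```

Run it without the switch on the DC where the authoritative restore was done (after it is back in normal mode), and with `-OtherDomain` on a W2K3 SP1 (or higher) DC in each remaining domain after copying the TXT file there. The `-k` flag is what lets you re-run a partially imported file; read `ldif.err` rather than trusting a zero exit code alone.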

So, if you are in one of the scenarios mentioned above and you want to make recovery of objects a lot easier, make sure to introduce at least one W2K3 SP1 DC (or higher) that is also a GC in each AD domain of the AD forest. If you still have a W2K AD, you need to extend the AD schema first. For that check out "What Information Is Available When UPGRADING From W2K/E2K To W2K3 (R2)/E2K3?".
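A read-only check that answers the question in the title for every domain of the forest, as an added example (not from the original post): it lists each DC with its OS, service pack and GC status and warns for any domain that has no W2K3 SP1 (or newer) DC that is also a GC. It assumes PowerShell 2.0 or later, .NET 2.0, and read access to each domain naming context; the DC filter uses the SERVER_TRUST_ACCOUNT bit of userAccountControl.

```powershell
# Added example, not part of the original post. Nothing here writes to AD.

function Get-Prop($props, [string]$name) {
    # DirectorySearcher returns lower-cased property names; absent attributes are empty collections
    if ($props.Contains($name) -and $props[$name].Count -gt 0) { return [string]$props[$name][0] }
    return ""
}

function Test-W2k3Sp1OrNewer([string]$osVersion, [string]$servicePack) {
    # operatingSystemVersion looks like "5.2 (3790)"; W2K3 (and R2) is 5.2, 6.x and above is newer
    if ($osVersion -notmatch '^(\d+)\.(\d+)') { return $false }
    $major = [int]$matches[1]; $minor = [int]$matches[2]
    if ($major -gt 5) { return $true }
    if ($major -eq 5 -and $minor -eq 2) { return ($servicePack -match 'Service Pack [1-9]') }
    return $false   # Windows 2000 (5.0) never qualifies
}

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
"Forest $($forest.Name), forest functional level: $($forest.ForestMode)"

# Host names of all GCs in the forest, used to flag each DC as GC or not
$gcHosts = @{}
foreach ($gc in $forest.GlobalCatalogs) { $gcHosts[$gc.Name.ToLower()] = $true }

foreach ($domain in $forest.Domains) {
    "`nDomain $($domain.Name), domain functional level: $($domain.DomainMode)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain.GetDirectoryEntry())
    # userAccountControl bit 0x2000 (8192) = SERVER_TRUST_ACCOUNT = domain controller account
    $searcher.Filter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@(
        "dNSHostName", "operatingSystem", "operatingSystemVersion", "operatingSystemServicePack"))

    $qualifying = 0
    foreach ($result in $searcher.FindAll()) {
        $p    = $result.Properties
        $fqdn = Get-Prop $p "dnshostname"
        $os   = Get-Prop $p "operatingsystem"
        $sp   = Get-Prop $p "operatingsystemservicepack"
        $isGc = $gcHosts.ContainsKey($fqdn.ToLower())
        $ok   = (Test-W2k3Sp1OrNewer (Get-Prop $p "operatingsystemversion") $sp) -and $isGc
        if ($ok) { $qualifying++ }
        "  {0,-40} {1} {2}  GC={3}  W2K3SP1+GC={4}" -f $fqdn, $os, $sp, $isGc, $ok
    }
    if ($qualifying -eq 0) {
        "  WARNING: $($domain.Name) has no W2K3 SP1 (or newer) DC that is also a GC; recovery of back-links will be the hard way"
    }
}
```

Run it from any domain-joined machine with forest-wide read access; a domain that prints the warning is one where an authoritative restore of objects with back-links would not produce the LDIF/TXT helper files the post relies on.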

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge ############### http://JorgeQuestForKnowledge.wordpress.com/ ###############
———————————————————————————————
