Cannot create object - The directory service was unable to allocate a relative identifier

    Question

  • We are in the process of creating our AD DR env of our PROD env on a separate subnet as we don't want the DR env to talk to the PROD env.

    PROD Env: Forest functional level is W2k3 and all DC's are w2k3 and are all Vmware VM's.

    We have created a DR env on another subnet with a similar number of VM's for a similar number of DC's in the prod env.

    Next, we restored the ntbackup of the DC in the prod env that had all the roles, except GC, on one of the VM's in the DR env.

    Went into DSRM and restored the backup non-authoritatively.

    Then, before rebooting, set the burflags to D4 to make it the AD DB authoritative.

    Note: We have an internal policy here that specifically asks us to first do non-authoritative restore then use either ntdsutil or via burflags to set to Authoritative.

    Rebooted this VM into normal mode. Then went into ncpa.cpl to set the DR env IP addresses. DNS was set to look at itself as this was the first DC in the domain.

    Then, started DNS server and started Netlogon from paused state.

    Created a new subnet for the site as the DR network is different compared to prod. Now, this first DC is functioning as expected.

    Now, when I try to add an ADC...it gives the following error towards the end of the dcpromo process:

    "The directory service was unable to allocate a relative identifier"

    I tried to first add the VM to the domain...but same error.

    I have gone through the following MS articles to no avail, as this is a DR site with no connection to the Prod network.

    http://support.microsoft.com/kb/839879 & http://support.microsoft.com/kb/822053

    Would appreciate expert comments on how to proceed...

    Thanks in advance.


    - thestriver

    Thursday, April 12, 2012 5:34 PM

All replies

  • Or any other approach to create the DR env. Main point is the DR env should not talk with the Prod env at all. Thanks!

    - thestriver

    Thursday, April 12, 2012 5:38 PM
  • First of all, the BurFlags registry key is used to perform authoritative or nonauthoritative restores on File Replication Service members of DFS or SYSVOL replica sets, and not for the AD authoritative restore. You have to run the authoritative restore command. I'm not sure where you got that information from.

    Ref KB-

    Using the BurFlags registry key to reinitialize File Replication Service replica sets
    http://support.microsoft.com/kb/290762

    How to perform an authoritative restore to a domain controller
    http://support.microsoft.com/kb/241594

    In your case you mentioned that the Netlogon service was paused on the restored DC; this indicates that the DC is in USN rollback. This condition occurs when a domain controller starts from an Active Directory database that has been incorrectly restored or copied into place. This condition is known as an update sequence number rollback, or USN rollback.

    When a USN rollback occurs, modifications to objects and attributes that occur on one domain controller do not replicate to other domain controllers in the forest, because replication partners believe that they have an up-to-date copy of the Active Directory database.

    Ref KB-

    How to detect and recover from a USN rollback in Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2
    http://support.microsoft.com/kb/875495


    In your case you should follow this article to correctly restore the AD backup to a VM

    How to perform a disaster recovery restoration of Active Directory on a computer with a different hardware configuration
    http://support.microsoft.com/kb/263532


    Sachin Gadhave

    Thursday, April 12, 2012 6:48 PM
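Sachin's point that a Netlogon service left in the Paused state after the restore is a USN-rollback indicator can be turned into a quick check. The PowerShell below is an added example written for this page, not code from the post or from KB875495; it reads the three indicators that KB article documents for Windows Server 2003 SP1 and later (Netlogon paused, the "Dsa Not Writable" registry value set to 4, and event ID 2095 in the Directory Service log). The function name Test-UsnRollback and the shape of its output are my own.

```powershell
# Added example (not from the thread): report the USN-rollback indicators
# documented in KB875495 for the local domain controller.
# Run in an elevated PowerShell session on the restored DC.
function Test-UsnRollback {
    $ntdsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $findings = @()

    # Indicator 1: NTDS pauses Netlogon so the DC stops advertising itself.
    $netlogon = Get-Service -Name Netlogon -ErrorAction SilentlyContinue
    if ($netlogon -and $netlogon.Status -eq 'Paused') {
        $findings += 'Netlogon service is in the Paused state'
    }

    # Indicator 2: "Dsa Not Writable" = 4 quarantines the directory from replication.
    $dsa = Get-ItemProperty -Path $ntdsKey -Name 'Dsa Not Writable' -ErrorAction SilentlyContinue
    if ($dsa -and $dsa.'Dsa Not Writable' -eq 4) {
        $findings += '"Dsa Not Writable" registry value is 4'
    }

    # Indicator 3: event 2095 in the Directory Service log names the rollback.
    # Filter on EventID rather than InstanceId so qualifier bits do not matter.
    $evt = Get-EventLog -LogName 'Directory Service' -Newest 500 -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 2095 } |
        Select-Object -First 1
    if ($evt) {
        $findings += "Event ID 2095 logged at $($evt.TimeGenerated)"
    }

    # New-Object rather than [pscustomobject] so this also runs on PowerShell 2.0.
    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        UsnRollback  = ($findings.Count -gt 0)
        Findings     = $findings
    }
}

# Usage:
Test-UsnRollback | Format-List ComputerName, UsnRollback, Findings
```

If any finding is reported, the fix is the one the thread already points to in KB875495 (restore the DC from a good AD-aware backup or demote and re-promote it); simply starting the paused Netlogon service, as was done in the question, only hides the condition.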
  • Thanks, Sachin. Forgot to mention it in prev post. I had tried to restore database using ntdsutil, however, it came up with an error and did not restore the DB authoritatively. I will retry and post the error message. Thanks again.

    - thestriver

    Thursday, April 12, 2012 7:26 PM
  • Hello,

    even a DR system requires connectivity to the domain at least in between the tombstone lifetime for synchronization and basically should be connected as normal DCs. For restore from objects you still have to use AD aware backups, so no clones/images/snapshots.

    "Next, we restored the ntbackup of the DC in the prod env that had all the roles, except GC, on one of the VM's in the DR env. Went into DSRM and restored the backup non-authoritatively. "

    What you have created according to the description is NOT a DR site this is a clone from the production domain and should NEVER be connected with the production domain.

    For forest recovery see: http://www.microsoft.com/download/en/details.aspx?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3a+MicrosoftDownloadCenter+(Microsoft+Download+Center)&id=16506 and http://blogs.technet.com/b/instan/archive/2008/11/07/dude-where-s-my-forest-root.aspx


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Thursday, April 12, 2012 9:09 PM
  • Hi,

    1. Next, we restored the ntbackup of the DC in the prod env that had all the roles, except GC, on one of the VM's in the DR env.
    This is not a supported way. Active Directory is only aware of the SYSTEM STATE backup. Microsoft does not support restoring a system state backup from one computer to a second computer of a different make, model, or hardware configuration. Also, sometimes it does not work on the same hardware.

    2. Then, started DNS server and started Netlogon from paused state.
    That means the DC is in USN rollback state. Configuring a DC by cloning or imaging is not recommended because it creates USN rollback.
    How to detect and recover from a USN rollback in Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2
    http://support.microsoft.com/kb/875495

    3. Would appreciate expert comments on how to proceed.
    Planning for High Availability: Disaster Recovery Planning
    http://www.windowsnetworking.com/articles_tutorials/High-Availability-Disaster-Recovery-Planning.html

    http://www.datacenterchecklists.com/active-directory-disaster-recovery-plan-drp-strategy-presentation



    Best Regards,

    Abhijit Waikar.
    MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Friday, April 13, 2012 1:48 AM
  • Thanks. That is precisely the point - "DR site this is a clone from the production domain and should NEVER be connected with the production domain". Actually, the requirement is to have the production env up and running on another subnet...in this case called the DR env. And this should be achieved not by replication but by latest good ntbackup's only. Like mimicking a scenario where all DC's in the forest has got corrupted beyond repair and the hardware also has got damaged. Something like a natural calamity.

    What would be the approach in such case? Thanks for your assistance thus far...


    - thestriver

    Friday, April 13, 2012 7:49 AM
  • Hello,

    this requires a forest recovery procedure as outlined in the documents in the link posted earlier.

    You cannot have the cloned domain running and just switch the computers in the worst case to this one; user and machine passwords are not updated, as one example. Secure channels will break etc. If you like to use the cloned environment you have to move all clients into a workgroup, remove them from ADUC and then rejoin them to the cloned domain to get them hopefully working.

    But this cannot be done with DCs, Exchange servers or SQL, CA etc., as these systems require a domain and cannot just be brought to a workgroup and then join the domain again.

    The cloned environment can be used for TESTING only and as said before NEVER be connected to production.

    If you need a high availability system then think about virtualization and data centers in different locations, where you can mirror important data. Also SQL/Exchange can be used with clustering, and still some more systems. For DCs clustering is NOT recommended.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.



    Friday, April 13, 2012 8:03 AM
  • Thanks. I had restored system state and C drive. These are similar vmware vm's, both on prod and dr, from os, patches, sp, virtual h/w, drivers, the drive sizes are similar or greater, et al.

    What would be the supported way to recreate the prod env in the dr env, from ntbackups only, in virtualized env?


    - thestriver

    Friday, April 13, 2012 8:16 AM
  • Hello,

    I cannot follow this question as all answers at the moment state don't do it this way, as this will result in multiple problems and is also NOT supported.

    Maybe this article helps your understanding: http://blogs.technet.com/b/askds/archive/2008/10/20/lag-site-or-hot-site-aka-delayed-replication-for-active-directory-disaster-recovery-support.aspx

    Again, in your case please make sure to have AD aware backups and then prepare yourself for forest recovery with the already mentioned documents.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Friday, April 13, 2012 8:28 AM
  • Officially, system state backup is not supported on different hardware; it is to be used on the same or a similar system, but I have seen scenarios where it doesn't work on a similar system either, due to driver version differences.

    For the DR site I would recommend installing an additional Domain Controller (ADC). It could be physical or virtual, as the DR server should be in sync with the production server.

    If you want to make sure that the DR DC is not used for authentication unless the first one fails, you can tweak the weight and priority of the DC. http://technet.microsoft.com/en-us/library/cc737541%28WS.10%29.aspx has some instructions on how to do this.

    Reference link: http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/f910fdeb-8e95-4837-a9af-1fdff6c6b332


    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Friday, April 13, 2012 8:40 AM
  • Such an approach with Active Directory domains is not possible, as a domain consists of many dynamic tangible mechanisms like machine account passwords, SID, GUID, USN etc. These components are linked and inter-reliant, therefore what you are trying to achieve as part of your DR strategy is practically impossible. You can't take a holistic approach. You can restore a domain controller to a max and do testing on that; however, you cannot switch to that DC when your prod DC crashes. There are several modules that would malfunction in such a case.

    The suggested way would be to build a DR/Test domain running parallel to the production domain with similar settings and configs as your prod domain. This way you can reproduce your scenarios in the test domain. But this too has limitations; you won't have any failover capabilities, as Meinolf said. This is by design. Server roles such as SQL, DC, Exchange etc. cannot be switched to another domain without rebuilding them; you can't just disjoin and re-join those servers.

    You should follow a more granular approach in strategizing your DR plan. Divide things into pieces and build your plan around them, e.g. to protect your domain you should promote additional DC's, for SQL server you can build a failover cluster.


    Sachin Gadhave

    Friday, April 13, 2012 8:51 AM
  • Thanks for the replies, Meinolf and for the patience. Thank you.

    Everyone here is correct that virtualization may not be good for Dc's. But I joined here recently and they have their prod Dc's on vmware vm's. They will not even hear me out if I start to talk physical DC's upgrade.

    So here are some more points:

    The prod env is vmware vm's. This means all DC's in all domains and forests are VM's.

    The dr env is also the same. I checked, the DR vm's are not cloned/snapshot. The dr VM's were created from a standard template we use here.  Then, their SID's were changed with a sid changing utility.

    I have been following the procedures for forest recovery per doc downloaded from MS.

    The backups were taken using ntbackup and they are the latest. ntbackups are ad aware as far as I know. Please comment.


    - thestriver

    Friday, April 13, 2012 8:56 AM
  • Configuring a DC from a clone/snapshot/image is not recommended. You can configure a DC in a virtual environment, however care should be taken. For DC virtualization, note that it is recommended to have at least one physical DC / DNS / GC server that holds all FSMO roles.

    How to Virtualize Active Directory Domain Controllers:
    http://blogs.technet.com/b/askds/archive/2010/06/10/how-to-virtualize-active-directory-domain-controllers-part-1.aspx
    http://blogs.technet.com/b/askds/archive/2010/06/15/how-to-virtualize-active-directory-domain-controllers-part-2.aspx
    http://blogs.technet.com/b/vikasma/archive/2008/07/24/hyper-v-best-practices-quick-tips-2.aspx

    However, care should be taken in how to restore a virtualized Domain Controller and prevent USN Rollback. Refer to the link below for the same:
    http://sandeshdubey.wordpress.com/2011/10/02/how-to-restore-a-virtualized-domain-controller-and-prevent-usn-rolllback/

    Regarding the DR, as already mentioned you can configure an ADC and you can tweak the weight and priority of the DC.
    Reference link: http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/f910fdeb-8e95-4837-a9af-1fdff6c6b332

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    • Marked as answer by thestriver Friday, April 13, 2012 10:04 AM
    Friday, April 13, 2012 9:17 AM
  • Hello,

    i never said that "...here is correct that virtualization may not be good for Dc's.".

    There is no problem running DCs as VMs, or even using a completely virtualized environment. Actually I have different domains with fully virtualized domains, mixed ones and pure hardware domains, and this isn't a problem.

    Important, and that is what we all state here, is that CLONING or working with SNAPSHOTs and then trying to use production machines on the cloned domain is a really bad idea, and just cloning DCs is NOT supported.

    If you need a lab system use a clone and NEVER reconnect it to a production domain; this is what lots of people do BUT ONLY WITH TEST SERVERS AND CLIENTS to have an option to see what happens BEFORE installing new applications/programs/server roles into the production network.

    -----

    "Then, their SID's were changed with a sid changing utility." The ONLY supported way to handle this is using SYSPREP http://support.microsoft.com/kb/314828 and the unsupported sysprep scenarios are listed here: http://support.microsoft.com/kb/828287

    If the "other" domain is built completely new and the DCs are restored from AD aware backups then you still cannot connect the domains as easily as you think. Basically you have the same server/computer/user name twice BUT with DIFFERENT information; one example is the passwords.

    If you need a DR option use forest recovery as one and have at least one DC in a different location that is DNS/GC but NOT used from any domain machine on the NIC and is replicating with the normal domain to be up to date.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    • Marked as answer by thestriver Friday, April 13, 2012 10:04 AM
    Friday, April 13, 2012 9:21 AM
  • Thanks everybody. I have 2 scenarios now:

    1) Lag site looks like a good option at this point, also the option of keeping a remote dc and not pointing clients to it.

    2) So my obvious question is: In a scenario where, owing to natural calamity, physical damage has happened and nothing could be salvaged, can I follow the forest recovery doc from MS completely? I mean, do I still have to reset the krbtgt pwd, clean up metadata, reset trust pwd, assuming other points in the document are followed to the dot, as recovery will take place on different h/w systems.

    Which scenario is the better one, in such a natural calamity?


    - thestriver

    Friday, April 13, 2012 9:48 AM
  • Hello,

    with the correct AD aware backup available, option 2 is the way to go. As the lag site article stated, it is not recommended to use it, even though it will work.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    • Marked as answer by thestriver Friday, April 13, 2012 10:25 AM
    Friday, April 13, 2012 10:15 AM
  • Well...since ours is a virtualized forest...I think I will create a drp with both points included. Daily ad aware backups and 7 day lag dr sites for every one DC in each domain in the forest. And we can afford the lag sites cost-wise as these are vm's.

    I will post a few days later when we start the activity, if I face further issues.

    Thanks a lot, Gentlemen. Have a good day ahead...


    - thestriver

    Friday, April 13, 2012 10:23 AM
  • Just thought of adding this: lag sites are being thought to be used for scenarios where there could be forest/domain/child domain outages. The AD aware backups are being thought to be used for object deletions, DNS corruption, GPO and SYSVOL issues.

    So, both have their place in the DRP for a multi-site forest config. Was wondering though if replication can be stopped in the lag site by stopping the KDC and Netlogon services. How can I prevent users from logging in using the lag site DC's? Any KB articles that talk about this?

    Thanks in advance.


    - thestriver

    Friday, April 13, 2012 11:11 AM
  • Hi,

    I would not recommend stopping the replication in any way. Is there any reason?

    For the authentication: do not set DNS on domain members to point to the lag site DC, and check the article below on how to control the client authentication requests that are processed by the PDC emulator.
    MS article: http://technet.microsoft.com/en-us/library/cc737541%28WS.10%29.aspx


    Best Regards,

    Abhijit Waikar.
    MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Saturday, April 14, 2012 5:06 AM
  • Hello,

    you can work with server weights and priorities for the DNS settings and exclude the lag site DCs completely from the DNS servers provided on domain members' NICs.

    http://technet.microsoft.com/en-us/library/cc778225(v=ws.10).aspx and http://technet.microsoft.com/en-us/library/cc781155(v=ws.10).aspx

    Do not stop replication between DCs, if for whatever reason you forget to enable it inside the tombstone lifetime you have to demote and promote them again to have them correct in sync again.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Saturday, April 14, 2012 11:04 AM
  • First of all, I would not recommend stopping replication between the main site and DR site DCs. As already mentioned, if you don't want the DR server used for user authentication unless and until the main site DC goes down, you can tweak the weight and priority of the DC.

    Reference link:http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/f910fdeb-8e95-4837-a9af-1fdff6c6b332

    Hope this helps

    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.



    Saturday, April 14, 2012 2:42 PM
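Abhijit, Meinolf and Sandesh all recommend keeping domain members away from the lag-site DCs through DNS rather than by pausing Netlogon or stopping replication. The script below is an added example, not code from any of the posts or from the linked TechNet articles; it sets the two Netlogon registry values those articles describe, LdapSrvPriority and LdapSrvWeight, on a lag-site DC and then reads the domain's _ldap._tcp.dc._msdcs SRV records back so you can confirm the lag DC now sorts behind the production DCs. The chosen values (priority 200, weight 0), the function names and the domain name corp.example.com are assumptions.

```powershell
# Added example (not from the thread): make a lag-site DC the last choice of the
# DC locator by lowering the preference of the SRV records it registers.
# Run Set-LagSiteDcSrvPreference in an elevated session on the lag-site DC itself.
function Set-LagSiteDcSrvPreference {
    param(
        [int]$Priority = 200,   # higher number = less preferred (Netlogon default is 0)
        [int]$Weight   = 0      # share of load among DCs of equal priority (default 100)
    )
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    Set-ItemProperty -Path $key -Name 'LdapSrvPriority' -Value $Priority -Type DWord
    Set-ItemProperty -Path $key -Name 'LdapSrvWeight'   -Value $Weight   -Type DWord
    # Netlogon re-registers its SRV records with the new values when it restarts;
    # "nltest /dsregdns" triggers the same re-registration without a restart.
    Restart-Service -Name Netlogon
}

# Read the DC locator records for the domain and show every DC's preference.
# Resolve-DnsName needs Windows 8 / Server 2012 or later on the querying host;
# on older hosts "nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>" shows the same.
function Get-DcSrvPreference {
    param([Parameter(Mandatory=$true)][string]$DomainFqdn)
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainFqdn" -Type SRV |
        Where-Object { $_.Type -eq 'SRV' } |
        Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
        Select-Object NameTarget, Priority, Weight, Port
}

# Usage (assumed domain name): the lag DC should appear last, with Priority 200.
# Set-LagSiteDcSrvPreference -Priority 200 -Weight 0
# Get-DcSrvPreference -DomainFqdn 'corp.example.com' | Format-Table -AutoSize
```

Priority and weight only steer the DC locator; a client that is placed in the lag DC's own AD site will still prefer it, so keep production subnets out of that site, and, as Meinolf says, leave the lag DC out of the DNS server list on members' NICs.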
  • Thanks, Gents.

    I was creating the lag/dr site all night and today as well. So was a bit engrossed. Following is the run down:

    > Have created lag site with 1 dc for every 1 all role holder dc (except GC) in each domain of our only forest.

    > Set schedule of replication between Lag site and Prod site once every 7 days, every Sunday at 12 midnight.

    > Disabled outbound replication from Lag DC's using Repadmin.

    > Paused Netlogon service on Lag DC's to prevent users logging in using them.

    > Re-Scheduled backup of SystemState and C drive for every day midnight using TSM to tape library on the network.

    Questions:

    > Is this setup supported and good for a multi-site setup?

    > Is TSM a good backup product for AD backup and restore? Any known issues?

    Thanks!


    - thestriver

    Saturday, April 14, 2012 7:12 PM
  • Reasons for setting this up like this:

    > 1 dc for every all role holder for every domain in only forest: Like I said yesterday, the final scope is to deliver a DR strategy for the customer. So, I have decided to incorporate both Lag site and Backup as part of DRP. Lag site would be used for all cases like forest/domain/child outage scenarios. Also, may be used for dns/sysvol/gpo/leaf deletion/corrupt cases as well, if backups from tape turn awry.

    TSM backups will only be used to recover dns/sysvol/gpo/leaf deletion/corrupt cases, if it is found the issue has indeed replicated to the lag sites as well.

    I personally feel, since we have to use TSM (Cx reqmt) for Backup and recovery purposes, and since I have had some very bitter experiences with forest/domain/child recovery using TSM backups, the idea to have a Lag site to recover in extreme cases of disaster like natural calamity, would be far better than using backups, that too TSM's even though they claim to be Ad-aware.

    So since, in our scenario, Lag sites would be used only when there is natural calamity, I have therefore set the replication latency for the max. possible 7 days, as a lower number is not required when daily backups will already be running.

    Outbound replication was disabled from all Lag DC's to prevent testing or invalid data getting into Prod env.

    Other points are self explanatory. Thanks!


    - thestriver

    • Marked as answer by thestriver Wednesday, May 16, 2012 12:36 PM
    Saturday, April 14, 2012 7:30 PM
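thestriver's final setup disables outbound replication on the lag DCs with repadmin and pulls inbound replication once every 7 days, and Meinolf's earlier warning is that replication left off beyond the tombstone lifetime forces a demote and re-promote. The check below is an added example, not code from the thread; it uses repadmin (the Server 2008 R2 or later version, run from a management host, since the /csv switch and the column names "Source DSA", "Naming Context", "Number of Failures" and "Last Success Time" are as that version emits them) plus an LDAP read of the forest's tombstoneLifetime to report how old the lag DC's last successful inbound replication is against both the lag interval and the tombstone lifetime, and which DSA options are set. The DC name LAGDC01, the 7-day threshold and the function name are assumptions.

```powershell
# Added example (not from the thread): replication health of a lag-site DC.
# Needs repadmin on the host running it and LDAP access to the DC.
function Test-LagSiteDcReplication {
    param(
        [Parameter(Mandatory=$true)][string]$DcName,
        [int]$LagDays = 7          # the inbound replication schedule chosen for the lag site
    )
    # Tombstone lifetime from the forest configuration; an unset attribute means
    # the pre-2003 SP1 default of 60 days.
    $rootDse = [adsi]"LDAP://$DcName/RootDSE"
    $dsObj   = [adsi]"LDAP://$DcName/CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $tsl     = if ($dsObj.tombstoneLifetime.Value) { [int]$dsObj.tombstoneLifetime.Value } else { 60 }

    # DSA options line looks like "Current DSA Options: IS_GC DISABLE_OUTBOUND_REPL".
    $options = (repadmin /options $DcName | Where-Object { $_ -match 'Current DSA Options' }) -replace '.*:\s*', ''

    # Inbound partner status in CSV form, one row per partition and source DC.
    $partners = repadmin /showrepl $DcName /csv | ConvertFrom-Csv
    $now = Get-Date
    $rows = foreach ($p in $partners) {
        $last = $null
        try { $last = [datetime]::Parse($p.'Last Success Time') } catch { }  # "(never)" or "0" stays $null
        $age = if ($last) { ($now - $last).TotalDays } else { [double]::PositiveInfinity }
        New-Object PSObject -Property @{
            Partition       = $p.'Naming Context'
            Source          = $p.'Source DSA'
            LastSuccess     = $last
            AgeDays         = [math]::Round($age, 1)
            Failures        = [int]$p.'Number of Failures'
            WithinLag       = ($age -le ($LagDays + 1))   # one day of slack around the weekly window
            WithinTombstone = ($age -lt $tsl)
        }
    }
    New-Object PSObject -Property @{
        DomainController  = $DcName
        TombstoneLifetime = $tsl
        DsaOptions        = $options
        OutboundDisabled  = ($options -match 'DISABLE_OUTBOUND_REPL')
        InboundDisabled   = ($options -match 'DISABLE_INBOUND_REPL')   # fatal for a lag site if ever set
        Partners          = $rows
    }
}

# Usage (assumed DC name):
# $r = Test-LagSiteDcReplication -DcName 'LAGDC01'
# $r | Format-List DomainController, TombstoneLifetime, DsaOptions, OutboundDisabled, InboundDisabled
# $r.Partners | Format-Table Partition, Source, LastSuccess, AgeDays, WithinLag, WithinTombstone -AutoSize
```

A partner row with WithinLag false means the weekly window was missed and should be investigated immediately; a row with WithinTombstone false is the case Meinolf describes, where the lag DC can no longer be brought back in sync by re-enabling replication and has to be demoted and promoted again.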