Restoring AD Schema Authoritatively

SKM

Hi

The MS KB articles often say that authoritative restores of the Schema NC are
not supported.

1. What occurs if I perform an authoritative restore of a complete DB on a
DC? Does that mean the Domain and Configuration NC are authoritative on this
DC and get replicated FROM this DC, and the schema is not, i.e. partial
synchronisation occurs TO this DC for any schema changes since the backup
was taken?

2. How then can we restore the schema authoritatively? If there is no way to do
that, what do we do if we had a schema that is corrupted on all DCs in the
forest?

Thanks
 
Mike Aubert

1. Correct, most object attributes in the domain and configuration naming
context are marked as authoritative. Any changes to the schema are then
replicated to the restored domain controller.

2. The only way to restore the schema is to take the domain controllers for
which you have backups off the network, restore those domain controllers
from backup, demote all remaining domain controllers for which you do not
have backups, place the restored domain controllers back on the network, and
then promote any domain controllers that you demoted. However, any changes
made after the backups were taken will be lost.

The odds of the schema NC becoming corrupt on all domain controllers by
itself are slim to none. The major issue is when you are updating the
schema. When you modify the schema, such as when running adprep /forestprep,
it is recommended you take a backup of the schema master and then remove the
schema master from the network. With the schema master off the network you
can then make the schema changes on the schema master. If the schema is
updated successfully you can put the schema master back on the network.
However, if the schema does not update correctly, you can restore the schema
master from backup and then either try the schema modifications again or
forget about it and just put the schema master back on the network.

Mike

------------------------------------------------------------------
Mike Aubert
MCSE, MCSD, MCDBA
(e-mail address removed)

Note the "news2" in my email address is temporary and may be changed in the
future, remove it to email me at my Permanente address.
This posting is provided "AS IS" with no warranties, and confers no rights.
 
SKM

Mike

Regarding point 2, how can the schema extension be successful when the schema
master is offline? By design, we need to contact the schema master to do
the schema update first, which then replicates to the remaining DCs.
 
Mike Aubert

You don't have to have it turned off - you just have to unplug the schema
master from the network. Then you run whatever needs to update the schema
(e.g. adprep /forestprep) on the disconnected schema master. When you put
the schema master back on the network the schema changes will replicate to
the other domain controllers.

Mike

 
Joe Richards [MVP]

Actually it isn't recommended to remove the schema master from the network
anymore; in fact, if you are doing W2K3 forestprep you can run into issues.

The best thing to do is to put the schema master in a separate site with
replication link timing of like 6 days. Do not exceed one week though or
else it will be ignored. When you are ready to replicate you can use
repadmin /sync to do a manual pull into the main DCs.
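Whichever way the schema master is isolated while adprep /forestprep runs (unplugged, as Mike describes, or in its own site with a long replication interval and a manual repadmin /sync, as Joe describes), the step a practitioner wants before calling the update done is to confirm that every DC has converged on the same schema version and that schema-partition replication is healthy. The following PowerShell script is an added example, not something posted in this thread; it assumes the ActiveDirectory RSAT module and a Windows Server 2012 or later DC for Get-ADReplicationPartnerMetadata.

```powershell
# Added example: compare the Schema NC version and inbound schema replication
# state on every DC in the forest. Assumes the ActiveDirectory module (RSAT)
# and Server 2012+ for Get-ADReplicationPartnerMetadata.
Import-Module ActiveDirectory

# The schema version lives in objectVersion on the Schema NC head object;
# adprep /forestprep raises it, so every DC should end up on the same value.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$report = foreach ($dc in $dcs) {
    try {
        # Read the version as stored on this particular DC, not the nearest one.
        $ver = (Get-ADObject -Identity $schemaNC -Server $dc `
                    -Properties objectVersion -ErrorAction Stop).objectVersion
        # Inbound replication metadata for the Schema partition only.
        $meta = Get-ADReplicationPartnerMetadata -Target $dc -Partition Schema `
                    -ErrorAction Stop
        $last = ($meta | Sort-Object LastReplicationSuccess |
                 Select-Object -Last 1).LastReplicationSuccess
        $failures = ($meta | Measure-Object ConsecutiveReplicationFailures -Sum).Sum
    } catch {
        # Unreachable DC: report it rather than silently skipping it.
        $ver = $null; $last = $null; $failures = $null
    }
    [pscustomobject]@{
        DC            = $dc
        SchemaVersion = $ver
        LastInbound   = $last
        Failures      = $failures
    }
}

$report | Format-Table -AutoSize

# A DC still reporting the old version has not yet pulled the schema change;
# more than one distinct version means the forest has not converged.
$versions = $report.SchemaVersion | Where-Object { $_ } | Sort-Object -Unique
if ($versions.Count -gt 1) {
    Write-Warning ("Schema versions differ across DCs: {0}" -f ($versions -join ', '))
} elseif ($report | Where-Object { $_.SchemaVersion -eq $null }) {
    Write-Warning "Some DCs could not be queried; see the table above."
} else {
    Write-Host "All DCs report schema version $versions"
}
```

Run it once before the schema master is reconnected or synced (every DC should still show the old version) and again afterwards, when a single version and zero consecutive failures confirm the change replicated cleanly.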
 
Mike Aubert

Hey Joe,

Well, that's the last time I make any recommendation after reading
support.microsoft.com! ;)

Cannot Promote a Windows Server 2003 Domain Controller into a Windows 2000
Forest
http://support.microsoft.com/?id=278875

Step 4: Disconnect the schema master from the network. Do not reestablish
the connection until step 8 in this procedure.

But I did find the KB article that corrects this in Help and Support:

Windows Server 2003 Help Files Contain Incorrect Information About How to
Update a Windows 2000 Domain
http://support.microsoft.com/?id=821076

So, it looks like 278875 needs to be updated... time to email MS.

Mike
 
