AD - disaster recovery

[Ziek]

Question:

If I am testing tape restore of AD into an isolated environment, where I
will also restore clients/member servers,etc.. I have only one domain in
the forest.

Do I necessarily have to seize all the FSMO roles onto the one DC that I
decide to restore for this forest?

Do I have to increase the RID pool, as the forest recovery documenation
states?

And, how necessary is it to clean up metadata for DC's that I am not
restoring, since the test is to simply restore one DC, and verify that
users/clients/servers still function in the forest...

 

[ptwilliams]

Do I necessarily have to seize all the FSMO roles onto the one DC that I

decide to restore for this forest?

If you wish to run this test environment, it would be a good idea to seize
the FSMOs. You must also have this DC set as a GC and a DNS server. If
this is a long term test, you may want to do a metadata cleanup of the other
DCs (in the live environment).

Do I have to increase the RID pool, as the forest recovery documenation
states?

You don't have to, but might as well as there's a slight security hole with
restoring an old RID master.

And, how necessary is it to clean up metadata for DC's that I am not
restoring, since the test is to simply restore one DC, and verify that
users/clients/servers still function in the forest...

If you don't want the KCC complaining every 15 minutes and overloading your
event log then do this ;-)

Personally, for completeness and neatness, I would do this!

 

[Ziek]

Thanks Paul,

If this DC that we are restoroing in an isoloated environment will have a
new IP address, will this affect anything? Are there any extra steps that
should be performed to so that this DC can in fact use a new IP address,
since the isolated environment is to have different IP's assisgned to the
clients as a safetely measure to avoid any communication to production...

 

[Guest]

You'll need to make sure that this machine registers itself in DNS with the
new IP details --it should do this on startup, but is best done again
manually to be sure.

Ensure it points to itself and is listening on all IP addresses -not
specifically the old address (configured in DNS properties).

 

[Ziek]

Thanks again Paul.

One more q:

Lets say that the client would like to keep this DC in the DR site, and just
have it there all time doing testing and stuff. The client would also like
this DC to be kept up to date, therefore , if any major changes occur to the
directory in production, they would like the DC in DR to be "refreshed" with
the changes.

Does this necessitate doing a restore everytime I need to update the DC ?
Is there any easier way to manage changes in such a weird situation?

 

[Ziek]

btw, if i'm only restoring this one DC, do I even need to bother with
forcing an authoritative restore through ntdsutil? there will be no other
DCs restored, so seems like a waste..

 

[Ziek]

when doing a disaster recovery like this is it better to install a server
with the same name, then, before even dcpromo'ing, just reboot into
directory services restore mode, and restore the AD..

or is it better to first dcpromo, then boot into directory services restore
mode,and restore?

 

[ptwilliams]

You don't promote --ever! You just use the same name.

 

[ptwilliams]

There's no need to mark as authorative as there are no replication partners.

 

[ptwilliams]

It does, unless you are able to synchronise the two environments. I don't
know if this is possible, but it might be worth trying IIFP. I can't say if
this will work though, as the two are in fact the same.

This could be something to test though...

 

[Ziek]

why not promote?

I found that if I just install server with the same name and boot into
directory services restore mode, the restore will complete, but open reboot,
I have too many errors to list, including sysvol, frs, everything... I
basically don't have a functioning domain.

If I had dcpromo'd the new box first, and then booted into directory
services restore mode to do a restore, I don't get these problems..

 

[ptwilliams]

why not promote?

Because you are creating a DC and then destroying it (by restoring the
original) and not cleaning up after you.

I found that if I just install server with the same name and boot into
directory services restore mode, the restore will complete, but open
reboot, I have too many errors to list, including sysvol, frs,
everything... I basically don't have a functioning domain.

Are you restoring the full backup? You will sometimes get errors. You have
to work through them. They're likely name resolution issues. If only it
was that easy, eh...

If I had dcpromo'd the new box first, and then booted into directory
services restore mode to do a restore, I don't get these problems..

Then one has to ask what else you are doing differently? I'd assume the
restore changes the TCP/IP settings. Change them back...