Restoring an OU question? Did I answer this correctly?

stark107

I recently had to answer a question on a test that I'm not sure I
answered very well. The question stated that an OU had been
accidentally deleted and I was to list/explain how to recover from this
situation but to take into account certain criteria. Namely, there
should no data loss, the users could live with the current situation
for 24 hours and the Kerberos Distribution Center unavailability should
be minimal.

I answered that an authoritative restore of the OU should be performed
(stopping the KDC first) and replication forced as soon as the restore
was completed. I can't help thinking the answer should have been more
exhaustive than that.

What more could I have said?
 
Jmnts

You should say that, first of all, the server needs to be restarted in
Directory Services mode, then a non-authoritative restore must be done using
a system state backup, then reboot the server again in Directory Services mode
and, using ntdsutil, you can mark the OU as authoritative using the DN
(DistinguishedName) with the syntax:

ntdsutil
authoritative restore
restore subtree DistinguishedName
restore subtree "OU=ou_name,DC=domainname,DC=com"
quit (to exit ntdsutil)
 
stark107

Yes, I pretty much said that although not quite in so much detail but I
was thrown by the Kerberos thing (not having had a great deal of
experience with it). What was the relevance of the comments that the
KDC availability should be minimised?
 
Herb Martin

> I recently had to answer a question on a test that I'm not sure I
> answered very well. The question stated that an OU had been
> accidentally deleted and I was to list/explain how to recover from this
> situation but to take into account certain criteria. Namely, there
> should no data loss, the users could live with the current situation
> for 24 hours and the Kerberos Distribution Center unavailability should
> be minimal.
>
> I answered that an authoritative restore of the OU should be performed
> (stopping the KDC first) and replication forced as soon as the restore
> was completed. I can't help thinking the answer should have been more
> exhaustive than that.
>
> What more could I have said?

Mostly details (if allowed on an exam).

First, ALL "authoritative restores" BEGIN with a
(so-called) NON-authoritative restore.

In fact, "authoritative restore" is misnamed since it
RESTORES NOTHING -- it merely MARKS the
restored records as being authoritative on the particular
DC so they won't get overwritten/deleted again.

Second, the restores must take place in "Directory
Services Restore mode".

And perhaps, mentioning that NTDSUtil is the tool used
for the authoritative marking of the database.
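As an added example (not from any poster in this thread), the marking and replication steps described above as a PowerShell script. It assumes Windows Server 2008 or later (hence the "activate instance ntds" line), that the non-authoritative system state restore has already been completed on this DC, and the placeholder DN OU=Sales,DC=example,DC=com.

```powershell
# Added example, not from this thread. Run with -Phase Mark while the DC is
# still booted in Directory Services Restore Mode (after the non-authoritative
# system state restore), reboot normally, then run again with -Phase Replicate.
param(
    [string]$OuDn = 'OU=Sales,DC=example,DC=com',   # placeholder DN of the deleted OU
    [ValidateSet('Mark', 'Replicate')][string]$Phase = 'Mark'
)

if ($Phase -eq 'Mark') {
    # Windows sets SAFEBOOT_OPTION=DSREPAIR when booted into DSRM. Refuse to
    # run the marking step anywhere else: ntdsutil needs the database offline.
    if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
        throw 'Not in Directory Services Restore Mode; reboot into DSRM first.'
    }
    # "restore subtree" restores nothing by itself; it raises the version numbers
    # of the OU and everything beneath it so that, on replication, these copies
    # win over the deletion held by every other DC. The DN is wrapped in escaped
    # quotes so an OU name containing spaces is still passed as one argument.
    & ntdsutil.exe 'activate instance ntds' 'authoritative restore' `
        "restore subtree `"$OuDn`"" quit quit
    Write-Host "Marked $OuDn authoritative. Reboot normally, then run -Phase Replicate."
}
else {
    # Back in normal mode: push the restored subtree to all partners now rather
    # than waiting for the replication schedule (/A all partitions, /d show DNs,
    # /e cross-site, /P push), then confirm the OU is visible again.
    & repadmin.exe /syncall /AdeP
    Import-Module ActiveDirectory
    Get-ADOrganizationalUnit -Identity $OuDn | Select-Object DistinguishedName, Name
}
```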
 