During one of the AD Q&A sessions at TechED IT Forum I was kind of surprised that people did not know about a simple "save your a$$ method" for when recovery of objects is needed, especially objects that contain back-links.

The recovery of objects is explained in MS-KBQ840001

Basically it is a PITA to recover deleted objects (and above all their group memberships) when you have:

  • Windows 2000 AD: "Linked Value Replication" (LVR) is not supported.
  • Windows 2003 AD (no SP1 or higher DCs) at a Forest Functional Level (FFL) lower than "Windows Server 2003": LVR is not supported.
  • Windows 2003 AD (no SP1 or higher DCs) at FFL "Windows Server 2003": LVR is only available for linked attribute values (e.g. member/memberOf) where the link was established AFTER the FFL was raised to "Windows Server 2003". Links established BEFORE that are still stored as legacy (non-LVR) links, so LVR is not available when recovering objects that hold such links.


In all of these scenarios it gets even harder in a multi-domain AD forest. For the last scenario one workaround (ONLY for the purpose of recovering those specific objects) is to retrieve the current list of values in the linked attributes, remove them and write them back: values written while the FFL is "Windows Server 2003" are stored as LVR links, so LVR is then available when those objects with linked attributes (e.g. member/memberOf) need to be recovered. Keep in mind that between removing and re-adding the values the group memberships (and whatever access they grant) are gone, so do this in a maintenance window and verify the result afterwards.
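The "retrieve, clean and write back" step above, as an added example that is not part of the original post: a small Python script that builds the LDIF file you would feed to LDIFDE to delete a group's current member values by explicit value and re-add the same values, plus a parser to review the generated file before importing it. The group and member DNs are constructed sample data; the LDIFDE invocation in the docstring is the standard import syntax; whether the re-added values end up as LVR links depends on the FFL already being "Windows Server 2003", as described above, which the script cannot check.

```python
"""Rewrite a group's member values via LDIF so the links are re-created as
Linked Value Replication (LVR) links.

Added example, not from the original post.  All DNs are constructed sample data.
Usage on a Windows Server 2003 DC (standard ldifde syntax, assumed):
    python rewrite_links.py > rewrite_members.ldf
    ldifde -i -f rewrite_members.ldf
"""
import base64
from typing import Dict, List

# Constructed sample: the group and the member values retrieved from it beforehand.
SAMPLE_GROUP = "CN=FileServerAdmins,OU=Groups,DC=example,DC=com"
SAMPLE_MEMBERS = [
    "CN=Alice Adams,OU=Users,DC=example,DC=com",
    "CN=Bob Brown,OU=Users,DC=example,DC=com",
    "CN=Carol Chen,OU=Users,DC=example,DC=com",
]


def _ldif_line(attr: str, value: str) -> str:
    """Emit 'attr: value', or 'attr:: base64' where LDIF (RFC 2849) requires it."""
    needs_b64 = (not value.isascii() or value[:1] in (" ", ":", "<")
                 or "\n" in value or "\r" in value)
    if needs_b64:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def rewrite_links_ldif(group_dn: str, members: List[str], attr: str = "member") -> str:
    """Build two modify records: delete the listed values, then add them back.

    Deleting by explicit value (instead of a bare 'delete: member') means the
    file only ever touches the values you exported, never a member added later.
    The group is empty between the two records, so import in a maintenance window.
    """
    if not members:
        raise ValueError("member list is empty; nothing to rewrite")
    if len(set(members)) != len(members):
        raise ValueError("duplicate member values; ldifde would reject the add")
    records = []
    for op in ("delete", "add"):
        lines = [_ldif_line("dn", group_dn), "changetype: modify", f"{op}: {attr}"]
        lines.extend(_ldif_line(attr, m) for m in members)
        lines.append("-")  # terminates the modification in LDIF
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


def parse_ldif_modifies(text: str) -> List[Dict[str, object]]:
    """Parse the records produced above (one modification per record) for review."""
    parsed = []
    for block in text.strip().split("\n\n"):
        rec: Dict[str, object] = {"dn": "", "op": "", "attr": "", "values": []}
        for line in block.splitlines():
            if line == "-":
                continue
            key, _, raw = line.partition(":")
            # 'attr:: xxx' is a base64-encoded value, 'attr: xxx' is plain
            value = (base64.b64decode(raw[1:].strip()).decode("utf-8")
                     if raw.startswith(":") else raw.strip())
            if key == "dn":
                rec["dn"] = value
            elif key == "changetype":
                if value != "modify":
                    raise ValueError(f"unexpected changetype {value!r}")
            elif key in ("add", "delete", "replace"):
                rec["op"], rec["attr"] = key, value
            elif key == rec["attr"]:
                rec["values"].append(value)
            else:
                raise ValueError(f"unexpected line {line!r}")
        parsed.append(rec)
    return parsed


def review(group_dn: str, members: List[str]) -> bool:
    """Sanity check before import: the file must delete exactly the exported
    values and add exactly the same ones back, in that order, on that group."""
    recs = parse_ldif_modifies(rewrite_links_ldif(group_dn, members))
    return ([r["op"] for r in recs] == ["delete", "add"]
            and all(r["dn"] == group_dn and r["attr"] == "member" for r in recs)
            and all(r["values"] == members for r in recs))


if __name__ == "__main__":
    if not review(SAMPLE_GROUP, SAMPLE_MEMBERS):
        raise SystemExit("generated LDIF failed review")
    print(rewrite_links_ldif(SAMPLE_GROUP, SAMPLE_MEMBERS), end="")
```

Run the import without the -k switch: if a member was removed from the group between your export and the import, the explicit-value delete fails and LDIFDE stops instead of silently skipping records, which is what you want when the file is about to touch group memberships.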


To make recovery of objects with linked attributes a lot easier in the scenarios mentioned above, it suffices to introduce at least ONE W2K3 SP1 DC (or higher). Why? Because when objects are authoritatively restored with NTDSUTIL on a W2K3 SP1 DC (or higher), and those objects have back-link attributes with values (e.g. the group memberships of a restored user), NTDSUTIL also produces LDIF file(s) containing those links and a TXT file listing the restored objects. After the DC has been rebooted into normal mode, import the LDIF file(s) with LDIFDE to re-establish the links in that domain. In a multi-domain AD forest, copy the TXT file to a W2K3 SP1 DC (or higher) in each of the other domains and use the "create ldif file(s) from" command in NTDSUTIL's authoritative restore context there to generate the LDIF file(s) for the links held in those domains, then import them on those DCs.

So, if you are in one of the scenarios mentioned above and you want to make recovery of objects a lot easier, make sure to introduce at least one W2K3 SP1 DC (or higher) that is also a GC in each AD domain in the AD forest. If you still have a W2K AD, you need to extend the AD schema first (with ADPREP). For that check out "What information is available when UPGRADING from W2K/E2K to W2K3(R2)/E2K3".


Cheers,

Jorge

--------------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
--------------------------------------------------------------------------------------------------
############### Jorge's Quest For Knowledge ###############
######## http://blogs.dirteam.com/blogs/jorge/default.aspx #########
--------------------------------------------------------------------------------------------------