Q&A from the Active Directory - Disaster Recovery webcast!

  • Article

Hello All,

Here is the Q&A for the Active Directory - Disaster Recovery webcast!

Question: What stands for AD?
Answer: Active Directory

Question: What stands for DC and GC?
Answer: Domain Controller and Global Catalog Server

Question: Is there a way to change which attributes are not stripped from a principle when the principle is deleted in 2003?
Answer: yes --but this requires modification to the a class in the Schema which is generally not recommended

Question: can you show steps to disable inbound replication... show the lower in the directory tree
Answer: this will be demonstrated later but here it is: repadmin /options dc_name +DISABLE_INBOUND_REPL

Question: I ran into this scenario: 2 servers, (1) Windows 2000 SP4, (1) Windows 2003 SP1. 2003 server RAID crashed; Reload Win2003 to get server back up enough to run tape restore, run tape restore w/ system state included, rebooted. Now 2003 server cannot access 2000 server using UNC, get "permission denied". Able to access via \\192.168.1.123\sharename. What happened?
Answer: if you can access the share by IP and not by name then that tells me that Kerberos is not working. Look at anything that would cause Kerberos failures such as time sync issues bad machine account password here is a good link for troubleshooting these issues: https://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

Question: can the 60 day/ 180 days be increased?
Answer: yes, the change needs to be made on the configuration partition via adsiedit 1. In the Adsiedit tool, expand Configuration DomainControllerName, expand CN=Configuration, DC=ForestRootDomain, expand CN=Services, expand CN=Windows NT, right-click CN=Directory Service, and then click Properties. 2. Click the Attribute tab. 3. In the Select which properties to view list, click Optional. 4. In the Select a property to view list, click TombstoneLifetime. 5. In the Edit Attribute box, type the number of days that you want to set it to, click Set, and then click OK. Just don't decrease the value ---if you set it too low you will run into problem with Lingering Objects

Question: but if it is a fresh 2003 install, then lvr is enabled by default?
Answer: Not until you go into native mode and 2003 forest functional mode, then after that LVR is enabled on new objects or on existing objects when it is mdoified

Question: my forrest is upgraded, how to make my groups LVR?
Answer: You will need to be at Windows Server 2003 Forest functional mode --see: https://support.microsoft.com/kb/322692

Question: Does the restore process with Windows Backup work the same with Veritas Backup Exec?
Answer: It is very similiar but I would recommend going to their site and walking through their article to ensure nothing has changed. Some screens are different. They do have a published article.

Question: How do I check system state is current?
Answer: repadmin.exe /showbackup dc_name Check out this informative post on that command: https://blogs.msdn.com/brettsh/archive/2006/02/09/528708.aspx

To watch the on-demand webcast, please visit: https://www.msusapartnerreadiness.com/WS_abstract.asp?eid=15004864

Thanks,

BoB