List Archives
This forum is an archive of all posts to our mailing list over the past few years. The forum is set read-only, so to contribute you will need to join our list community. See more info about this here.

When subscribed to the list you should use your standard email client to send your posts to ActiveDir@mail.activedir.org.

Subject: [ActiveDir] AD Lag Sites
abagnale_lists

Posts:16

03/03/2006 3:30 AM  
Message body was not found.
ZJORZ

Posts:389

03/03/2006 3:41 AM  
well yes....

OR

create subnet definitions of the IP addresses of the DCs...

Let's say you have 2 DCs in the lag site and 4 in the "normal" site:
DC01: 10.1.1.1/24
DC02: 10.1.1.2/24
DC03: 10.1.1.3/24
DC04: 10.1.1.4/24
DC05: 10.1.1.5/24
DC06: 10.1.1.6/24

For the DCs in the normal site you create the subnet 10.1.1.0/24 and assign it to that normal site.
For the DCs in the lag site you create the "subnets" 10.1.1.1/32 & 10.1.1.2/32 and assign them to that lag site.

jorge



From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Frank Abagnale
Sent: Friday, March 03, 2006 16:29
To: Active
Subject: [ActiveDir] AD Lag Sites

Single Forest, Single Domain, W2K3 FFL

I am thinking about setting up a lag site for DR purposes.

Just for clarification purposes, would I need a separate IP subnet, i.e. an IP subnet that isn't assigned to any other site in AD, to create this?

All my existing IP subnets are assigned to existing sites which are used for normal replication, so I am assuming my question will result in a yes.

Does anyone have any recommended guides to follow?

thanks frank


Relax. Yahoo! Mail virus
scanning helps detect nasty viruses!
eyes2sky@xxxx.yyy

03/03/2006 3:49 AM  
Here's a good explanation of the setup.
http://www.windowsitpro.com/Windows/Articles/ArticleID/42932/pg/1/1.html

You are required to somehow isolate the delayed servers in a unique site to control the replication window. The subnet scope can be as narrow as the IP address of the DC.
The last setup I used was 2 delayed DCs running on Virtual Server, each with a 7 day replication lag. This allowed us to restore objects deleted up to 14 days ago.

John Roberts
JLR Technology Solutions
lists1

Posts:6

03/03/2006 4:00 AM  
As Jorge mentioned, you do not have to follow your physical subnets for lag sites. Usually you would use that as a guideline, but for lag sites you can do a sub-subnetting. AD replication does not care about the physical structure or TCP/IP settings (subnet mask, default gateway) - it just cares what you have configured in the sites and subnets and what IP the DC is using. So in a 10.1.x.x network you could configure all servers with 10.1.x.x IP addresses with a subnet mask of 255.255.0.0; however, you keep all servers in one lag site in the same "virtual subnet" 10.1.9.x and all production servers in 10.1.1.x - 10.1.8.x. Remember that all have the default gateway and subnet mask for 10.1.x.x. But now you create the virtual subnets in AD, and join 10.1.1.x - 10.1.8.x to the production site, and 10.1.9.x to the lag site. AD replication will do what you wanted it to do, even without the need for routing.

However - and this was the main reason why I wanted to follow up on this - remember that one lag site might not be enough. Imagine you configure your lag site to replicate every Thursday 6pm. So if someone makes an error deleting a whole OU on e.g. Tuesday, you recognize it on Wednesday and are able to roll back this OU (authoritative restore on the lag site, then force replication). However, if someone deletes an OU on Thursday, and you recognize it on Friday (or even Thursday 7pm), you have to restore a server from tape first, because your only lag site has already replicated that deletion.

What I prefer is creating two lag sites, one which replicates in the middle of the week and one which replicates on the weekend. No matter when the error is made (even right before replication of one of the lag sites), we always have an at least half-week-old copy of the AD in one of the lag sites. And I've even heard from someone using seven lag sites, one for every day of the week. Perhaps he's jumping into this thread later ;-)

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D




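The schedule arithmetic behind Ulf's point (one lag site replicating Thursday 6pm versus one mid-week and one weekend site), as an added PowerShell example that is not part of the thread. It needs no domain: each lag site is modelled as a single weekly replication instant, the deletion/detection dates are constructed around the thread's week (Friday 2006-03-03), and the function names are hypothetical.

```powershell
# Added example, not from the thread: replay Ulf's scenarios to see which lag
# site still holds a pre-deletion copy. Each lag site is modelled as one weekly
# replication instant (day + hour). A lag DC still has the deleted object at
# detection time only if no replication window fell between deletion and
# detection. Dates are constructed around the thread's week (Fri 2006-03-03).

function Get-NextReplication {
    # First weekly replication instant strictly after $After.
    param(
        [Parameter(Mandatory)][datetime]$After,
        [Parameter(Mandatory)][DayOfWeek]$Day,
        [Parameter(Mandatory)][int]$Hour
    )
    $candidate = $After.Date.AddHours($Hour)
    while ($candidate.DayOfWeek -ne $Day -or $candidate -le $After) {
        $candidate = $candidate.AddDays(1)     # converges within 8 steps
    }
    return $candidate
}

function Test-LagCopyAvailable {
    # True when the lag site has not yet replicated the deletion by $DetectedAt,
    # i.e. the object can still be authoritatively restored from it.
    param(
        [Parameter(Mandatory)][datetime]$DeletedAt,
        [Parameter(Mandatory)][datetime]$DetectedAt,
        [Parameter(Mandatory)][DayOfWeek]$ReplicationDay,
        [Parameter(Mandatory)][int]$ReplicationHour
    )
    if ($DetectedAt -le $DeletedAt) { throw 'Detection must come after the deletion.' }
    $next = Get-NextReplication -After $DeletedAt -Day $ReplicationDay -Hour $ReplicationHour
    return ($next -gt $DetectedAt)
}

function Get-LagCoverage {
    # One row per lag site: does a usable copy survive at detection time?
    param(
        [Parameter(Mandatory)][hashtable]$Sites,      # name -> @{ Day = ..; Hour = .. }
        [Parameter(Mandatory)][datetime]$DeletedAt,
        [Parameter(Mandatory)][datetime]$DetectedAt
    )
    foreach ($name in ($Sites.Keys | Sort-Object)) {
        $s = $Sites[$name]
        [pscustomobject]@{
            LagSite   = $name
            Window    = '{0} {1:00}:00' -f $s.Day, $s.Hour
            HoldsCopy = Test-LagCopyAvailable -DeletedAt $DeletedAt -DetectedAt $DetectedAt `
                            -ReplicationDay $s.Day -ReplicationHour $s.Hour
        }
    }
}

# Ulf's single Thursday-18:00 site versus his mid-week + weekend pair
$oneSite  = @{ 'Lag-Thu' = @{ Day = 'Thursday';  Hour = 18 } }
$twoSites = @{
    'Lag-Wed' = @{ Day = 'Wednesday'; Hour = 18 }
    'Lag-Sun' = @{ Day = 'Sunday';    Hour = 18 }
}

# Constructed scenarios taken from Ulf's description
$scenarios = @(
    @{ Label = 'Deleted Tue 14:00, noticed Wed 10:00'; Deleted = [datetime]'2006-02-28 14:00'; Detected = [datetime]'2006-03-01 10:00' }
    @{ Label = 'Deleted Thu 10:00, noticed Fri 09:00'; Deleted = [datetime]'2006-03-02 10:00'; Detected = [datetime]'2006-03-03 09:00' }
    @{ Label = 'Deleted Wed 17:00, noticed Thu 09:00'; Deleted = [datetime]'2006-03-01 17:00'; Detected = [datetime]'2006-03-02 09:00' }
)

foreach ($sc in $scenarios) {
    "== $($sc.Label) =="
    foreach ($plan in ([ordered]@{ 'One lag site' = $oneSite; 'Two lag sites' = $twoSites }).GetEnumerator()) {
        $rows = Get-LagCoverage -Sites $plan.Value -DeletedAt $sc.Deleted -DetectedAt $sc.Detected
        "$($plan.Key): " + (($rows | ForEach-Object { "$($_.LagSite)=$($_.HoldsCopy)" }) -join ', ')
    }
}
```

The second scenario is the one Ulf warns about: the Thursday deletion crosses the single site's Thursday window before anyone notices, so `Lag-Thu` reports `False`, while in the two-site plan both `Lag-Wed` and `Lag-Sun` still hold the object. In the third scenario the Wednesday site has already replicated the deletion but the Sunday site has not, which is the "at least one copy survives" property he relies on. A replication instant that coincides exactly with detection time is treated as already replicated.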
AD000001290

Posts:0

03/03/2006 4:02 AM  
Ideally, you would place the DR DCs in a separate DR
location (for obvious reasons) which would have its own set of subnets
assigned. This approach caters for true DR as well as object recovery from a lag
site.

If not possible, then Jorge's approach will work (although
true DR is not catered for IMO).

Are you trying to design for full DR or just recovery of
objects via a lag site (or both)?

neil
ZJORZ

Posts:389

03/03/2006 4:19 AM  
7 lag sites? holy sh*t!
would it be much cheaper to use a solution that can undelete the deleted objects and restore (push back) the attributes?

jorge



bdesmond

Posts:996

03/03/2006 4:52 AM  
Pizza boxes are available from Dell for like under 2 grand rack rate most days, so that's probably questionable.



Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c - 312.731.3132
bdesmond

Posts:996

03/03/2006 4:59 AM  
You can also just define /32 aka host subnets. So you create Lag Site 1, and subnet 10.1.2.3 255.255.255.255 (the IP of your lag DC).



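How the host-subnet approach that Jorge, John and Brian describe is configured with today's tooling, as an added example that is not from the thread or its authors. It assumes the ActiveDirectory PowerShell module (which did not exist for Windows Server 2003; it ships with RSAT on current Windows), a domain-joined admin host with rights to edit the Configuration partition, and constructed site and link names; the two DC addresses are Jorge's DC01/DC02.

```powershell
using namespace System.DirectoryServices.ActiveDirectory
# Added example, not from the thread: isolate two lag DCs with /32 host subnets
# and give their site a single weekly replication window. Assumes the
# ActiveDirectory module (RSAT), a domain-joined admin host, and rights to edit
# the Configuration partition. Site/link names and the Thursday 18:00 window are
# constructed; 10.1.1.1 and 10.1.1.2 are Jorge's DC01/DC02 from the thread.
Import-Module ActiveDirectory

$lagSite  = 'LagSite-Thu'              # assumed site name
$prodSite = 'Default-First-Site-Name'  # assumed production site name
$linkName = "$prodSite-to-$lagSite"    # assumed site-link name
$lagDcIPs = @('10.1.1.1', '10.1.1.2')  # DC01/DC02 from the thread

# 1. The lag site. A site created this way belongs to no site link yet, so
#    nothing replicates to it until step 3 opens a window.
New-ADReplicationSite -Name $lagSite -Description 'Delayed-replication site for object recovery'

# 2. Host subnets. Site lookup takes the longest matching prefix, so a /32
#    wins over the production 10.1.1.0/24 for exactly these two addresses;
#    every other 10.1.1.x host keeps mapping to the production site.
foreach ($ip in $lagDcIPs) {
    New-ADReplicationSubnet -Name "$ip/32" -Site $lagSite -Description "Lag DC $ip"
}

# 3. Weekly window. A new ActiveDirectorySchedule has every 15-minute slot
#    cleared; only the slots marked here (Thursday 18:00-18:59) allow replication.
$schedule = [ActiveDirectorySchedule]::new()
$schedule.SetSchedule([DayOfWeek]::Thursday,
                      [HourOfDay]::Eighteen, [MinuteOfHour]::Zero,
                      [HourOfDay]::Eighteen, [MinuteOfHour]::FortyFive)

#    Only this link connects the lag site; it is deliberately not a member of
#    DEFAULTIPSITELINK, whose default schedule is "always".
New-ADReplicationSiteLink -Name $linkName -SitesIncluded $prodSite, $lagSite `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP `
    -ReplicationSchedule $schedule

# 4. Read back what was created.
Get-ADReplicationSubnet -Filter * |
    Where-Object { $_.Site -like "CN=$lagSite,*" } |
    Select-Object Name, Site
Get-ADReplicationSiteLink -Identity $linkName |
    Format-List Name, SitesIncluded, Cost, ReplicationFrequencyInMinutes
```

After the Netlogon service on each lag DC restarts, `nltest /dsgetsite` run on that DC should report the lag site name. Two points the thread implies but does not spell out: first, DCs in the same site replicate with each other within minutes, so each lag DC needs its own site (as in Ulf's two-site plan) or they all receive the deletion in the same window; second, a lag DC holds stale security state (an account disabled or a password changed this week is still in its old state there), so clients must never authenticate against it. The /32 subnets keep 10.1.1.0/24 clients mapped to the production site, but the lag DC still registers generic, non-site-specific DNS SRV records, and the usual hardening is to suppress those with the Netlogon `DnsAvoidRegisterRecords` setting on the lag DC.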
Tony

Posts:152

03/03/2006 7:01 AM  
I think Rick Kingslan did something like this with virtual machines. I'll ping him to see if he has any comment.

Tony
ZJORZ

Posts:389

03/03/2006 7:21 AM  
davidadner

Posts:0

03/03/2006 7:49 AM  
_____

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Almeida Pinto, Jorge de
Sent: Friday, March 03, 2006 1:20 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD Lag Sites

When talking about "a software solution to restore deleted objects" I know about:
Netpro's RestoreADmin
Quest's Recovery Manager for AD

I don't know the price of both products (I guess per managed object or something like that) but I would be interested in knowing where the break-even point is compared to a hardware solution.

And for a hardware solution you can use:
* just hardware, where you need at least 1 DC per domain in the lag site (for each day of the week that would be 7 DCs per domain) (not forgetting licensing for the server OS)
* hardware combined with software (e.g. ESX/GSX or Virtual Server) (not forgetting licensing for the server OS and the virtual solution)

I'm very interested in hearing what folks have chosen and how much it costs and of course why that particular solution. Of course don't forget to mention the type of environment and size.

but let's start by pinging Rick...

ping rick.kingslan.microsoft

;-)

jorge

lists1

Posts:6

03/03/2006 7:55 AM
Think virtualisation - where I've implemented lag-sites
they are running on VMs. The software solutions I was looking at at this point
were way more expensive than running 4 DCs virtualized on the same machine (1
root DC and one account DC per lag-site).

I do not agree that lag-sites need to run in a physically
separate site. I do agree that you want two datacenters which are physically
separate; however, if one DC burns down you usually do not need lag-sites (the
AD info is still in the other datacenter or in a branch), and if all datacenters plus
branches are burned down you don't need a lag-site - you need a working backup
which isn't burned.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D




From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Almeida Pinto, Jorge de
Sent: Friday, March 03, 2006 5:17 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD Lag Sites

7 lag sites? holy sh*t!
would it be much cheaper to use a solution that can undelete the deleted
objects and restore (push back) the attributes?

jorge



AD00000336

Posts:0

03/03/2006 8:00 AM
Agreed.

Not a big fan of the Lag-Site; I think it potentially has the ability to
create more problems. At least MS added some limited functionality in 2003;
now if they would just finish the job in Vista this topic might go to rest.
(Are you there Stewart?)

I do see value in Creative Subnetting when it comes to establishing multiple
sites on a physical network segment to get the KCC to replicate in a more
deterministic manner. Fun to do in the classroom too when teaching subnetting.

Todd Myrick



GuidoG

Posts:114

03/04/2006 7:56 AM
An important factor is missing in this discussion -
the opportunity and costs for leveraging lagsites highly depend on
your forest structure. Even though you can use virtualization to reduce
the number of physical boxes required to host a DC in a lagsite, you still need
to host at least one per domain. As was pointed out before, if your goal was to
recover from accidental deletions it certainly makes even more sense if you use
two per domain with overlapping schedules in different sites, so that you'd
theoretically always have a window of opportunity to recover the data from a
lagsite even if the changes (such as deletion of objects) have just been
replicated into one of the lagsites.

The number of domains in your forest will not only increase
the number of (physical or virtual) DCs you need to host in your lagsite(s), but
as soon as you have more than one domain, the work to be done to recover the
objects and its complexity increases dramatically due to the cross-domain
dependencies. You typically have to perform restore activities on a DC from
every domain (think "recovery of a user's group-membership" [1]). So what's
often fairly feasible for performing restores in a single domain forest can become
quite a pain point for multi-domain forests. In the end the full recovery of an
object involves so much work that you'd rather not do it if "just a simple
user" is accidentally deleted. VIP users may be an exception and so will
the deletion of a whole OU. This is where
I'd say online recovery tools (such as those offered by NetPro and Quest) make a
big difference - these will take care of restoring the objects in a domain incl.
the necessary cross-domain data and you wouldn't hesitate to use them even for
the least important user or group or many other objects.

Realize that no matter how many domains you have, a lagsite
can only protect you "so much" from accidental deletion. It doesn't offer full
protection from replicating unwanted changes into the lagsite - forced
replication doesn't care about a lagsite's schedule or about a disabled
connection object => you can still force bad changes into a lagsite anytime,
if the DCs are running and available on the NW. So you'd only gain real
protection by isolating the lagsite DCs from the NW (either done physically or
via some timed script that enables/disables the NIC).

This is not to say that I think lagsites (and specifically
running DCs in VMs in lagsites) shouldn't be used at all - you should just
realize that they may not be able to help for all DR occasions. They are still a
helpful tool to ensure a fast recovery from other failures, such as
site failures or potentially domain or forest failures (for single domain
forests even for object recovery). For multi-domain forests, they could well be
a part of your overall DR plan - but I also highly recommend checking out the
online recovery tools for those object (or attribute) recovery situations that
potentially happen more often.

/Guido


[1] If you're unaware of the issues with restoring group memberships in multi-domain
environments have a look at the following whitepaper:

http://www.netpro.com/forum/files/Active_Directory_Disaster_Recovery-Part-I.pdf




From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of David Adner
Sent: Friday, 3 March 2006 20:47
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD Lag Sites

I think you're trying to compare apples and oranges.
Yes, both solutions can help reduce the time it takes to perform a restore (given
a specific scenario), but that's basically it. Lag sites are single
snapshots based on the number of lag sites you deploy. The products you
mention below are true backup solutions that you could, if you wanted to,
perform hourly, daily, weekly, etc. backups, all of which can be restored as
needed. They also typically allow attribute-level
restores.

So if lag sites are N dollars and the software is Y dollars
it doesn't really say much. You need to evaluate your own restore
requirements and budget to determine what's best. It's my opinion most
customers don't need lag sites and that it's a distraction from the normal
backup processes they're probably failing to properly implement. But
that's just me.



From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Almeida Pinto, Jorge de
Sent: Friday, March 03, 2006 1:20 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD Lag Sites

When talking about "a software solution to restore deleted objects" I know about:
Netpro's RestoreADmin
Quest's Recovery Manager for AD

I don't know the price of both products (I guess per managed object or
something like that) but I would be interested in knowing where the break-even
point is compared to a hardware solution.

And for a hardware solution you can use:
* just hardware, where you need at least 1 DC per domain in the lag site (for
each day of the week that would be 7 DCs per domain) (not forgetting licensing
for the server OS)
* hardware combined with software (e.g. ESX/GSX or Virtual Server) (not
forgetting licensing for the server OS and the virtual solution)

I'm very interested in hearing what folks have chosen and how much it costs
and of course why that particular solution. Of course don't forget to mention
the type of environment and size.

But let's start by pinging Rick...

ping rick.kingslan.microsoft

;-)

jorge


From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Tony Murray
Sent: Fri 2006-03-03 19:59
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD Lag Sites

I think Rick Kingslan did something like this with
virtual machines. I'll ping him to see if he has any
comment.

Tony


abagnale_lists

Posts:16

03/04/2006 10:40 AM
Message body was not found.
abagnale_lists

Posts:16

03/04/2006 10:48 AM
Message body was not found.
abagnale_lists

Posts:16

03/04/2006 11:02 AM
Message body was not found.
GuidoG

Posts:114

03/04/2006 12:50 PM
Frank - I'd also be interested to hear how others protect
themselves from forced replication in a lagsite - I'm sure most aren't aware
it's a potential risk in the first place. As mentioned below, an option
would be to automatically enable and disable the NIC of the respective lagsite
DC in line with its scheduled replication window. If running as VMs you could
also configure them to boot and shut down automatically according to the schedule
(I'm not a friend of "suspending" production DCs). I'd probably still prefer
just disabling the NICs.

/Guido

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Frank Abagnale
Sent: Saturday, 4 March 2006 12:00
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AD Lag Sites

Guido, this is really useful information.

I have a single domain forest so I feel comfortable with the Lag Site
idea. With a multi domain forest, I would assume the additional cost in
maintaining this environment would justify the cost of purchasing
a recovery solution.

Your point about Forced Replication is an interesting thought; I didn't
realise the lag site would not be protected. I would need to put this as a
potential risk.

If this is the case, my question to others who have implemented Lag Sites
is how do you handle protecting the lag site from forced replication from
other admins?


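As an added example (not code from the thread, nor from any product or list member named in it), here is a small Python model of the two arguments above: Ulf's point that a single lag site leaves a gap between a deletion and its detection while two staggered sites always keep an older copy, and Guido's point that a forced replication defeats the schedule unless the lag DC is off the network outside its window. The site names, the Wednesday/Sunday schedule and the "isolated" flag are assumptions constructed for the model.

```python
"""Recovery-window model for AD lag sites (added example, not from the thread).

Time is counted in hours from Monday 00:00.  Every lag site pulls from
production once a week at a fixed hour-of-week; the pull is treated as
instantaneous, and a deletion is "lost" for a site as soon as the site
replicates after the deletion happened.
"""
from dataclasses import dataclass
from typing import Iterable, List, Sequence

DAY = 24
WEEK = 7 * DAY
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def hour_of_week(day: str, hour: int) -> int:
    """('Thu', 18) -> 90: hours since Monday 00:00."""
    return DAYS.index(day) * DAY + hour


@dataclass(frozen=True)
class LagSite:
    name: str
    weekly_at: int          # hour-of-week of the scheduled inbound replication
    isolated: bool = False  # assumed control: NIC disabled outside the window


def next_scheduled(site: LagSite, t: float) -> float:
    """First scheduled replication strictly after time t."""
    s = site.weekly_at + WEEK * ((t - site.weekly_at) // WEEK)
    return s + WEEK if s <= t else s


def next_replication(site: LagSite, t: float, forced: Iterable[float] = ()) -> float:
    """First event after t that copies production state into the site.

    A forced sync ignores the schedule and any disabled connection object,
    so it counts for every site that is reachable on the network.  A site
    whose NIC is disabled outside its window only replicates as scheduled.
    """
    events = [next_scheduled(site, t)]
    if not site.isolated:
        events.extend(f for f in forced if f > t)
    return min(events)


def usable_sites(sites: Sequence[LagSite], t_deleted: float, t_detected: float,
                 forced: Iterable[float] = ()) -> List[str]:
    """Sites whose copy still predates the deletion when it is noticed."""
    forced = list(forced)
    return [s.name for s in sites if next_replication(s, t_deleted, forced) > t_detected]


def detection_deadline(sites: Sequence[LagSite], t_deleted: float,
                       forced: Iterable[float] = ()) -> float:
    """Hours after the deletion until the last pre-deletion copy is overwritten."""
    forced = list(forced)
    return max(next_replication(s, t_deleted, forced) for s in sites) - t_deleted


def worst_case_window(sites: Sequence[LagSite]) -> float:
    """Smallest detection_deadline over all deletion times, scheduled pulls only.

    With event hours sorted around the week, the site that replicated most
    recently before a deletion is the last one to overwrite its copy, so the
    guarantee is WEEK minus the largest gap between consecutive events:
    one site gives 0, two sites half a week apart give 84 hours.
    """
    hours = sorted({s.weekly_at % WEEK for s in sites})
    if not hours:
        return 0
    gaps = [b - a for a, b in zip(hours, hours[1:])]
    gaps.append(hours[0] + WEEK - hours[-1])   # wrap-around gap
    return WEEK - max(gaps)


if __name__ == "__main__":
    # Constructed sample: a single Thursday-18:00 site versus two staggered
    # sites (midweek and weekend), then the forced-sync case.
    one = [LagSite("Lag-Thu", hour_of_week("Thu", 18))]
    two = [LagSite("Lag-Wed", hour_of_week("Wed", 18)),
           LagSite("Lag-Sun", hour_of_week("Sun", 6))]
    deleted, noticed = hour_of_week("Thu", 17), hour_of_week("Thu", 19)
    print("one site :", usable_sites(one, deleted, noticed), worst_case_window(one))
    print("two sites:", usable_sites(two, deleted, noticed), worst_case_window(two))
    forced = [hour_of_week("Tue", 14)]        # an admin forces a sync on Tuesday
    deleted, noticed = hour_of_week("Tue", 10), hour_of_week("Wed", 10)
    print("forced   :", usable_sites(two, deleted, noticed, forced))
    isolated = [LagSite(s.name, s.weekly_at, isolated=True) for s in two]
    print("isolated :", usable_sites(isolated, deleted, noticed, forced))
```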
ihblist

Posts:1

03/05/2006 12:29 PM
On 3/3/06, Almeida Pinto, Jorge de wrote:
> When talking about "a software solution to restore deleted objects" I know about:
> Netpro's RestoreADmin
> Quest's Recovery Manage for AD
>
> I don't know the price of both products (I guess per managed object or something like that) but I would be interested in knowing where the break even point is compared to a hardware solution.
I asked my Quest account manager for Quest Recovery Manager the other
day, and she said the price is $10.00 per node. The price is flat
regardless of how many nodes you have. The thing that varies is of course the
discount.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
ihblist

Posts:1

03/05/2006 12:31 PM
I meant the number of users in the AD.
Sorry for the confusion.

Copyright 2012 ActiveDir.org