WAS: inheretance is broken... RODC question

albertduro posted this 10 May 2007

So, can an RODC have any value as a backup? If all your DCs and tapes crash and burn,and you have just one RODC left in a remote site, can you rebuild your AD from it?

ZJORZ posted this 18 November 2016

If you ran ADPREP /RODCPREP in the past there is no need to run it again. It does not hurt either if you did, by the way.

https://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx

> I have now brought in a 2012R2 RODC and is giving me a ton of problems with Kcc

You need to be more specific when you say this and why your conclusion is to rerun ADPREP /RODCPREP.

Met vriendelijke groeten / Kind regards,
Jorge de Almeida Pinto
MVP Enterprise Mobility And Security | MCP/MCSE/MCITP
E-mail: jorge@xxxxxxxxxxxxxxxx
Tel: +31 (0)6 26.26.62.80


eziotslifespanorg posted this 19 May 2007

Re: [ActiveDir]WAS: inheretance is broken... RODC question


Why not play with the weighting of the DC's DNS records to put a lower weight and priority to the offsite DC as compared to the ones within your existing sites?

EZ
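
How SRV priority and weight shape which DC a client tries first, as an added example that is not part of the original post. It models only the generic RFC 2782 selection, not the DC locator's site-awareness; the record names and values are constructed.

```python
import random
from collections import namedtuple

Srv = namedtuple("Srv", "target priority weight")

# Constructed SRV records for a hypothetical domain; names are illustrative.
# On a Windows DC, Netlogon publishes these fields (LdapSrvPriority, LdapSrvWeight).
BY_PRIORITY = [
    Srv("dc1.example.test", 0, 100),
    Srv("dc2.example.test", 0, 100),
    Srv("dc-offsite.example.test", 10, 100),  # higher priority value = tried last
]
BY_WEIGHT = [
    Srv("dc1.example.test", 0, 100),
    Srv("dc2.example.test", 0, 100),
    Srv("dc-offsite.example.test", 0, 10),    # same priority, smaller share
]

def srv_order(records, rng):
    """Order targets as RFC 2782 describes: priority first, then weighted draw."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            group.sort(key=lambda r: r.weight != 0)   # weight-0 entries first
            pick = rng.randint(0, sum(r.weight for r in group))
            running = 0
            for r in group:
                running += r.weight
                if running >= pick:
                    ordered.append(r.target)
                    group.remove(r)
                    break
    return ordered

def first_choice_share(records, available, trials=10000, seed=1):
    """Fraction of lookups in which each reachable DC is the first one used."""
    rng = random.Random(seed)
    counts = {t: 0 for t in available}
    for _ in range(trials):
        first = next(t for t in srv_order(records, rng) if t in available)
        counts[first] += 1
    return {t: n / trials for t, n in counts.items()}

if __name__ == "__main__":
    everyone = {r.target for r in BY_PRIORITY}
    print(first_choice_share(BY_PRIORITY, everyone))
    print(first_choice_share(BY_WEIGHT, everyone))
    print(first_choice_share(BY_PRIORITY, {"dc-offsite.example.test"}))
```

With a higher priority value the off-site DC is used only when no preferred DC answers; with a lower weight at the same priority it still takes a small share of routine traffic.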


albertduro posted this 19 May 2007

Makes sense. But, given that, and you have this contingency DC in a remote, secure, slow-link (T1) site, you want it to do just replication, you don't want to be always responding to routine user and network processes, and you particularly don't want the local workstations to be bugging it for services. How do you achieve that? Lag site, maybe? Or maybe just separate logical Site? And/or subnetting?


listmail posted this 18 May 2007

Ah yeah. I was just stating the case that you wanted a writeable DC (WDC) versus RODC. RODCs in their recovery site aren't going to help much.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm


wooklee posted this 16 May 2007

GCs are even better if you have a multi-domain forest. (Well at
least one preferably in the root domain.) If you do ADI DDNS, then having them
be DNS servers is also a plus.

Wook


ZJORZ posted this 10 May 2007

If the purpose is backup/restore of the directory service when the domain or forest dies --> no
WHY?
DS on RODC = read-only, no outbound replication, no auth restore possible, no switching to writable DC


However, in Windows Server Longhorn you can create snapshots on both writable DCs and RODCs and use that to compare data and restore previous attribute values (assuming permissions to attributes that need to be edited for the person doing this are in place). On RODCs you need to be aware that if an attribute is a member of the RO-PAS its value will not be in the database of all RODCs and all the snapshots created on RODCs.
To be able to verify all the attribute values, it is best to use snapshots from a writable DC.

It could be interesting though to have non-domain admins on an RODC that have write permissions on objects (users and groups) in a particular OU (let's say a branch office) and let them restore old values.
You could even delegate to those branch office admins the rights to undelete/reanimate an object and, using a snapshot on the RODC, restore the other optional attributes.
Delegated permissions for reanimation:
http://support.microsoft.com/?id=892806
http://msdn2.microsoft.com/en-us/library/ms677923.aspx


If the purpose is backup/restore of other stuff local to the RODC like files/apps, etc. --> yes

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU ISA Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80


listmail posted this 10 May 2007

No
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
