Scribd Logo
Importer

Bienvenue sur Scribd !

  • AD Stuffs

    Transféré par

    Rajkumar Swaminathan
    25 vues2 pages

    Titre original

    AD stuffs

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Formats disponibles

    DOCX, PDF, TXT ou lisez en ligne sur Scribd

    Avez-vous trouvé ce document utile ?

    Ce contenu est-il inapproprié ?

    Signaler ce document

    Droits d'auteur :

    Attribution Non-Commercial (BY-NC)
    Téléchargez comme DOCX, PDF, TXT ou lisez en ligne sur Scribd
    Signaler comme contenu inapproprié
    25 vues2 pages

    AD Stuffs

    Transféré par

    Rajkumar Swaminathan

    Droits d'auteur :

    Attribution Non-Commercial (BY-NC)
    Téléchargez comme DOCX, PDF, TXT ou lisez en ligne sur Scribd
    Signaler comme contenu inapproprié
    sur 2

    Lingering Objects

    When restoring a backup file, Active Directory generally requires that the backup file be no more than
    180 days old. (The limit is 60 days if the AD forest was originally created with Windows Server 2000.)
    If attempt to you restore an backup that is expired, you may encounter problems due to “lingering
    objects”.

    What Are Lingering Objects?

    A lingering object is a deleted AD object that re-appears (“lingers”) on the restored domain controller
    (DC) in its local copy of Active Directory. This can happen if, after the backup was made, the object
    was deleted on another DC more than than 180 days ago.

    When a DC deletes an object it replaces the object with a tombstone object. The tombstone object is
    a placeholder that represents the deleted object. When replication occurs, the tombstone object is
    transmitted to the other DCs, which causes them to delete the AD object as well.

    Tombstone objects are kept for 180 days, after which they are garbage-collected and removed.

    If a DC is restored from a backup that contains an object deleted elsewhere, the object will re-appear
    on the restored DC. Because the tombstone object on the other DCs has been removed, the restored
    DC will not receive the tombstone object (via replication), and so it will never be notified of the
    deletion. The deleted object will “linger” in the restored local copy of Active Directory.

    How to Remove Lingering Objects

    Windows Server 2003 and 2008 have the ability to manually remove lingering objects using the
    console utility console utility REPADMIN.EXE. REPADMIN.EXE can be found in the Windows Server
    2003 Support Tools, located on the Windows 2003 Server CD/DVD. (It is standard on Windows Server
    2008.) Use the option/removelingeringobjects

    local group membership can be controlled thru Active Directory, using restricted
    groups component in the group policy objects

     Why should you monitor replication and keep it working well? If replication isn’t working to one or more of your DCs,
    a segment of your user population won’t be kept current with the latest directory data. This could result in a host of
    problems: Password changes aren’t seen; accounts unlocked by administrators aren’t accessible by the account
    owner; users don’t have access to applications (even though they’ve been added to the correct groups); new users
    can’t log on (even though their accounts have been created); and, very importantly, terminated employees might be
    able to access the network after their accounts have been disabled.

    Replication issues can also affect Group Policy functioning and site or subnet changes. A DC that hasn’t successfully
    replicated with its partner DCs will be tombstoned out of the forest and must be rebuilt. Replication problems can also
    affect schema updates and have been known to cause forest-wide failures.
    A domain controller tracks objects in AD based on their Update Sequence Numbers (USN). Every
    object in AD has a USN. As objects are modified, the USN increases monotonically, like an odometer
    on a car. The latest USN on each DC is called the “high water mark”. During replication each DC
    compares its USN high water mark with the USN high water mark of its neighbors.

    USN rollback happens when an older copy of Active Directory is restored but the computer fails to
    notify the other domain controllers that it was rolled back to an out-of-date copy of AD (and therefore
    that its high water mark has rolled back).

    When you use UMove to restore AD it notifies the other DCs that it has been rolled back. The other
    DCs respond by “playing back” all changes made to AD since then, bringing the restored computer up
    to date.

    However, if you use a disk imaging utility (for example, if you restore an old disk image created with
    Symantec Ghost or Acronis True Image), the computer will be unaware that it has been rolled back. If
    the restored disk is older than the most recent actual disk that successfully replicated with the other
    domain controllers, any more recent changes made to AD on other domain controllers will not be
    “played back” to the out-of-date DC. This is because the restored DC is unaware that it has been
    rolled back.

    When USN rollback occurs the following message may appear in the Event Log: “The Active Directory
    database has been restored using an unsupported restoration procedure. Active Directory will be
    unable to log on users while this condition persists.” (NTDS General, Event ID 2103)

    Vous aimerez peut-être aussi