AD AUTHORITATIVE RESTORE - A CAUTIONARY TALE

Scenario is an AD to eDir two-way sync of users, groups and OUs.
Two-way sync is what the customer wanted so that either side could be
administered. A Microsoft administrator inadvertently deletes 50 or so
accounts (don't ask). Naturally they are gone from eDirectory at this
point as well. The administrator decides to do an Active Directory
“Authoritative Restore” to quickly get the users back into both systems
but decides to do the entire domain instead of the 50 users (don't ask).


The result was that all objects in AD were deleted and recreated from the
other Domain Controllers with their previous GUID and other AD features
intact. However, the AD to eDirectory driver naturally saw the delete
events and acted upon them, _deleting hundreds of users_, groups and
empty OUs from eDirectory. The AD restore recreated the users,
groups and OUs after several forced “migrate objects” procedures.
Things like eDirectory-unique attributes (login scripts on the
eDirectory OUs) were lost, as well as file system trustee assignments.
Backlink issues galore. Not a good day, or week for that matter.

Options to avoid this again:
1. Set the Driver Health Policy to shut down after X number of delete
   events are queued.
2. Don't allow delete events to occur on the driver. Change delete to
   deactivate account.
3. Use the workflow system of Role Based Services for manual approval of
   delete events.
4. Ensure all AD administrators understand the repercussions of an
   Authoritative Restore.


--
Shawshank1
------------------------------------------------------------------------
Shawshank1's Profile: http://forums.novell.com/member.php?userid=71746
View this thread: http://forums.novell.com/showthread.php?t=393933
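Option 2 above, as an added illustration that is not from the original post: a Publisher Command Transformation rule in DirXML Script that turns an incoming AD delete of a User into a Login Disabled modify on the matching eDirectory object and vetoes the delete itself. The element names follow DirXML Script syntax as I recall it and are an assumption to check against the policy builder of the installed IDM version.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the post): Publisher Command Transformation
     rule for the AD driver. Instead of propagating an AD delete into
     eDirectory, set Login Disabled on the associated eDirectory user and
     veto the delete, so a mass delete/restore on the AD side cannot
     remove user objects from the tree. Element names are an assumption. -->
<policy>
  <rule>
    <description>Convert AD user delete to eDirectory disable</description>
    <conditions>
      <and>
        <if-operation op="equal">delete</if-operation>
        <if-class-name op="equal">User</if-class-name>
      </and>
    </conditions>
    <actions>
      <!-- Leave an audit trail in the driver status log / trace -->
      <do-status level="warning">
        <arg-string>
          <token-text xml:space="preserve">AD delete received for </token-text>
          <token-dest-dn/>
          <token-text xml:space="preserve">; disabling instead of deleting</token-text>
        </arg-string>
      </do-status>
      <!-- On the Publisher channel the destination is eDirectory; for a
           non-add/modify operation this is issued as a separate modify
           command, so it survives the veto of the delete below -->
      <do-set-dest-attr-value name="Login Disabled">
        <arg-value type="string">
          <token-text xml:space="preserve">true</token-text>
        </arg-value>
      </do-set-dest-attr-value>
      <!-- Drop the original delete so it never reaches eDirectory -->
      <do-veto/>
    </actions>
  </rule>
</policy>
```

This rule only covers User objects; groups and OUs would still be deleted, which is why option 1 (a delete-count threshold in the Driver Health Policy) is still worth configuring alongside it.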