allow restore of a DC without admin rights

[peterve]

How can I allow someone to rebuild an entire DC, when that person only has
- a ntbackup backup of the system state
- new hardware, fresh installed 2003, local admin password
- Directory Services Restore password

I don't want that user to have local admin rights or Domani Admin rights once the server is up and running

How can I do this ?

thanks

--------------------------------------------------------------------
How can I believe in God when just last week I got my tongue caught in the roller of an electric typewriter?
---------------------------------------------------------------------

https://petersblog.dyndns.org:8899

---------------------------------------------------------------

 

[peterve]

I think I've found a way to do it
It requires the enterprise/domain admin to prepare a copy of a DC in vmware. I've written a procedure to do so on my blog:

https://petersblog.dyndns.org:8899/Lists/Posts/Post.aspx?ID=18

Next, you can provide the vmware image to the local admin.
If he needs to recover AD, he should boot up the vmware image, go into restore mode and restore the most up to date ntds.dit file
(domain admin rights are not required for this)

https://petersblog.dyndns.org:8899/Lists/Posts/Post.aspx?ID=17

I still need to do some additional testing with a p2v first, so watch out for new blog posts on that topic



--------------------------------------------------------------------
How can I believe in God when just last week I got my tongue caught in the roller of an electric typewriter?
---------------------------------------------------------------------

https://petersblog.dyndns.org:8899

---------------------------------------------------------------