Ghost on 2000 AD domain controller


IceBall

Instructor
Mar 26, 2003
SE
I use Ghost on two Domain Controllers to take a backup of the whole server. Will there be any problems if I restore a Ghost image that is old (more than 1 month old) on one of the DCs?
Someone told me that 2000 Server changes some kind of computer certificate (or key) regularly, so if you try to restore an old Ghost image of a DC it will not replicate with the other DC.
Does anyone know about this?
/IceBall

Sorry for my spelling, I'm from Sweden! :)


MCSE+I NT 4.0
MCSE w2k
 
Yeh, I heard about this one.

It also relates to doing an AD restore that is over a month (I think) old.

I'll have a dig around and see if I can find the Article.

Chris Styles

NT4/2000 MCSE
 
OK got it....

The limit is a 60 day life of the records and changes which relates to the tombstone life of AD.

So if you did restore the AD server, and provided that you still have an active AD controller, then the system will replicate and take on the new updates.

If you were to restore a single DC with a backup older than 60 days, all the records would be out of date and everything would literally go tits up, but...

You can change this setting by making the tombstone life older than the backup whilst still in AD Restore. see
Hope this helps

Chris Styles

NT4/2000 MCSE
 
Hi! Thanks for the tips!
But my question was not about the tombstone thing. Someone told me that if you restore a DC image that is more than 1 month old then the other DCs will not approve or accept the DC in the Active Directory at all, because some computer certificate or key is too old and it will not be renewed. So the DC will be rejected in the AD.
Has anyone heard about this?
/IceBall


MCSE+I NT 4.0
MCSE w2k
 
I don't know of anything happening with a 30 day backup. The only thing that relates to restoring after 30 days is the Kerberos computer password that domain controllers have.

This password is automatically changed every 30 days, but the DCs only store 2 passwords: the previous and the current one. This is another reason why backups older than 60 days won't work. After 60 days, the DCs will have gone through two password changes, and therefore a restored DC will not be able to authenticate.
 
You could always reset the machine account password with NLTEST. The real problem is lingering objects.

If you delete an object it is tombstoned. If you delete an object on another DC, then restore a DC from a backup that was created when the object existed and the backup is older than the tombstone lifetime, you'll create a lingering object. The default tombstone lifetime is 60 days. Cleanup can be painful.

Q314282

John
MOSMWNMTK
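
A simplified model of the two failure modes described in this thread (missed machine-password changes and lingering objects), added here as an example and not code from any poster. The function names, the strict 30-day change schedule and the sample objects are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

TOMBSTONE_LIFETIME = timedelta(days=60)  # default quoted in the thread
PASSWORD_INTERVAL = timedelta(days=30)   # change interval quoted in the thread

@dataclass
class Deletion:
    dn: str            # constructed sample name
    created: datetime
    deleted: datetime  # when a surviving DC deleted the object

def lingering_after_restore(backup_taken, restored_at, deletions,
                            lifetime=TOMBSTONE_LIFETIME):
    """DNs the restored DC would keep although the domain deleted them."""
    out = []
    for d in deletions:
        in_backup = d.created <= backup_taken < d.deleted
        # Once the tombstone has expired nothing is left to replicate
        # the deletion to the restored DC.
        tombstone_gone = restored_at - d.deleted > lifetime
        if in_backup and tombstone_gone:
            out.append(d.dn)
    return out

def password_changes_missed(last_change, backup_taken, restored_at,
                            interval=PASSWORD_INTERVAL):
    """Changes between backup and restore, assuming a strict schedule."""
    before = (backup_taken - last_change) // interval
    after = (restored_at - last_change) // interval
    return after - before

def restore_report(last_change, backup_taken, restored_at, deletions):
    missed = password_changes_missed(last_change, backup_taken, restored_at)
    return {
        "backup_age_days": (restored_at - backup_taken).days,
        "password_changes_missed": missed,
        # Only current and previous are kept, so two missed changes is fatal.
        "can_authenticate": missed < 2,
        "lingering": lingering_after_restore(backup_taken, restored_at, deletions),
    }

# Constructed sample: backup on 1 Jan 2003, last password change 20 Dec 2002.
LAST_CHANGE = datetime(2002, 12, 20)
BACKUP = datetime(2003, 1, 1)
SAMPLE = [
    Deletion("CN=old-printer", datetime(2002, 6, 1), datetime(2003, 1, 5)),
    Deletion("CN=temp-user", datetime(2002, 6, 1), datetime(2003, 2, 20)),
    Deletion("CN=late-pc", datetime(2003, 1, 10), datetime(2003, 1, 12)),
]
```

Calling `restore_report(LAST_CHANGE, BACKUP, datetime(2003, 3, 15), SAMPLE)` models a 73-day-old image; run the same check with the real backup date before restoring a DC from an image.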


 