With your Windows 2003 forest running at Windows 2003 forest functional level,
LVR has an additional important benefit for the links that are actually stored
as LVR links in your domains. Because the links can now be replicated separately,
the Ntdsutil authoritative restore process will follow the back links and increase
the version ID for all LVR forward links it finds for the restored object(s).
In the context of a recovered user, this means that all of the user's group
memberships in its own domain will be fully recovered. Note that a DC can update
only objects and links in its own domain. Therefore, if your AD forest consists
of multiple domains and you also need to recover a user's group memberships
in those domains, you must still leverage the LDIF files from Windows 2003 SP1's
version of Ntdsutil during the authoritative restore operation.
LVR links not only improve the recoverability of group memberships. All
other multi-valued linked attributes (e.g., manager/directReports) behave the
same way and will be recreated during restoration of an object that contains
the relevant back links. Of course, if an object has forward links, such as the
group's member attribute, the forward links will still replicate during object
restoration as they always have.
Updating Your AD Groups to Contain LVR Links
To take full advantage of the LVR benefits during recovery, you need to ensure
that none of your groups or other linked attributes contain legacy links. In
a single AD domain environment, this approach simplifies the overall AD recovery
processes.
To update existing links in your AD forest, you must remove and re-add the links
to the linked attribute. For group memberships, you can easily accomplish this
task by piping the output of the DSGET command as input to the DSMOD command.
Using MyGroup as an example, you'd run the following DSGET group command with
the -members option:
C:\>dsget group CN=MyGroup,OU=OUGroups,DC=RootR2,DC=net -members
Web Figure 1 (http://www.windowsitpro.com, InstantDoc ID 96310) shows the output
from this command. If you combine this command with the DSMOD group command
and the -chmbr option (which is used to replace all memberships in a group),
you can efficiently remove and add all of a group's members, as follows:
C:\>dsget group CN=MyGroup,OU=OUGroups,DC=RootR2,DC=net -members | dsmod group CN=MyGroup,OU=OUGroups,DC=RootR2,DC=net -chmbr
Web Figure 2 shows the output from this command. To see the effect the action
had, run repadmin /showobjmeta again, as follows:
C:\>repadmin /showobjmeta DC1 CN=MyGroup,OU=OUGroups,DC=RootR2,DC=net
As the output in Web Figure 3 shows, all the links are now of the type "present,"
meaning that they are full LVR links that will be leveraged during object recovery.
But be careful: Don't remove and re-add all group members for all your groups
at once in a large environment, because doing so could result in a replication
storm. Plan the switch of your groups to LVR links so that the activity is
staggered over a reasonable period of time.
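As an added example (not code from the article), the following PowerShell script applies the same dsget | dsmod -chmbr rewrite to every group under an OU, pausing between batches so the links are not all rewritten at once, and uses repadmin /showobjmeta to confirm that no legacy links remain. It assumes dsquery, dsget, dsmod and repadmin are on the PATH, that $SearchBase and $Dc are placeholders you replace, and that repadmin reports legacy links as output lines beginning with the word LEGACY.

```powershell
# Added example, not from the article: convert every group under an OU to LVR links
# with the dsget | dsmod -chmbr rewrite, throttled in batches, and confirm with
# repadmin /showobjmeta that no LEGACY links remain.
# Assumptions: dsquery/dsget/dsmod/repadmin are on the PATH, the caller may modify
# the groups, $SearchBase and $Dc are placeholders, and legacy links appear in
# repadmin output as lines starting with the word LEGACY.
param(
    [string]$SearchBase = 'OU=OUGroups,DC=RootR2,DC=net',  # placeholder OU (from the article)
    [string]$Dc         = 'DC1',                            # every command targets this one DC
    [int]$BatchSize     = 25,                               # groups rewritten before pausing
    [int]$PauseSec      = 900                               # pause between batches (15 min)
)

# Count link entries that repadmin still reports as LEGACY (0 means the group is LVR-only).
function Get-LegacyLinkCount([string]$GroupDn) {
    $meta = & repadmin /showobjmeta $Dc $GroupDn 2>&1
    return @($meta | Where-Object { $_ -match '^\s*LEGACY\b' }).Count
}

# Re-add a group's direct members with -chmbr, which replaces the whole membership
# and therefore rewrites each link as an LVR link. Returns the LEGACY count afterwards.
function Convert-GroupToLvr([string]$GroupDn) {
    $members = & dsget group $GroupDn -members -s $Dc
    if (-not $members) { return 0 }      # empty group: nothing to rewrite
    # -chmbr replaces the membership with exactly what dsget printed, so run this in a
    # quiet window: a membership change made between the two commands would be lost.
    $members | & dsmod group $GroupDn -chmbr -s $Dc | Out-Null
    return Get-LegacyLinkCount $GroupDn
}

# dsquery prints quoted DNs; strip the quotes before reusing them.
$groups = & dsquery group $SearchBase -limit 0 -s $Dc | ForEach-Object { $_.Trim('"') }
$rewritten = 0
foreach ($g in $groups) {
    if ((Get-LegacyLinkCount $g) -eq 0) { continue }   # already LVR-only, skip it
    $left = Convert-GroupToLvr $g
    "{0}: {1} legacy link(s) remain" -f $g, $left
    $rewritten++
    # Throttle so the forest does not see every group's links rewritten at once.
    if ($rewritten % $BatchSize -eq 0) { Start-Sleep -Seconds $PauseSec }
}
"Rewrote {0} group(s)" -f $rewritten
```

Because dsget, dsmod and repadmin are all pointed at the same DC with -s, the post-rewrite check reads the metadata from the DC that made the change rather than waiting on replication.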
Maximize the Benefits
LVR adds various benefits to your AD forest, including reduced replication traffic
when updating group memberships and an unlimited number of members in each group.
But equally importantly, LVR also allows for automatic recovery of back-linked
attributes when authoritatively restoring objects. Especially after upgrading
a Win2K domain or forest, you must take special care to switch existing group
links from legacy storage to the LVR format, to be able to leverage all the
benefits of LVR.
SOLUTIONS SNAPSHOT
PROBLEM: Upgrading from Windows 2000 to Windows Server 2003 doesn't
automatically enable the Linked Value Replication (LVR) feature.
SOLUTION: To enable and fully leverage LVR, you must perform several
additional steps.
WHAT YOU NEED: Windows 2003
DIFFICULTY: 4 out of 5
SOLUTION STEPS:
- Upgrade from Windows 2000 to Windows Server 2003.
- Convert domains in your Active Directory (AD) forest from Win2K to Windows 2003 functional level.
- Update legacy links in your AD forest.