Krishna (Guest)
Posted: Tue Nov 08, 2005 9:51 pm
Post subject: Duplicate Machines with same credentials in AD with different
I currently have a machine running with some data on it; it has a computer
account in AD. I want to do a system state restore of that machine from
backups on another machine and I will bring it up with a different IP address.
I want to know how AD will handle this.
Has anybody done something similar to the above? I would like to know what
may be the consequences of doing it.
Thanks
Krishna
Paul Williams [MVP] (Guest)
Posted: Wed Nov 09, 2005 1:50 am
Post subject: Re: Duplicate Machines with same credentials in AD with diff
If you do a system state restore from another machine you will simply be
restoring the other machine to alternate hardware. AD will handle this by
allowing it, or complaining that the SC password is out of sync - so you
reset it. The machine that you overwrite with the restore will be erased
and the account will continue to exist.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Krishna (Guest)
Posted: Wed Nov 09, 2005 5:50 pm
Post subject: Re: Duplicate Machines with same credentials in AD with diff
Paul,
Thanks for your reply. I have a question: when I do a system state restore,
my AD Kerberos credentials should also be restored, right? We are doing this
for our DR exercise, so we want to be prepared. The other thing is these DRed
machines will be in a different subnet than our regular systems.
Can you also please direct me to any kind of Microsoft link which tells more
about what happens when there are two systems with the same AD credentials.
Thanks
Krishna
Paul Williams [MVP] (Guest)
Posted: Thu Nov 10, 2005 1:51 am
Post subject: Re: Duplicate Machines with same credentials in AD with diff
Are you saying you will be restoring a backup and keeping the original
online? This is not a good idea. I managed to pull this off in a lab, and
the results were...fun.
If the original is offline, the restored box will still be able to use its
password and account. If the password changed in the elapsed time between
backup and restore, the workstation will use the old password (which the DC
also knows), so the DC will allow it and reset it (and log an error in the
event log).
There should be some articles on restoring systems on Microsoft's website.
Use Google to search it - append site:microsoft.com on the end of your
search criteria.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Krishna (Guest)
Posted: Thu Nov 10, 2005 1:51 am
Post subject: Re: Duplicate Machines with same credentials in AD with diff
Quote: Are you saying you will be restoring a backup and keeping the original
Yes, since it is a DR exercise, that's what we have to do.
I will make sure that the password change made on the computer object is no
later than 7 days old, and the restore data is not older than 2 days, so I can
beat the password-out-of-sync errors. But my only concern is how AD will
react when it sees two objects with the same creds. I did some googling about DR
and how it affects AD. Could not find anything useful.
Krishna
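A check for the secure-channel behaviour discussed in the two posts above (the DC accepting the restored box's previous password, and Krishna's plan to keep the backup age inside the password-change window), as an added example that is not from the thread: a PowerShell script to run on the restored machine, assuming RSAT's ActiveDirectory module is installed and that the assumed -BackupTaken parameter holds the timestamp of the backup that was restored.

```powershell
# Added example (not from the thread). Run on the restored member after the
# system-state restore. Assumes the ActiveDirectory module (RSAT) is present and
# that -BackupTaken is the timestamp of the backup that was restored.
param(
    [datetime]$BackupTaken = (Get-Date).AddDays(-2)   # assumption: 2-day-old backup
)
Import-Module ActiveDirectory

$name = $env:COMPUTERNAME
# PasswordLastSet on the computer object is when a DC last accepted a
# machine-account (secure channel) password change for this computer.
$acct = Get-ADComputer -Identity $name -Properties PasswordLastSet
$age  = (Get-Date) - $acct.PasswordLastSet
"{0}: machine account password last set {1} ({2:N1} days ago)" -f $name, $acct.PasswordLastSet, $age.TotalDays

if ($acct.PasswordLastSet -gt $BackupTaken) {
    # The password rotated after the backup was taken, so the restored box holds
    # the previous password. The DC still knows that one and should accept it
    # and reset it, logging an error while doing so, so verify the channel below.
    Write-Warning "Machine account password changed after the backup; expect a secure-channel reset."
}

# Test-ComputerSecureChannel verifies the existing secure channel to a DC.
if (Test-ComputerSecureChannel) {
    "Secure channel to the domain is healthy."
} else {
    Write-Warning "Secure channel is broken; resetting the machine account password on both sides."
    # -Repair sets a new machine account password locally and on the DC. It needs
    # an account that may reset the computer object's password (e.g. Domain Admins).
    Test-ComputerSecureChannel -Repair -Credential (Get-Credential -Message "Account that can reset the computer object")
}

# Netlogon's own view of the channel, for the DR exercise record.
nltest /sc_query:$env:USERDNSDOMAIN
```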
Paul Williams [MVP] (Guest)
Posted: Thu Nov 10, 2005 9:51 am
Post subject: Re: Duplicate Machines with same credentials in AD with diff
If doing a DR test you should do it in an isolated environment. You should
not do this in the AD infrastructure. I can give you some tips for how
to get one of your DCs into the DR environment if you want - I've done it a
couple of times for the guys doing the DR tests here.
If you have two identical computers in the domain the effects are bad. They
are the same, and need to work. They will both change their secure channel
password after 30 days, which will cause an issue for one and then the other
when it gets reset. They will also complicate auditing, and Kerberos.
There are going to be lots of other issues too, and this is often difficult
to diagnose. Don't do it.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Krishna (Guest)
Posted: Thu Nov 10, 2005 5:51 pm
Post subject: Re: Duplicate Machines with same credentials in AD with diff
Paul, I would love to have those tips for having DCs in the DR environment.
Thanks
Krishna
Paul Williams [MVP] (Guest)
Posted: Sun Nov 13, 2005 1:50 pm
Post subject: Re: Duplicate Machines with same credentials in AD with diff
OK. This is what we do:
Promote a new DC in the production domain, leave it there a couple of hours.
Then turn it off and connect it to the test lab LAN (which is completely
isolated from the production LAN).
In the production domain, follow the steps in KB 216498 (the metadata side
of which is further clarified here:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/012793ee-5e8c-4a5c-9f66-4a486a7114fd.mspx)
to remove the DC that you just turned off.
In the lab, you must firstly seize the FSMO roles and also perform the
metadata cleanup removing all DCs that aren't also in the lab. You then
have a duplicate of the forest root in your lab.
Note: The FSMO roles won't be advertised unless the system replicates with
a peer. Therefore delete all connection objects prior to reboot. This way
the system will start and advertise normally. You can then remove any
remaining DCs.
For an article on how to seize the FSMO roles, see KB 255504.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
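The lab-side part of the procedure above (delete the connection objects before the reboot, seize the FSMO roles, then metadata-cleanup every DC that is not in the lab), as an added example that is not Paul's own: it uses the ActiveDirectory PowerShell module (Windows Server 2008 R2 and later) in place of the ntdsutil sessions that KB 216498 and KB 255504 walk through, and assumes the DC moved into the isolated lab is named LABDC01.

```powershell
# Added example (not from the thread). Run ON the DC that was moved into the
# isolated lab LAN. Assumes the ActiveDirectory module and that -LabDC names
# that DC; every other DC in the directory is unreachable and must go.
param(
    [string]$LabDC = 'LABDC01'    # assumption: hostname of the DC now in the lab
)
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

$cfgNC = (Get-ADRootDSE -Server $LabDC).configurationNamingContext

# 1. Delete every replication connection object first. The FSMO roles are not
#    advertised until the DC has replicated with a peer; with no connection
#    objects there is no peer to wait for, so it advertises normally on boot.
Get-ADObject -Server $LabDC -SearchBase $cfgNC -LDAPFilter '(objectClass=nTDSConnection)' |
    ForEach-Object {
        Write-Host "Deleting connection object $($_.DistinguishedName)"
        Remove-ADObject -Server $LabDC -Identity $_ -Confirm:$false
    }

# 2. Seize all five FSMO roles onto the lab DC. -Force turns the transfer into
#    a seizure because the current holders (production DCs) cannot be reached.
Move-ADDirectoryServerOperationMasterRole -Server $LabDC -Identity $LabDC `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Force -Confirm:$false

# 3. Metadata cleanup: remove every DC that is not in the lab. Deleting a DC's
#    NTDS Settings object makes the directory perform the cleanup itself; the
#    server object under CN=Sites and the DC's computer account go with it.
Get-ADDomainController -Server $LabDC -Filter * |
    Where-Object { $_.Name -ne $LabDC } |
    ForEach-Object {
        Write-Host "Removing metadata for $($_.HostName)"
        Remove-ADObject -Server $LabDC -Identity $_.NTDSSettingsObjectDN -Recursive -Confirm:$false
        Remove-ADObject -Server $LabDC -Identity $_.ServerObjectDN    -Recursive -Confirm:$false
        Remove-ADObject -Server $LabDC -Identity $_.ComputerObjectDN  -Recursive -Confirm:$false
    }

# Confirm that the lab DC now holds (and advertises) all five roles.
netdom query fsmo
```

The production side of the procedure (removing the moved DC from the live forest per KB 216498) is a separate step run against a production DC and is deliberately not part of this script.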