Controlling peer to peer AD/DNS GC-to-GC Replication
hi,
I have 2 W2K8R2 servers in a peer-to-peer GC setup - works perfectly. AD, DNS. AD Sites and Services: server1 says replicate from server2, server2 says replicate from server1.
Problem statement: server1 crashed, and the way I recovered it was from an image from months ago (my bad). I had a Legato backup server, and the re-install has been a nightmare. Now the IPsec tunnel (site-to-site) is missing, preventing replication. I want to temporarily turn off auto replication, control a one-way refresh from server2 to the recovered server1, and then turn it back on. Here is what I think I need at a high level. I need the actual steps.
1 - turn off auto replication
2 - re-config the IPsec tunnel so it works
3 - force one-way replication from server2 to server1 (should carry both AD users and DNS)
4 - turn auto replication (peer-to-peer, 2-way) back on.
Is this something that can be "explained" in the forum? Or is this going to be a once-per-year phone call to Microsoft via the TechNet contract?
Thanks - if you can, please help.
Randy S
Footnote - btw: I don't trust Legato overwriting what was lost in the IPsec config, AD users, DNS etc... I don't know what it would grab anyway.
Hi Randy,
I'm not quite sure what you mean by peer-to-peer, so I'm going to put that aside for the moment.
Up front, my concern is that you're talking about using a backup that is "months" old. How many "months"? If the journal has wrapped within that timeframe, the restore is going to be useless in any case.
Frankly, in the same position, I'd:
- write off the domain controller and use ntdsutil to perform a metadata cleanup
- rebuild the member server
- re-establish the IPsec tunnel
- promote the domain controller
- put Legato on another server (even if it's a heartache, it's the better option)
I realise you may not be able to cater to the final point; however, it's the recommended list of how to handle the situation, and there's no circumstance under which I'll approve the installation of additional software or hardware on a domain controller given its level of importance. If push came to shove, I'd run a secondary server inside a virtual machine located on the domain controller before I'd install extraneous bits and pieces on the DC.
Moving on, let's assume the backup is usable. The process I'd use is simply:
- non-authoritative Directory Services restore
- restart the server
- re-create the IPsec rule
Looking at your bullet points:
- So far as I'm aware, you can't do this. You can delete the connector object, but then you've got nothing to replicate over. You could, as an alternative, change the replication window to a slim window on a particular day of the week at a particular time, which would give ample time to work through the recovery process, but I'm not seeing a lot of value in doing this.
- Agreed. It should take a few minutes.
- Fair enough. You can use repadmin /replicate as you've mentioned, though there are a number of partitions you're going to need to manually trigger: the domain naming context, the domain DNS and forest DNS contexts, and the configuration partition. Unless you've extended the schema in the time since the backup was taken, you won't need to trigger that one.
- Following on from the explanation in the first point, it's not a case of turning it back on. If you adjusted the schedule, put it back to whatever it was.
cheers,
lain
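The manual one-way trigger Lain describes in the third bullet, written out as an added example (not code from either poster): it pulls each partition from server2 into the recovered server1 with repadmin /replicate and then shows the inbound replication state. It assumes a single-domain forest, the AD DS tools (repadmin.exe) installed, and Domain Admin rights; the DC names server1 and server2 are taken from the question.

```powershell
# Added example: trigger one-way replication of the partitions named in the
# thread, from the healthy DC (source) into the recovered DC (destination).
# Assumption: single-domain forest, so ForestDnsZones sits under the domain DN.
$Source      = 'server2'   # healthy DC holding the current copy
$Destination = 'server1'   # recovered DC that must catch up

# Read the naming contexts from RootDSE so no DN is hard-coded.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainNC = [string]$rootDse.defaultNamingContext
$configNC = [string]$rootDse.configurationNamingContext
$schemaNC = [string]$rootDse.schemaNamingContext

# Partitions to pull: domain NC, both DNS application partitions, configuration.
# The schema NC is deliberately left out; add $schemaNC to the list only if the
# schema was extended after the backup was taken.
$partitions = @(
    $domainNC,
    "DC=DomainDnsZones,$domainNC",
    "DC=ForestDnsZones,$domainNC",
    $configNC
)

$failed = @()
foreach ($nc in $partitions) {
    Write-Host "Replicating $nc : $Source -> $Destination"
    # repadmin /replicate <destination DSA> <source DSA> <naming context>
    & repadmin.exe /replicate $Destination $Source $nc
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "repadmin exit code $LASTEXITCODE for $nc"
        $failed += $nc
    }
}

# Verify inbound replication on the recovered DC before restoring any schedule.
& repadmin.exe /showrepl $Destination

if ($failed.Count -gt 0) {
    Write-Warning ("Partitions that did not sync: " + ($failed -join '; '))
}
```

Run it on either DC after the IPsec tunnel is back; a non-zero exit code from repadmin on any partition means the recovery is not finished, regardless of what the other partitions report.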