Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Reverting schema change from 69 (2012 R2) back to 47 (2008 R2). Forest restore question

Posted on 2015-01-16
5
Medium Priority
?
194 Views
Last Modified: 2015-01-21
Hello,
If we do Authoritative Restore for FSMO holders for each domains, dont they suppose to replicate changes to the remaining DCs? Why Microsoft is saying that you will need to restore the remaining DCs?

So, if we are trying to revert the schema change from 69 (2012 R2) back to 47 (2008 R2), would it be sufficient  to restore Schema and FSMO holders for each domain and then replicate the changes??? Or we would need to restore all the remaining  DCs? Would it be sufficient to Authoritatively restore only schema partition on the Schema master and replicate the changes??

Please advise.
P.S
I have read all MS documentation already. Need someone to post it from experience.
0
Comment
Question by:creative555
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 40553862
Full forest recovery to reverse it,  did you run into issues where you need to do this or are you just trying to plan?

Thanks

Mike
0
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 40553874
The issue is with how schema changes specifically are distributed and applied on a per-DC basis. The architecture was designed to be non-destructive. It isn't like the DC can just receive an entire new schema and destroy the old one. Such an act would not only be destructive, but would break the mappings of the actual objects in the LDAP database with their respective definitions.

As such, when restoring a DC with a different schema, changes are always additive, never destructive. Thus you can't restore a DC (even a schema master) and have it push out an older version. It simply can't work that way. An authoritative restore involves marking objects as authoritative, not schemas.

So if you find you have to revert a schema (which is *EXCEEDINGLY RARE*), you do have to restore all DCs.  Schemas are backwards compatible, however, so as I have now hinted at many times, having a newer schema with older DCs is perfectly acceptable and rolling back should not be required except in the most dire of DR scenarios.

-Cliff
0
 

Author Comment

by:creative555
ID: 40554322
Very good answer. YEs. we are doing it for the documentation purposes and testing it in the lab.
SO, I understand that we need to recover forest and will be doing restoring FSMO master and the remaining DCs.
So, when doing authoritative restore of FSMO master with ntdsutil, do we need to restore all partitions?? or just schema partition??
0
 

Author Comment

by:creative555
ID: 40554337
so for 2003 it would be the following command:
authoritative restore: restore database

and for the 2008 FSMO DC it would be all partitions?

NTDS-Schemapartitionrestore.jpg
0
 
LVL 59

Accepted Solution

by:
Cliff Galiher earned 2000 total points
ID: 40554369
In most cases you'll need to restore all partitions. While the schema partition holds the actual schema, once run most objects are touched (if even to full null values for various schema properties) and as such, just restoring the schema has a very high risk of leaving AD objects in an unsupported state that the OS may interpret as corruption.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question