Re: What would happen if a solo W2K DC were to crash, and the data would be protected with NTFS?
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 07/19/05
Date: Mon, 18 Jul 2005 20:33:13 -0700
Neko
Steve has answered you, but I just wanted to say that it really does not
matter whether there is a domain involved or not, whether it is NT 3.51
or W2k3, etc. - there are two ways for NTFS storage to be accessible
when a disk is loaded into a different system (as with a fresh install):
either built-in principals were used to grant NTFS access (like Users,
Administrators, Administrator, etc.), which will be honored in any build,
or the built-in Administrator account can always take ownership of any
NTFS object and in so doing set (or have set) the permissions.

EFS is a major factor that can complicate the above statement, which
deals only with NTFS accessibility.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Neko-" <neko@xs4all.nl> wrote in message
news:rc2od1h7q07gpjg52s9mdtrtg8mi76ncjv@4ax.com...
> I'd like to post a question to which I'd rather know the answer before
> I'm actually confronted with the situation.
>
> From experience I've had a Windows 2000 Pro workstation with 2 HDDs
> running in a domain environment. On the second disk I implemented some
> NTFS rights through domain accounts. This second disk also contained
> some install files, so I would be able to easily install some items
> that I needed.
>
> Now when a reinstall came round for the machine, I got it up and
> running. Then I wanted to access the second HDD for the install files,
> but ran into a rights problem. I wasn't allowed to access the
> secondary disk. After I added the machine to the domain and used a
> domain account to log on, I no longer had the issue.
>
> Now we get to the big question... I have a W2K DC, which is currently
> running alone in the domain. There are no additional DCs active. It's
> a home system, and the domain is merely there for me to try some minor
> things with. This DC has multiple HDDs all with some right structures
> implemented on them through the use of the domain accounts. One of the
> HDDs (primary boot) has 3 partitions: "W2K server boot", "Private
> Data" and "Everything else". There are two other HDDs in the system
> that both hold one partition to the whole disk each. No spanning, no
> RAID, no mirroring, no redundancy... Just three disks with the above
> configuration.
>
> Now the question is: What would happen if the DC were to crash, and
> I'd be forced to reinstall it from scratch?
>
> I'd need to reinstall the Active Directory, and recreate the accounts
> (there's not that many so that's not that much of an issue, just
> wiping the C: partition and reinstalling the server wouldn't be THAT
> much of a hassle either), but when I recreate the accounts I'd be
> creating the same accounts with different SIDs. Which would mean that
> any right structures available on the HDDs / partitions would be
> invalidated.
>
> So my guess is, that reinstalling the DC would mean I'd be unable to
> retrieve ANY data from the disks / partitions, seeing the NTFS
> security would lock me out of accessing 'm.
>
> Would I be able to hook up the HDD to a workstation that is currently
> logging on to the domain and access the disk through there? This would
> require a copy action over the network, but it would be do-able. The
> only real question that remains then is: Would the workstation allow
> me to log on under a domain account that never logged on to it before?
> My guess is not. So as a preparation strike, I could log on on a
> workstation under the account that has full access to the disks, just
> to make sure that I'd be able to log onto the PC while the DC itself
> would be absent.
>
> The only way around any rights issues I suppose would be Partition
> Magic, and returning the partitions to FAT32, or create an NTFS DOS
> boot disk, hook up another disk, copy the entire contents of the NTFS
> disk to the new disk, then wipe, recreate the partition, and recopy
> the data.
>
> The other option would be a backup of the data (or just the System
> State) of some sort. Seeing there is no backup hardware available to
> backup the amount of data on the disks, this isn't something that's
> active at the moment, nor do I have readily available funds to obtain
> backup hardware to backup the whole of the HDD capacity to either a
> new HDD, or tape. If the SystemState would be sufficient, I'd still be
> looking at some solution that would give me access to that data on
> some disk I'd be able to access. So possibly again a re-convert back
> to FAT32?
>
> Or would it be possible to plan for this, and give some local account
> (Everyone?) access to all disks, while still implementing the rights
> structure for when users access the machine over the network? (I'm
> guessing the Everyone account would be recreated too, and as such its
> SID would also be invalidated).
>
> I'm checking into creating a new DC just to hold a copy of the AD so
> I'd be able to at least get the data up and running normally again.
> It'll be off most of the time, and I'll just need to start it every
> now and then to replicate any changes (which hardly occur anyway) to
> keep it updated. This however would cost me the use of a PC (although
> it's an old one) as well as an HDD, but that would be a solution I can
> at least feel somewhat secure with.
>
> Anyone have any experience with this scenario?
>
> Due to the fact I'll be going on vacation this week, it'll mean the
> server will be off anyways, so there isn't a real hurry with any
> answers. I'd just like to be sure about what scenarios I'd be facing
> in the wake of some mishap that'd kill the AD for whatever reason.
> Thanks in advance for any and all responses.
>
> Neko-
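
The two cases in the reply above can be checked ahead of time from a volume's security descriptor. The following Python is an added example, not part of the original posts: it reads the DACL from an SDDL string and reports whether any allow ACE names a well-known SID (identical on every install) or only SIDs under S-1-5-21-, which are issued by one specific domain or machine. The function names, the sample descriptors and the domain SID are constructed for illustration.

```python
import re

# SDDL aliases whose SIDs are the same on every Windows installation.
WELL_KNOWN = {
    "BA": "S-1-5-32-544",  # BUILTIN\Administrators
    "BU": "S-1-5-32-545",  # BUILTIN\Users
    "WD": "S-1-1-0",       # Everyone
    "AU": "S-1-5-11",      # Authenticated Users
    "SY": "S-1-5-18",      # Local System
}

def classify(trustee):
    """Map an ACE trustee (alias or literal SID) to (sid, kind)."""
    sid = WELL_KNOWN.get(trustee, trustee)
    if sid.startswith("S-1-5-21-"):
        return sid, "install-specific"   # issued by one domain or machine
    if sid.startswith("S-1-"):
        return sid, "well-known"
    return sid, "unknown"                # alias not in the table: assume not portable

def audit_dacl(sddl):
    """Return (ace_type, rights, sid, kind) for each ACE in the DACL."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not dacl:
        return []
    rows = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1)):
        fields = ace.split(";")          # type;flags;rights;guid;guid;trustee
        if len(fields) >= 6:
            rows.append((fields[0], fields[2]) + classify(fields[5]))
    return rows

def recovery_path(sddl):
    """'existing ACEs' if any allow ACE names a well-known SID, else 'take ownership'."""
    portable = [r for r in audit_dacl(sddl) if r[0] == "A" and r[3] == "well-known"]
    return "existing ACEs" if portable else "take ownership"

# Constructed sample descriptors; the domain SID is made up.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_ONLY = f"O:{DOMAIN_SID}-1104G:{DOMAIN_SID}-513D:PAI(A;OICI;FA;;;{DOMAIN_SID}-1104)"
MIXED = f"O:BAG:SYD:(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;{DOMAIN_SID}-1104)"

if __name__ == "__main__":
    for name, sddl in (("DOMAIN_ONLY", DOMAIN_ONLY), ("MIXED", MIXED)):
        print(name, recovery_path(sddl), audit_dacl(sddl))
```

On current Windows versions the SDDL string for a path can be read in PowerShell from the `Sddl` property of the object `Get-Acl` returns.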