2.9.2 Permanent Unavailability of Durable Storage

The preceding failure scenario dealt with the case of a transient unavailability of the durable storage. However, it is also possible that the durable storage on which the system's state is stored becomes permanently unavailable; for example, due to a nonrepairable hardware failure in the disk media. In this case, all of the state that is stored in the storage system is lost.

As in the case of a transient unavailability of the storage system, the directory server does not permit any request to succeed that requires altering the persisted state of the directory. The directory server can permit a request to succeed that requires retrieving state if that request can be completely and accurately answered by using only the state that the directory server has available to it while durable storage is unavailable.

When rejecting a request while in this scenario, the member protocol is permitted to use any suitable error code that indicates that the directory server cannot process the request. The system does not constrain the protocol's choice of error code.

Because the system generally does not have any means to determine on its own whether the storage system is temporarily or permanently unavailable, the key difference between this scenario and the previous scenario is that recovery in this scenario typically requires administrative intervention.

After making any necessary repairs or replacements of the storage system to return it to service, the administrator restores the state of the directory server from the most recent backup copy. The means of backing up and restoring such state is implementation-specific.

After the backup is restored, the state of the directory server is as it was at the time the backup was taken. Further, any changes to the state that were replicated to one or more replica directory servers in the directory service subsequent to the time the backup was taken can be regained after the restore through replication.
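The behavior described in this section, as an added example that is not part of the specification: a toy model of a directory server that rejects writes and serves only completely answerable reads while durable storage is lost, then restores from a backup and regains later replicated changes. All class, function and error names, the in-memory cache, and the single-originator sequence numbers are assumptions made for illustration.

```python
import copy

class StorageUnavailable(Exception):
    """Hypothetical error; the spec leaves the protocol's error code open."""

class DirectoryServer:  # toy model, not a real directory implementation
    def __init__(self):
        self.durable = {}   # persisted state; None models lost storage
        self.cache = {}     # state usable without durable storage
        self.changes = []   # (seq, key, value) applied on this server
    def apply(self, change):
        self.durable[change[1]] = change[2]
        self.cache.pop(change[1], None)    # drop any stale cached copy
        self.changes.append(change)
    def write(self, key, value, partners=()):
        if self.durable is None:
            raise StorageUnavailable("would alter persisted state")
        change = (len(self.changes) + 1, key, value)
        for server in (self, *partners):   # replicate to listed partners only
            server.apply(change)
    def read(self, key):
        if self.durable is not None:
            self.cache[key] = self.durable[key]
        if key not in self.cache:
            raise StorageUnavailable("cannot answer completely")
        return self.cache[key]
    def restore(self, backup, partners):
        self.durable, self.changes = copy.deepcopy(backup)
        self.cache, restored = {}, len(self.changes)
        for change in [c for p in partners for c in p.changes if c[0] > restored]:
            self.apply(change)             # regained through replication

def attempt(op, *args):
    try:
        return op(*args)
    except StorageUnavailable as exc:
        return f"rejected: {exc}"

def scenario():
    a, b = DirectoryServer(), DirectoryServer()
    a.write("cn=alice", "v1", partners=[b])
    backup = copy.deepcopy((a.durable, a.changes))
    a.write("cn=bob", "v1", partners=[b])   # replicated after the backup
    a.write("cn=carol", "v1")               # never replicated
    a.read("cn=alice")                      # alice is now held in memory
    a.durable = None                        # durable storage is lost
    during = [attempt(a.read, "cn=alice"), attempt(a.read, "cn=bob"),
              attempt(a.write, "cn=dave", "v1")]
    a.restore(backup, partners=[b])
    return during, sorted(a.durable)
```

In this model, `scenario()` shows the read of `cn=alice` succeeding during the outage while the read of `cn=bob` and the write are rejected; after the restore, `cn=bob` is regained from the replica and `cn=carol`, which was never replicated, is absent.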