Solved

Do Shadow Copies Fully Back Up the Registry and AD Database?

Posted on 2008-10-28
8
257 Views
Last Modified: 2008-11-10
Does a shadow copy of a Windows 2003 Domain Controller's %SystemDrive% capture the Registry, AD database, and all other volatile system data structures completely and consistently such that if the shadow copy is copied to another volume it can boot and run a clone of the the original server?

That is, can I use vshadow.exe alone for backing up a Domain Controller, or do I need to use NTBackup (or some other commercial backup product like BE) to capture the "System State" info in a complete, consistent form?

I am specifically asking about a "pure" Windows Server 2003 Domain Controller, without any complications involving SQL Server, Exchange, or other applications.

Thanks for your help!
0
Comment
Question by:jeff1946
  • 4
  • 3
8 Comments
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 22828035
You can only use shadow copies to restore to the same volume.  If you want to be able to backup from one location and then restore somewhere else, you need a backup program such as NTbackup, Backup Exec, etc.

Shadow copies require the original volume to be intact in order to perform the restore.  The shadow copy only records the differences in the data structure, not the entire data set itself.  If you lose the original volume, the shadow copies are useless, even if you store them on another volume.
0
 
LVL 15

Accepted Solution

by:
fishadr earned 250 total points
ID: 22829452
It all depends how you have configured it.

The following link has full details of how you can configure Volume Shadow Copy Service and Virtual Disk
Service to recover failed Microsoft Active Directory servers:

http://www.microsoft.com/windowsserver2003/technologies/activedirectory/W2K3ActDirFastRec.mspx
0
 
LVL 1

Author Comment

by:jeff1946
ID: 22830543
Thank you both for your quick responses.

I didn't specify the question precisely enough, and kevinhsieh got the wrong idea. To clarify: if S: is the shadow copy of my system disk, then I want to back up the snapshot it represents to another volume T: (which is not a shadow copy) using something like robocopy as follows: robocopy /mir /copyall S: T:

Now if my system disk (C:) fails, can I restore it from T: (robocopy /mir /copyall T: C:) and boot back to the point in time when the shadow copy was created? I'm really just asking whether the Registry, AD, etc. system state is captured by the shadow copy. Under normal runtime conditions the system state on disk is not necessarily consistent with the system state in memory, so the key question is whether the shadow copy operation invokes writers to force an update the on-disk system state. The document cited by fishadr seems to say yes, on. p. 5 under "Shadow Copy Creation".

But at the risk of belaboring the point, the scenarios in the document specifically refer to high end SAN hardware configurations with 3rd party VSS providers and Win2K3 Enterprise and Datacenter Editions. Can anyone confirm that the same shadow copy backup/restore approach will work with my Win2K3 Standard Edition and directly attached storage?
0
 
LVL 15

Expert Comment

by:fishadr
ID: 22830626
No standard shadow copy will not allow you to restore your AD environment.

If you want to back up AD then you need to run a system state backup. You can do this to file and then shadow copy this to another server and then restore the system state from there:
http://technet.microsoft.com/en-us/library/cc787254.aspx

0
 
LVL 15

Expert Comment

by:fishadr
ID: 22830708
The document provides a quick way to recover your DC (including AD) from a shadow copy - This is because the whole disks and volumes are on the SAN. You therefore virutall disconnect the faulty volumes and re-attach the SAN Shadow copies.

If you are not running this type of environment then you will not be able to recover the AD (system state) unless your restore via Directory Restore Mode.

The W2k3 Standard version is designed for network shares (users shared data).
0
 
LVL 1

Author Comment

by:jeff1946
ID: 22831786
Thanks for your additional comments, fishadr.

But please understand that I'm not suggesting to use the shadow copy to recover only the system state, I'm talking about recovering the whole system. The robocopy restore (robocopy /mir /copyall T: C:) would wipe out anything on C: and replace it with the entire contents of T: Think of this as  a disk cloning procedure. And just to simplify further, assume that C: is the only volume on the DC.
0
 
LVL 15

Expert Comment

by:fishadr
ID: 22832726
You would probably be able to get it working in one way or another but as to how reliable this would be I am not sure.

Whenever I have implemented backing up a DC I have backed up the system state on a nightly basis and then backed this up to tape. Then to recover just restored the server from tape and then the system state and let replication update the server, it is pretty quick.

The only time it would not be quick is if you have a very large AD NTDS.DIT file, in which case you would have multiple DC's (so restoring the server would not be urgent) and it would take a while to restore the system state and replicate the changes back. But not much more than replicating back from robocopy. Which is why the recomendation is to use VSS to SAN then recover the OS (and AD) by switching the LUN's - This is the quickest recommended solution from Microsoft.

It is a good question that you ask but I am not sure what benefits you are going to achieve, if it will be any faster and how reliable it would be. You only need a slight corruption in the AD and the server will be in a real mess.
0
 
LVL 1

Author Comment

by:jeff1946
ID: 22925061
The system is nagging me to close this question, so I will give the credit to fishadr. I found the document he referred me to especially useful. With the help of the info in that document, I am working toward a lab test of whether a shadow copy of the DC will be a functional clone. Stay tuned....
0

Join & Write a Comment

I know all systems administrator at some time or another has had to create a script to copy file from a server share to a desktop. Well now there is an easy way to do this in Group Policy. Using Group policy preferences is not hard. The first thing …
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now