Solved

Windows 2003 Active Directory restore

Posted on 2008-10-30
Last Modified: 2012-05-05
Dear all

I am planning a DR plan for my company, which starts from the domain controllers. We have two domain controllers in HK and another two in China. I need to emulate many cases; for example, if one of the HK domain controllers was dead, how can I disaster? All sites are connected with VPN, so if a China site domain controller was dead, should I do any role transfer for their client login? Also, does Windows 2003 AD consist of any named primary role? So how can I determine which server is primary? Thanks all for advice.
Question by:roland_lei
Accepted Solution

by:
brent_caskey earned 500 total points
ID: 22847980
You are starting with a good design to begin with, which includes more than one domain controller in each site. For the instructions that I am giving, I am assuming that these 4 domain controllers are all in the same domain (no child domains).

The first thing that you need to do is back up the servers regularly. I actually prefer NTBackup for domain controllers because the restore process is easier. You should get a full system backup each time you back up, including system state and any drives you have on the system.

Once you have the backups, DR is pretty easy. If you haven't done so already, you should have all of your domain controllers as Global Catalog servers (note - assuming only 1 domain). This will allow your clients to log in in the event of a single domain controller failure in either site. You should have your domain set up in 2 sites - one HK and one China. This will ensure that the clients are logging into a domain controller that is local to the user.

If you have backups, there should be no reason to transfer FSMO roles to other servers. All you need to do is restore the failed server as soon as possible. The domain can function without any of the FSMO roles online. However, if you are not able to restore the domain controller for an extended amount of time, you should seize the FSMO roles. However, you will want to avoid seizing the roles if possible because you will have to format and reinstall the failed domain controller from scratch before you will be able to add it back into the domain. You would also have to perform a metadata cleanup to get the domain controller's information out of the domain prior to adding the freshly installed DC.

In the event of a failure of a domain controller, you would need to reload the OS (preferably to the same SP level it was prior to the failure) and then restore using ntbackup.

By using NTBackup, you will also be able to easily restore the domain data in the event of either an NTDS.DIT (AD Database) file corruption or accidental deletion of AD objects through Directory Services Restore Mode. In the event of accidental deletion of objects, you will need to perform an authoritative restore.

The Active Directory Operations Guide has some good guidelines for backing up and restoring AD: http://technet.microsoft.com/en-us/library/cc781707.aspx (see Administering Active Directory Backup and Restore)

Here are some articles for more specifics:
General windows DR tips: http://www.petri.co.il/disaster_recovery.htm
How to perform a disaster recovery restoration of Active Directory on a computer with a different hardware configuration: http://support.microsoft.com/kb/263532
AD DR Webcast: http://support.microsoft.com/kb/325560
How to view and transfer FSMO roles in Windows Server 2003: http://support.microsoft.com/kb/324801/en-us
Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller: http://support.microsoft.com/kb/255504/en-us
How to remove data in Active Directory after an unsuccessful domain controller demotion (METADATA CLEANUP STEPS): http://support.microsoft.com/kb/216498/en-us
Authoritative Restore: http://support.microsoft.com/kb/241594/en-us

If you have any more questions, please feel free to ask. I am sure that I left out some topics.

There are also entire books written on this subject. One that I have read is the following: http://www.amazon.com/Active-Directory-Disaster-Recovery-Florian/dp/1847193277/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1225435608&sr=8-1
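
An added example, not part of the original answer: a scheduled batch job for each Windows Server 2003 domain controller that records which DCs hold the FSMO roles (the "primary" roles the question asks about) and takes the system state backup the answer recommends. The backup path `D:\DRBackup` and the file names are assumptions; `netdom` and `repadmin` come from the Windows Server 2003 Support Tools.

```bat
@echo off
rem Added example (hypothetical paths): nightly DR job for one domain controller.
rem Run as a scheduled task under an account allowed to back up the server.
setlocal

set BACKUP_DIR=D:\DRBackup
set BKF=%BACKUP_DIR%\%COMPUTERNAME%-systemstate.bkf
set LOG=%BACKUP_DIR%\%COMPUTERNAME%-dr.log

if not exist "%BACKUP_DIR%" mkdir "%BACKUP_DIR%"

echo ==== %DATE% %TIME% %COMPUTERNAME% ==== >> "%LOG%"

rem 1. Record the current holders of the five FSMO roles. If a DC later fails,
rem    this log shows whether it held any role, which decides whether a seizure
rem    has to be considered at all when the restore is delayed.
netdom query fsmo >> "%LOG%" 2>&1

rem 2. Record replication status, so a restore is not started from a DC that
rem    had already stopped replicating before the failure.
repadmin /showrepl >> "%LOG%" 2>&1

rem 3. Keep the previous backup until the new one exists.
if exist "%BKF%" move /y "%BKF%" "%BKF%.old" > nul

rem 4. System state backup (AD database, SYSVOL, registry) with verification.
rem    This covers system state only; back up the data drives as well, for
rem    example from a selection (.bks) file saved in the NTBackup GUI.
ntbackup backup systemstate /J "SystemState %COMPUTERNAME%" /F "%BKF%" /V:yes

rem 5. Check for the backup file itself, not only the exit code.
if not exist "%BKF%" (
    echo BACKUP FAILED: %BKF% was not created >> "%LOG%"
    exit /b 1
)

echo Backup written to %BKF% >> "%LOG%"
endlocal
exit /b 0
```

Copy the `.bkf` and the log off the domain controller after each run, since a backup stored only on the failed server cannot be used to restore it.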