Windows 2003 Active Directory restore

Dear all

I am planning DR plan for my company, which start from domain controller, we have two domain controller in HK, another two in China, i need  to emulate many case , for example , if one of HK domain controller was dead , how can i disaster? all sites are connected with VPN, so if china site domain controller was dead, should i do any transfer role for their client login? and also does windows 2003 AD consist any name primary role? so how can i determine which server is primary?, thanks all for advice
roland_leiAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

brent_caskeyCommented:
You are starting with a good design to begin with, which includes more than one domain controller in each site. For the instructions that I am giving, I am assuming that these 4 domain controllers are all in the same domain (no child domains).

The first thing that you need to do is backup the servers regularly. I actually prefer NTBackup for domain controllers because the restore process is easier. You should get a full system backup each time you backup including system state and any drives you have on the system.

Once you have the backups, DR is pretty easy. If you haven't done so already, you should have all of your domain controllers as Global Catalog servers (note - assuming only 1 domain). This will allow your clients to login in the event of a single domain controller failure in either site. You should have your domain setup in 2 sites - one HK and one China. This will ensure that the clients are logging into a domain controller that is local to the user.

If you have backups, there should be no reason to transfer FSMO roles to other servers. All you need to do is restore the failed server as soon as possible. The domain can function without any of the FSMO roles online. However, if you are not able to restore the domain controller for an extended amount of time, you should sieze the FSMO roles. However, you will want to avoid seizing the roles if possible because you will have to format and reinstall the failed domain controller from scratch before you will be able to add it back into the domain. You would also have to perform a metadata cleanup to get the domain controllers information out of the domain prior to adding the freshly installed DC.

In the event of a failure of a domain controller, you would need to reload the OS (preferably to the same SP level is was prior to the failure) and then restore using ntbackup.

By using NTBackup, you will also be able to easily restore the domain data in the event of either a NTDS.DIT (AD Database) file corruption or accidental deletion of AD objects through Directory Services Restore Mode. In the event of accidental deletion of objects, you will need to perform and authoritative restore.

The Active Directory Operations Guide has some good guidelines for backing up and restoring AD: http://technet.microsoft.com/en-us/library/cc781707.aspx (see Administering Active Directory Backup and Restore)

Here are some articles for more specifics:
General windows DR tips: http://www.petri.co.il/disaster_recovery.htm
How to perform a disaster recovery restoration of Active Directory on a computer with a different hardware configuration  http://support.microsoft.com/kb/263532
AD DR Webcast: http://support.microsoft.com/kb/325560
How to view and transfer FSMO roles in Windows Server 2003 http://support.microsoft.com/kb/324801/en-us
Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
http://support.microsoft.com/kb/255504/en-us
How to remove data in Active Directory after an unsuccessful domain controller demotion (METADATA CLEANUP STEPS): http://support.microsoft.com/kb/216498/en-us
Authoritative Restore: http://support.microsoft.com/kb/241594/en-us

If you have any more questions, please feel free to ask. I am sure that I left out some topics.

There are also entire books written on this subject. One that I have read is the following: http://www.amazon.com/Active-Directory-Disaster-Recovery-Florian/dp/1847193277/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1225435608&sr=8-1
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.