Solved

Windows 2003 Active Directory restore

Posted on 2008-10-30
1
1,352 Views
Last Modified: 2012-05-05
Dear all

I am planning DR plan for my company, which start from domain controller, we have two domain controller in HK, another two in China, i need  to emulate many case , for example , if one of HK domain controller was dead , how can i disaster? all sites are connected with VPN, so if china site domain controller was dead, should i do any transfer role for their client login? and also does windows 2003 AD consist any name primary role? so how can i determine which server is primary?, thanks all for advice
0
Comment
Question by:roland_lei
1 Comment
 
LVL 13

Accepted Solution

by:
brent_caskey earned 500 total points
ID: 22847980
You are starting with a good design to begin with, which includes more than one domain controller in each site. For the instructions that I am giving, I am assuming that these 4 domain controllers are all in the same domain (no child domains).

The first thing that you need to do is backup the servers regularly. I actually prefer NTBackup for domain controllers because the restore process is easier. You should get a full system backup each time you backup including system state and any drives you have on the system.

Once you have the backups, DR is pretty easy. If you haven't done so already, you should have all of your domain controllers as Global Catalog servers (note - assuming only 1 domain). This will allow your clients to login in the event of a single domain controller failure in either site. You should have your domain setup in 2 sites - one HK and one China. This will ensure that the clients are logging into a domain controller that is local to the user.

If you have backups, there should be no reason to transfer FSMO roles to other servers. All you need to do is restore the failed server as soon as possible. The domain can function without any of the FSMO roles online. However, if you are not able to restore the domain controller for an extended amount of time, you should sieze the FSMO roles. However, you will want to avoid seizing the roles if possible because you will have to format and reinstall the failed domain controller from scratch before you will be able to add it back into the domain. You would also have to perform a metadata cleanup to get the domain controllers information out of the domain prior to adding the freshly installed DC.

In the event of a failure of a domain controller, you would need to reload the OS (preferably to the same SP level is was prior to the failure) and then restore using ntbackup.

By using NTBackup, you will also be able to easily restore the domain data in the event of either a NTDS.DIT (AD Database) file corruption or accidental deletion of AD objects through Directory Services Restore Mode. In the event of accidental deletion of objects, you will need to perform and authoritative restore.

The Active Directory Operations Guide has some good guidelines for backing up and restoring AD: http://technet.microsoft.com/en-us/library/cc781707.aspx (see Administering Active Directory Backup and Restore)

Here are some articles for more specifics:
General windows DR tips: http://www.petri.co.il/disaster_recovery.htm
How to perform a disaster recovery restoration of Active Directory on a computer with a different hardware configuration  http://support.microsoft.com/kb/263532
AD DR Webcast: http://support.microsoft.com/kb/325560
How to view and transfer FSMO roles in Windows Server 2003 http://support.microsoft.com/kb/324801/en-us
Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
http://support.microsoft.com/kb/255504/en-us
How to remove data in Active Directory after an unsuccessful domain controller demotion (METADATA CLEANUP STEPS): http://support.microsoft.com/kb/216498/en-us
Authoritative Restore: http://support.microsoft.com/kb/241594/en-us

If you have any more questions, please feel free to ask. I am sure that I left out some topics.

There are also entire books written on this subject. One that I have read is the following: http://www.amazon.com/Active-Directory-Disaster-Recovery-Florian/dp/1847193277/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1225435608&sr=8-1
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question