• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1367
  • Last Modified:

Windows 2003 Active Directory restore

Dear all

I am planning DR plan for my company, which start from domain controller, we have two domain controller in HK, another two in China, i need  to emulate many case , for example , if one of HK domain controller was dead , how can i disaster? all sites are connected with VPN, so if china site domain controller was dead, should i do any transfer role for their client login? and also does windows 2003 AD consist any name primary role? so how can i determine which server is primary?, thanks all for advice
1 Solution
You are starting with a good design to begin with, which includes more than one domain controller in each site. For the instructions that I am giving, I am assuming that these 4 domain controllers are all in the same domain (no child domains).

The first thing that you need to do is backup the servers regularly. I actually prefer NTBackup for domain controllers because the restore process is easier. You should get a full system backup each time you backup including system state and any drives you have on the system.

Once you have the backups, DR is pretty easy. If you haven't done so already, you should have all of your domain controllers as Global Catalog servers (note - assuming only 1 domain). This will allow your clients to login in the event of a single domain controller failure in either site. You should have your domain setup in 2 sites - one HK and one China. This will ensure that the clients are logging into a domain controller that is local to the user.

If you have backups, there should be no reason to transfer FSMO roles to other servers. All you need to do is restore the failed server as soon as possible. The domain can function without any of the FSMO roles online. However, if you are not able to restore the domain controller for an extended amount of time, you should sieze the FSMO roles. However, you will want to avoid seizing the roles if possible because you will have to format and reinstall the failed domain controller from scratch before you will be able to add it back into the domain. You would also have to perform a metadata cleanup to get the domain controllers information out of the domain prior to adding the freshly installed DC.

In the event of a failure of a domain controller, you would need to reload the OS (preferably to the same SP level is was prior to the failure) and then restore using ntbackup.

By using NTBackup, you will also be able to easily restore the domain data in the event of either a NTDS.DIT (AD Database) file corruption or accidental deletion of AD objects through Directory Services Restore Mode. In the event of accidental deletion of objects, you will need to perform and authoritative restore.

The Active Directory Operations Guide has some good guidelines for backing up and restoring AD: http://technet.microsoft.com/en-us/library/cc781707.aspx (see Administering Active Directory Backup and Restore)

Here are some articles for more specifics:
General windows DR tips: http://www.petri.co.il/disaster_recovery.htm
How to perform a disaster recovery restoration of Active Directory on a computer with a different hardware configuration  http://support.microsoft.com/kb/263532
AD DR Webcast: http://support.microsoft.com/kb/325560
How to view and transfer FSMO roles in Windows Server 2003 http://support.microsoft.com/kb/324801/en-us
Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
How to remove data in Active Directory after an unsuccessful domain controller demotion (METADATA CLEANUP STEPS): http://support.microsoft.com/kb/216498/en-us
Authoritative Restore: http://support.microsoft.com/kb/241594/en-us

If you have any more questions, please feel free to ask. I am sure that I left out some topics.

There are also entire books written on this subject. One that I have read is the following: http://www.amazon.com/Active-Directory-Disaster-Recovery-Florian/dp/1847193277/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1225435608&sr=8-1

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now