  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2141

Will Backup Exec System Restore successfully restore a Domain Controller?

Hi,

I recently had an issue where it was looking like I needed to restore a 2008 domain controller - thankfully I got the issue resolved. But at least the issue brought to my attention the issues around restoring a DC.

Basically I have 2 DCs, one of which has all 5 FSMOs, and I was presuming, based on some prior advice, that a full drive image with Symantec System Restore 8.0 would be sufficient to restore a DC that has all 5 FSMOs, as it would have a system state never any older than 24 hrs, and that when it was brought online again it would sync with the 2nd DC and all roles would still be active.

But then I was seeing threads, and also got different advice again from Symantec tech support, where the advice was that you have to apply system state to the DC after the restore, which I don't understand why!? Should I be backing up the DCs' system state every X hrs as well as a drive image?

Does the drive image not apply the system state correctly?
Does the drive image allow the DC to take over FSMO roles again?
0
Asked by: meteorelec
3 Solutions
 
Hedley Phillips Commented:
Backing up the System State backs up Active Directory.

The process of restoring a DC is tricky because AD on that machine will be out of sync with the rest of the machines but there is a simple step by step process to fix.

Let me dig the info out for you.
0
 
Hedley Phillips Commented:
Ok,

the process is as laid out in this question/answer:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_22141834.html

A complete restore was done and then AD had to be sync'd with the other server to bring it in line and up to date.

Also, read this KB:

How to detect and recover from a USN rollback in Windows Server 2003
http://support.microsoft.com/kb/875495

0
 
meteorelec (Author) Commented:
Hi Mr-Madcowz, I'm on Server 2008 - is the process the same?

Yesterday DC_A was offline for 6 hours, but once the issue was fixed it worked 100% again and synced with DC-B. How long does it have to be off before I could get issues?

Say for example dc_a powered down on a Friday eve and I did not notice until Monday morning, would I have sync issues? Would it simply not resync when brought online again with dc_B?

Basically I need to know: is there a set time that DCs can't be offline?

Hence if I took a drive image every night and then did a system state backup every hour of my 2 DCs, would I avoid issues like those mentioned in the links you gave?
0
 
Hedley Phillips Commented:
MS say that you should not restore a DC from an image but have to apply the System State after the restore.

The process of restoring from a backup is as follows:

1. Forcibly demote the improperly-restored domain controller using dcpromo /forceremoval
2. Perform a metadata cleanup from another DC: http://support.microsoft.com/kb/216498
3. Seize all 5 FSMO roles to a remaining DC: http://www.petri.co.il/seizing_fsmo_roles.htm
4. Re-introduce the DC in #1 into AD by running dcpromo and selecting "additional DC in an existing domain", and allow AD replication to re-populate the AD database on the DC.

This would avoid any of the above USN issues.

As to what the time period is when replication issues would occur, I don't know.

There is a maximum period that a DC can be off and I think this is twice the tombstone period which in Server 2003 Service Pack 1 is 180 days.

See:

The Active Directory database garbage collection process
http://support.microsoft.com/kb/198793/en-us

0
 
meteorelec (Author) Commented:
Sorry for going into this further, Mr-Madcowz, but I just want it clear in my mind!

When you state

1  Forcibly demote the improperly-restored domain controller using dcpromo /forceremoval

can there be a case of a properly restored DC that regains all FSMO roles?
0
 
Hedley Phillips Commented:
Yes, you can regain the FSMO roles once back up and running.

If the machine is up and running you can transfer the roles back and forth. If a machine is offline, you would seize the roles from the other DC.

See:

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
http://support.microsoft.com/kb/255504

0
 
meteorelec (Author) Commented:
But I mean, will the backup ever be successful in restoring immediately without any extra work?

0
 
Hedley Phillips Commented:
Firstly, if your DC that died was the one that held the FSMO roles, these should have been seized manually onto one of your remaining DCs, so they will need transferring back after the restore.

There are also a fair few tests that you should perform.

I think it is best if you have a read through these notes:


Active Directory Backup and Restore
http://technet.microsoft.com/en-us/library/bb727048.aspx

Procedures for Restoring a Domain Controller Through Reinstallation and Subsequent Restore from Backup
http://technet.microsoft.com/en-us/library/bb727048.aspx#ECAA

and:

Verify Active Directory Restore
http://technet.microsoft.com/en-us/library/bb727062.aspx#ETAA
0
 
meteorelec (Author) Commented:
What I am failing to understand is:

A) dc_a, which has all FSMO roles, was offline for 6 hrs. I didn't move the FSMO roles to any other DC. I switched dc_a back on after repair and it's functioning perfectly as far as I can see.

B) Hence if I did apply a complete drive image from 10 hrs previous to dc_a, why would I need to move the roles? Instead of being 6 hrs old it's simply 10. Why does that not work?
0
 
Hedley Phillips Commented:
Good question for which I will have to do more research.
0
 
bhanukir7 Commented:
Hi,

Going offline is a scenario where you have the correct, or at least the updates merged into the NTDS DB correctly.

If this is a proper shutdown then the NTDS would be in a consistent state.

Whereas when you take an image backup, this is more of a snapshot which tries to pick up the data as it is.

There might be a few transactions that were in the process of getting updated but did not finish before the imaging was completed.

Image backups are good for recovering the server immediately and the data, but when we talk about applications like Exchange, SQL or even AD, which all use some kind of database, the image level is not something which is a consistent backup.

So that's the reason why you would need to take a system state backup and restore from the system state backup.

I hope you have already gone through the articles about restoring and recovering a DC.

When you have a single DC you can do an authoritative restore, which would overwrite all the AD-specific attributes with the backup.

You can also perform an authoritative restore if you know that the AD information is corrupted and you want to restore from the last known good config for the AD, i.e. your earlier system state backup.

As you have another DC to which the AD info is getting replicated, the default interval of replication is 180 mts.

For every replication the USN number changes, and a track of the USNs is maintained on both the servers.

So when you bring online your DC which was shut down, it automatically contacts the other DC and updates itself with the changes made while it was offline.

It is not the same when you restore the DC from an image backup, as the USN numbers might have a mismatch.

So restoring from the system state would bring the AD info to a stable state, and then the replication happens.

If you do an authoritative restore then the data on the server that you have recovered will be considered as the authentic information and the other DC will copy the data from the recovered DC.

Bhanu



0
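The question raised above (why a DC that was powered off for 6 hours resyncs cleanly while one rolled back to a 10-hour-old drive image does not), as an added toy model in Python; it is not code from the thread or from Microsoft. The class, function and user names are hypothetical, and the model assumes the mechanism behind the USN rollback KB linked earlier: a supported system state restore gives the database a new invocation ID, an image restore keeps the old one.

```python
import copy
import uuid

class DC:
    """Toy domain controller: stamps each change with (invocation ID, USN)."""
    def __init__(self, name):
        self.name = name
        self.invocation_id = uuid.uuid4().hex   # identity of this database instance
        self.usn = 0                            # local update sequence number
        self.changes = []                       # (invocation_id, usn, object)
        self.watermark = {}                     # per source: highest USN already pulled
        self.directory = set()

    def write(self, obj):
        self.usn += 1
        self.changes.append((self.invocation_id, self.usn, obj))
        self.directory.add(obj)

    def pull_from(self, src):
        # Inbound replication: take only changes above the stored watermark.
        for inv, usn, obj in src.changes:
            if usn > self.watermark.get(inv, 0):
                self.directory.add(obj)
                self.watermark[inv] = usn

def powered_off(live, backup):
    return live                                 # same database, USN untouched

def image_restore(live, backup):
    return copy.deepcopy(backup)                # old USN, same invocation ID

def system_state_restore(live, backup):
    dc = copy.deepcopy(backup)
    dc.invocation_id = uuid.uuid4().hex         # restore is announced as a new instance
    return dc

def missing_on_partner(recover):
    a, b = DC("dc_a"), DC("dc_b")
    a.write("user1"); a.write("user2")
    backup = copy.deepcopy(a)                   # backup taken at USN 2
    a.write("user3"); a.write("user4")
    b.pull_from(a)                              # dc_b has seen dc_a up to USN 4
    a = recover(a, backup)                      # outage, then recovery
    a.write("user5"); a.write("user6")          # changes made after recovery
    b.pull_from(a)
    return sorted(a.directory - b.directory)    # what dc_b never receives

if __name__ == "__main__":
    for how in (powered_off, image_restore, system_state_restore):
        print(how.__name__, missing_on_partner(how))
```

In the image-restore case dc_a reissues USNs 3 and 4 under the same invocation ID, so dc_b believes it already has them and the two directories silently diverge.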
 
meteorelec (Author) Commented:
OK, starting to understand. I went through the articles but I couldn't get my head round why an image backup of less than 24 hrs was not adequate for restoration.

Couple of questions:

1) In the event of drive failure the system state may be 3 days out of date (if the DC goes down on a Fri eve), so if I apply the system state, the recovered servers will sync OK without moving roles etc. - if there is no AD corruption?

2) So really, is a license of Symantec System Restore being wasted on the DCs, as I can't rely on them to recover AD successfully?

3) I have Backup Exec 12D - would I be best using the Active Directory system state backup tool here?

4) How often is best practice when taking system state backups? Is once a day per DC enough?

Thanks for patience here guys
0
 
meteorelec (Author) Commented:
Or do I apply a drive image first and then apply system state on top of the drive image?
0
 
bhanukir7 Commented:
Yes, apply the drive image first, which will bring the server online; during this, ensure that you are not connected to the live network. Then, to apply the system state, boot into Directory Services Restore Mode, and after the restore is done it will reboot. So instead of rebooting, shut the system down, plug it into the network and bring it online; this server will then automatically replicate from the other DC.
0
 
meteorelec (Author) Commented:
Excellent!

Thanks for that, bhanukir7 & Mr-Madcowz
0
 
meteorelec (Author) Commented:
Sorry, one last thing:

I did a system state recovery of dc_a and its size is basically the same as a drive image! Is that correct?
0
 
meteorelec (Author) Commented:
Sorry, I meant system state backup
0
 
bhanukir7 Commented:
Hi,

The system state backup of a DC includes the AD information, boot and system protected files, COM+ class registration database, registry and the SysVol.

Any kind of system state backup will always be a full backup, which generally would be around 500 to 1 GB.

Not sure how come your drive image backup is of the same size; this might be if it has been compressed by the software.

bhanu
0
 
meteorelec (Author) Commented:
Cheers bhanukir7, your help was really appreciated
0
 
bhanukir7 Commented:
Read this article, which talks about backing up system state and system disk:

http://technet.microsoft.com/en-us/library/cc737006.aspx

This article talks about only system state backup:

http://technet.microsoft.com/en-us/library/cc787254.aspx

bhanu
0
