Virtualization
Hello,
I recently reviewed the VMware video file , “Best Practices for virtualizing Active directory”, presented by Chris Skinner of VMware at VMworld in February 2009. It is remarkable presentation and extremely informative.
Since this presentation was made, ESXi has changed and the products that work with it are also different.
I have some questions concerning virtualizing Domain Controllers and in particular backups (for recovery and / or Disaster recovery).
I run a small environment for 70 users and there are 7 Physical Servers (Windows 2003 Server is the O/S):
2 x domain controllers
1 file server
1 Firewall server (ISA 2006)
1 Front End Exchange Server (Exchange 2003)
1 Backend Exchange server (Exchange 2003)
1 application servers (Blackberry Enterprise Server, which has SQL installed)
I would like to virtualize all servers (I have done so in a test environment) using ESXi 4.1 along with the license for vSphere Essentials Plus (which is perfect for our environment), using two ESxi servers connected to a SAN and employing HA. My goal would be to virtualize all servers. do not want to keep (if it is recommended) any of the current servers. I would implement 2 ESXi servers connected to a SAN.
In my test Virtual environment, for the ESXi server , in terms of backup, I would like to use Symantec Backup Exec 2010, with all the necessary agents – SQL, Exchange, Active directory, and the VMware agent (which interfaces with the VCB for backup) as I am using this software to currently backup my physical machines (and it seems to work well).
Regarding the ESXi server and VM Server image backups, I spoke with my technical contact at Symantec concerning the VMware agent. He explained that this agent will allow full backups of each server image as well as differential backups as long as the appropriate agents are installed (which I have installed). It can also perform granular restore (i.e. restore individual files). I would schedule a full backup once per week and a differential backup for the remaining 6 days.
In the presentation, Mr. Skinner explains Disaster Recovery best practices for Domain controllers and identiifes several issues to be aware of. If I understand correctly, it is mentioned not to recover from a backup copy of an old virtual disk.
In my environment, if I need to restore a DC, and if I do not have to go to offsite storage, then I would (in theory) be able to restore to an image that is no more than 24 hours old. So I have the following questions:
1. Is it necessary to perform system state backups if I have a complete virtual image of the DC backed up?
2. Would there be issues of update sequence number and issues when referencing USN (or USN out of sync)?
3. For non-authoritative Restore of a DC, would it not be sufficient to use the DC image that is 24 hours old? Would it still replicate with the other DC (I have two DC’s, and only had to restore 1) ? Would it be better just to build a server from scratch , and then DCPromo it since I have one good DC?
4. If I had to perform an Authoritative restore of the DC, could I not restore the VM of the DC, boot into Directory Services Restore Mode, run ntdsutil and follow the steps for an authoritative restore? Would it coomunicate properly with the second DC?
I just completed the initial training for vSphere 4.1, install, configure, and manage. I found it to be excellent.
Any information or recommendations that you could provide would be appreciated.
Best Regards,
Mark
I recently reviewed the VMware video file , “Best Practices for virtualizing Active directory”, presented by Chris Skinner of VMware at VMworld in February 2009. It is remarkable presentation and extremely informative.
Since this presentation was made, ESXi has changed and the products that work with it are also different.
I have some questions concerning virtualizing Domain Controllers and in particular backups (for recovery and / or Disaster recovery).
I run a small environment for 70 users and there are 7 Physical Servers (Windows 2003 Server is the O/S):
2 x domain controllers
1 file server
1 Firewall server (ISA 2006)
1 Front End Exchange Server (Exchange 2003)
1 Backend Exchange server (Exchange 2003)
1 application servers (Blackberry Enterprise Server, which has SQL installed)
I would like to virtualize all servers (I have done so in a test environment) using ESXi 4.1 along with the license for vSphere Essentials Plus (which is perfect for our environment), using two ESxi servers connected to a SAN and employing HA. My goal would be to virtualize all servers. do not want to keep (if it is recommended) any of the current servers. I would implement 2 ESXi servers connected to a SAN.
In my test Virtual environment, for the ESXi server , in terms of backup, I would like to use Symantec Backup Exec 2010, with all the necessary agents – SQL, Exchange, Active directory, and the VMware agent (which interfaces with the VCB for backup) as I am using this software to currently backup my physical machines (and it seems to work well).
Regarding the ESXi server and VM Server image backups, I spoke with my technical contact at Symantec concerning the VMware agent. He explained that this agent will allow full backups of each server image as well as differential backups as long as the appropriate agents are installed (which I have installed). It can also perform granular restore (i.e. restore individual files). I would schedule a full backup once per week and a differential backup for the remaining 6 days.
In the presentation, Mr. Skinner explains Disaster Recovery best practices for Domain controllers and identiifes several issues to be aware of. If I understand correctly, it is mentioned not to recover from a backup copy of an old virtual disk.
In my environment, if I need to restore a DC, and if I do not have to go to offsite storage, then I would (in theory) be able to restore to an image that is no more than 24 hours old. So I have the following questions:
1. Is it necessary to perform system state backups if I have a complete virtual image of the DC backed up?
2. Would there be issues of update sequence number and issues when referencing USN (or USN out of sync)?
3. For non-authoritative Restore of a DC, would it not be sufficient to use the DC image that is 24 hours old? Would it still replicate with the other DC (I have two DC’s, and only had to restore 1) ? Would it be better just to build a server from scratch , and then DCPromo it since I have one good DC?
4. If I had to perform an Authoritative restore of the DC, could I not restore the VM of the DC, boot into Directory Services Restore Mode, run ntdsutil and follow the steps for an authoritative restore? Would it coomunicate properly with the second DC?
I just completed the initial training for vSphere 4.1, install, configure, and manage. I found it to be excellent.
Any information or recommendations that you could provide would be appreciated.
Best Regards,
Mark
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you for the information. The comments and advice are excellent.
Best,
Mark
Best,
Mark
Well last moth I needed to restore 2 DCs from a costumer. Using Veeam Backup and Replication.
The backup was 3 days old, and I restore both DCs with no issues. This was the only two DCs in the AD.
The only problem with this restore with 3 days old, was that if some workstations have added to the domain, needed to be removed, and added again. Or any user that may change the password between that 3 days of the backup.
Besides this I have seen no issues with the restore.
Jail