
Backup / Restore - best practices for a single domain controller?

Posted on 2011-09-26
Last Modified: 2012-05-12
I would like to deepen my knowledge in backup and recovery strategies. Therefore I did some research and read some articles about backing up and recovering domain controllers, but there are some things I don't fully understand, because most articles assume that there are at least two domain controllers.

Why does everyone recommend at least two domain controllers? What exactly are the risks of only having one domain controller in a small company, where the time for the restore process is not important compared to the costs of a second server? Will there be real additional risks for the data stored in the Active Directory or is the recommendation only based on the risk of a longer downtime?

Will the problems mentioned by Microsoft (http://technet.microsoft.com/en-us/library/cc535164.aspx), regarding “Restoration of a relative identifier (RID) master can result in corruption of the Active Directory database.” and “Restoration of the schema master (SID) can result in orphaned objects.”, affect a single domain controller, or is this only a problem with more than one domain controller? What exactly will cause those problems?

If I want to restore a single domain controller, is there anything to do besides restoring a backup I did with backup software with an online-image-feature? As far as I understand an unauthoritative system state restore won’t provide any additional data and is only useful if the server is still in a working condition and something was damaged or deleted in the active directory. And an authoritative system state restore is not needed for a single domain controller (and should never be needed if you use recommended restore procedures).

Is there anything additional to consider regarding the backup and recovery of a domain controller, if Exchange 2010 is installed on the same server? I know about the Exchange database and logfiles, but will it affect the strategy for backup and recovery of the DC/AD part?
Question by: exexc
8 Comments
 

Accepted Solution

by: Krzysztof Pytko (earned 350 total points)
ID: 36598636
Redundant services are required in a network where high availability is necessary. In a company where you have only one DC and resource access is not crucial, you can have one DC and restore it each time it crashes.

BUT...

- during this restoration time no one can log on to the domain and use resources/mail
- what if the server (hardware) crashes and cannot be repaired? You cannot simply restore a System State Backup to a different type of hardware
- you get a lot of calls that something is not working: "we cannot work!"

Having a redundant DC with DNS services prevents this situation; your network functionality is only half affected and people can still work while you are restoring the broken DC.

When your only DC is broken, the Exchange server won't work either! It requires at least one Global Catalog DC to work properly. And running Exchange on a DC is highly not recommended.

So, doing regular System State Backups of DCs is good practice. If you have no SSB of the DC and it fails, that's your bad luck :/

In Exchange the most important parts of the backup are the System State Backup and the mailbox storage with retention logs.

And remember, Microsoft suggests this solution for medium to large companies. They need redundant solutions and high availability in their networks. They can have many locations (Sites), and more than one DC is required to improve network authentication.

Regards,
Krzysztof
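The two practical points in the answer above are "take regular System State Backups" and "check whether you actually have a second DC and a second Global Catalog before Exchange depends on it". The following PowerShell script is an added example that is not part of the original thread or of any Microsoft documentation: it takes a System State Backup with wbadmin and then reports the domain's redundancy. It assumes the Windows Server Backup feature and the ActiveDirectory module (RSAT-AD-PowerShell) are installed on the DC, that the script runs elevated as a Domain Admin / Backup Operator, and that E: is a dedicated backup volume (change $BackupTarget for your environment).

```powershell
# Added example, not from the original thread. Assumptions (labelled):
#  - wbadmin.exe is present (Windows Server Backup feature installed)
#  - ActiveDirectory PowerShell module is available on this DC
#  - $BackupTarget is a dedicated, non-system volume (here E:, an assumption)
#  - running elevated with backup rights on the domain controller

$BackupTarget = 'E:'

function Invoke-DcSystemStateBackup {
    param([Parameter(Mandatory)][string]$Target)

    # A System State Backup drives the NTDS VSS writer, so ntds.dit, the
    # transaction logs, SYSVOL, the registry and boot files are captured in a
    # consistent set. A plain file copy of C:\Windows\NTDS does not do that.
    & wbadmin.exe start systemstatebackup -backupTarget:$Target -quiet
    if ($LASTEXITCODE -ne 0) {
        throw "System State Backup to $Target failed, wbadmin exit code $LASTEXITCODE"
    }
    return $true
}

function Get-DomainRedundancyReport {
    Import-Module ActiveDirectory -ErrorAction Stop

    $dcs = @(Get-ADDomainController -Filter *)
    $gcs = @($dcs | Where-Object { $_.IsGlobalCatalog })

    # With a single DC every FSMO role sits on the same box, so one hardware
    # failure takes RID allocation, the schema master and the PDC emulator
    # offline at the same time as authentication and DNS.
    $fsmo = $dcs | ForEach-Object {
        '{0}: {1}' -f $_.HostName, ($_.OperationMasterRoles -join ', ')
    }

    [pscustomobject]@{
        DomainControllers     = $dcs.Count
        GlobalCatalogs        = $gcs.Count
        FsmoHolders           = ($fsmo -join '; ')
        SinglePointOfFailure  = ($dcs.Count -lt 2)
        # Exchange needs a reachable GC; two GCs means losing one DC does
        # not also take mail down (the point made in the answer above).
        GcSurvivesOneDcLoss   = ($gcs.Count -ge 2)
    }
}

Invoke-DcSystemStateBackup -Target $BackupTarget | Out-Null

$report = Get-DomainRedundancyReport
$report | Format-List

if ($report.SinglePointOfFailure) {
    Write-Warning 'Only one DC in the domain: while it is being restored nobody can log on, and Exchange has no Global Catalog to talk to.'
}
if (-not $report.GcSurvivesOneDcLoss) {
    Write-Warning 'Fewer than two Global Catalog servers: losing one DC will stop Exchange even if another DC exists.'
}
```

Run it from a scheduled task on the DC; wbadmin keeps a version history on the target volume, so `wbadmin get versions -backupTarget:E:` afterwards shows the backups that would be offered by a bare-metal or system state recovery.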
 

Author Comment

by:exexc
ID: 36709077
> what if server (hardware) will crash and cannot be repaired? You cannot simply restore System State Backup to different type of hardware
As far as I know, I would have to restore a full image backup in case of a serious hardware defect. With a single domain controller this should be sufficient and there would be no need for an additional system state restore. Am I wrong?

> during this restoration time no one can log on into domain and use resources/mail
With a single server they won't be able to use mail/files/resources anyway.

I was hoping to find some good reasons to convince customers to get a second domain controller, even if they don't care about some additional downtime in case of a hardware problem. The best reason I found so far is that it would be problematic if the same hardware isn't available anymore, but I'm not really sure how likely it is, that the image backup won't restore on a slightly changed hardware configuration.

Expert Comment

by:Krzysztof Pytko
ID: 36709487
Yes, you're wrong :) The only possible way of restoring the AD database is to use a System State Backup (and there are also other hardware-related options which may cause a BSOD on a different server).

If the client doesn't care about high-availability resources, don't bother them to implement redundant devices. Just wait for the first serious crash, then they will see how much time is needed to bring the environment back to work :)

Krzysztof

Assisted Solution

by: H-Singh (earned 150 total points)
ID: 36709690
If you have only one DC, or I would say one hardware server with DC/Exchange all on one, then rather than discussing the pros and cons of two DCs etc., just use a good backup setup.

Use Active Directory-aware backup software like Symantec or Acronis. Make sure the backup archives are safe and that you have options like restore to different hardware.

I have exactly the same setup for one of my offices, where there is only one hardware server serving as DC/Exchange/SQL/file data etc. It's a quite good Dell server with Symantec backup.

Yes, I have had to restore to different hardware in the past and all worked well. Now, downtime depends on the size of the data on the server and the backup media being used.

Good hardware, good backup software and good backup media: I don't see any issues if the company doesn't mind waiting 4-5 hours to restore the system if the need arises once in several years. But if cheap hardware is used, or proper backup software or media is not used, you will end up losing everything.
 

Author Comment

by:exexc
ID: 36709970
> Yes, you're wrong :) The only possible way of restoring AD database is to use System State Backup
I thought that the system state is only a subset of a full backup? What additional or more current information is stored in the system state backup that is not included in an image of the system volume(s)?

I understand why the system state restore is important if there are other domain controllers for the same domain, or if you want to recover deleted items without using a full backup, but I don't see a reason to use it after restoring a single domain controller from a full image backup. Aren't commercial backup products able to back up every important file while the server is online?

Can you explain this in more detail?

Expert Comment

by:Krzysztof Pytko
ID: 36710063
Check what is backed up during System State backup
http://technet.microsoft.com/en-us/library/bb727048.aspx#ERAA

And yes, that's my fault, I misunderstood the Full Image Backup you mentioned at the beginning :)
Yes, of course it's enough to restore the server using that image.

Sorry once again

Krzysztof
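The exchange above turns on what a System State Backup contains and whether Active Directory itself knows it was backed up. An image product that runs online only gives you a supported restore of the directory if it went through VSS and the NTDS writer, and the directory records exactly that. The script below is an added example, not part of the original thread: it asks the DC when the NTDS writer last recorded a backup for each naming context (repadmin /showbackup), reads the forest's tombstone lifetime, and checks the Directory Service log for event 2089, which the DC writes when a partition has not been backed up recently. It assumes it runs on a DC with repadmin.exe and the ActiveDirectory module present; the date format parsed from repadmin output is assumed to be yyyy-MM-dd HH:mm:ss, as printed on an English-locale server.

```powershell
# Added example, not from the original thread. Assumptions (labelled):
#  - runs on the domain controller, elevated
#  - repadmin.exe and the ActiveDirectory module are installed
#  - repadmin /showbackup prints timestamps as yyyy-MM-dd HH:mm:ss (en-US)

Import-Module ActiveDirectory -ErrorAction Stop

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime lives on the Directory Service object in the
    # configuration partition. When the attribute is unset the forest uses
    # the legacy default of 60 days.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                       -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { return [int]$ds.tombstoneLifetime }
    return 60
}

function Get-AdLastBackupTimes {
    # repadmin /showbackup lists, per naming context, the dSASignature time
    # that the NTDS VSS writer stamped at the end of the last AD-aware backup.
    # A disk image that bypassed VSS leaves these timestamps untouched.
    $out = & repadmin.exe /showbackup 2>&1
    if ($LASTEXITCODE -ne 0) { throw "repadmin /showbackup failed: $out" }

    $pattern = '(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})'
    $times = foreach ($line in $out) {
        if ($line -match $pattern) {
            [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd HH:mm:ss', $null)
        }
    }
    return @($times)
}

function Test-AdBackupUsable {
    param([int]$TombstoneLifetimeDays, [datetime[]]$BackupTimes)

    if (-not $BackupTimes -or $BackupTimes.Count -eq 0) {
        return [pscustomobject]@{ Usable = $false; Reason = 'AD has never recorded an AD-aware backup' }
    }
    # The oldest partition timestamp is the one that matters: a restore is
    # only supported while the backup is younger than the tombstone lifetime.
    $oldest = ($BackupTimes | Sort-Object)[0]
    $age    = (Get-Date) - $oldest
    [pscustomobject]@{
        Usable           = ($age.TotalDays -lt $TombstoneLifetimeDays)
        OldestBackup     = $oldest
        AgeDays          = [math]::Round($age.TotalDays, 1)
        TombstoneLifetime = $TombstoneLifetimeDays
        Reason           = if ($age.TotalDays -lt $TombstoneLifetimeDays) { 'within tombstone lifetime' } else { 'older than tombstone lifetime' }
    }
}

$tsl    = Get-TombstoneLifetimeDays
$times  = Get-AdLastBackupTimes
$result = Test-AdBackupUsable -TombstoneLifetimeDays $tsl -BackupTimes $times
$result | Format-List

# Event 2089 in the Directory Service log is the DC's own complaint that a
# partition has gone too long without an AD-aware backup.
$warn = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2089;
                                          StartTime = (Get-Date).AddDays(-1) } `
                     -ErrorAction SilentlyContinue
if ($warn) {
    Write-Warning ('DC logged event 2089 {0} time(s) in the last 24h: it does not consider itself backed up.' -f @($warn).Count)
}
```

If the image product you rely on leaves the repadmin timestamps stale and 2089 keeps appearing, it is copying files around the directory rather than backing up the directory; for a single DC that image may still boot, but it is not the supported path and you have no AD-level evidence of its consistency.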
 

Author Closing Comment

by:exexc
ID: 36716296
Thanks for your answers.

Expert Comment

by:Krzysztof Pytko
ID: 36716337
You're welcome :)

Krzysztof