

Backup / Restore - best practices for a single domain controller?

Posted on 2011-09-26
Medium Priority
Last Modified: 2012-05-12
I would like to deepen my knowledge in backup and recovery strategies. Therefore I did some research and read some articles about backing up and recovering domain controllers, but there are some things I don't fully understand, because most articles assume that there are at least two domain controllers.

Why does everyone recommend at least two domain controllers? What exactly are the risks of only having one domain controller in a small company, where the time for the restore process is not important compared to the costs of a second server? Will there be real additional risks for the data stored in the Active Directory or is the recommendation only based on the risk of a longer downtime?

Will the problems mentioned by Microsoft (http://technet.microsoft.com/en-us/library/cc535164.aspx), regarding “Restoration of a relative identifier (RID) master can result in corruption of the Active Directory database.” and “Restoration of the schema master (SID) can result in orphaned objects.”, affect a single domain controller, or is this only a problem with more than one domain controller? What exactly will cause those problems?

If I want to restore a single domain controller, is there anything to do besides restoring a backup I did with backup software with an online-image-feature? As far as I understand an unauthoritative system state restore won’t provide any additional data and is only useful if the server is still in a working condition and something was damaged or deleted in the active directory. And an authoritative system state restore is not needed for a single domain controller (and should never be needed if you use recommended restore procedures).

Is there anything additional to consider regarding the backup and recovery of a domain controller, if Exchange 2010 is installed on the same server? I know about the Exchange database and logfiles, but will it affect the strategy for backup and recovery of the DC/AD part?
Question by:exexc
LVL 39

Accepted Solution

Krzysztof Pytko earned 1400 total points
ID: 36598636
Redundant services are required in a network where high availability is necessary. In a company where you have only one DC and resource access is not crucial, you can have one DC and restore it each time it crashes.

- during this restoration time no one can log on to the domain and use resources/mail
- what if the server (hardware) crashes and cannot be repaired? You cannot simply restore a System State Backup to a different type of hardware
- you get a lot of calls that something is not working, "we cannot work!"

Having a redundant DC with DNS services prevents this situation; your network functionality is only half affected and people can still work while you are restoring the broken DC.

When your only DC is broken, the Exchange server won't work either! It requires at least one Global Catalog DC to work properly. And it is highly not recommended to run Exchange on a DC.

So, doing regular System State Backups of DCs is good practice. If you have no SSB of the DC and it fails, that's your bad luck :/

In Exchange the most important parts of the backup are the System State Backup and the Mailbox storage with retention logs.

And remember, Microsoft suggests this solution for medium to large companies. They need redundant solutions and high availability in their networks. They can have many locations (Sites) and more than one DC is required to improve network authentication.
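A way to verify the advice above on a single DC, as an added example that is not from this thread or from any vendor documentation: it reports the age of the newest System State backup and compares it with the forest tombstone lifetime, because Active Directory refuses to restore a backup older than that lifetime. It assumes the RSAT ActiveDirectory module and the Windows Server Backup cmdlets are present on the DC; the 7-day staleness threshold is an assumed local policy value.

```powershell
# Added example (not from the original thread). Checks that this DC has a
# System State backup that is recent and still usable for an AD restore.
Import-Module ActiveDirectory
if (-not (Get-Command Get-WBBackupSet -ErrorAction SilentlyContinue)) {
    if (Get-PSSnapin -Registered -Name Windows.ServerBackup -ErrorAction SilentlyContinue) {
        Add-PSSnapin Windows.ServerBackup        # Windows Server 2008 R2
    } else {
        Import-Module WindowsServerBackup         # Windows Server 2012 and later
    }
}

function Get-TombstoneLifetimeDays {
    # The value lives on the Directory Service object in the configuration
    # partition; when the attribute is not set, AD uses 60 days.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
                        -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { return [int]$ds.tombstoneLifetime }
    return 60
}

function Test-DcSystemStateBackup {
    param([int]$MaxAgeDays = 7)   # assumed local policy: acceptable backup age
    $tsl  = Get-TombstoneLifetimeDays
    # Keep only backup sets that actually contain the System State.
    $sets = Get-WBBackupSet | Where-Object { "$($_.RecoverableItems)" -match 'SystemState' }
    if (-not $sets) {
        return [pscustomobject]@{ Status = 'NoSystemStateBackup'; LastBackup = $null
                                  AgeDays = $null; TombstoneLifetimeDays = $tsl }
    }
    $last = ($sets | Sort-Object BackupTime -Descending | Select-Object -First 1).BackupTime
    $age  = [int]((Get-Date) - $last).TotalDays
    $status = if ($age -ge $tsl)         { 'TooOldForADRestore' }
              elseif ($age -gt $MaxAgeDays) { 'Stale' }
              else                          { 'OK' }
    [pscustomobject]@{ Status = $status; LastBackup = $last
                       AgeDays = $age; TombstoneLifetimeDays = $tsl }
}

Test-DcSystemStateBackup -MaxAgeDays 7 | Format-List
```

Run it from an elevated PowerShell session on the DC; a status other than OK is the signal to fix the backup schedule before a crash, not after.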


Author Comment

ID: 36709077
what if the server (hardware) crashes and cannot be repaired? You cannot simply restore a System State Backup to a different type of hardware
As far as I know, I would have to restore a full image backup in case of a serious hardware defect. With a single domain controller this should be sufficient and there would be no need for an additional system state restore. Am I wrong?

during this restoration time no one can log on into domain and use resources/mail
With a single server they won't be able to use mail/files/resources anyway.

I was hoping to find some good reasons to convince customers to get a second domain controller, even if they don't care about some additional downtime in case of a hardware problem. The best reason I found so far is that it would be problematic if the same hardware isn't available anymore, but I'm not really sure how likely it is that the image backup won't restore on a slightly changed hardware configuration.
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36709487
Yes, you're wrong :) The only possible way of restoring AD database is to use System State Backup (and there are also other hardware related options which may cause BSOD on different server)

If the client doesn't care about high-availability resources, do not bother them to implement redundant devices. Just wait for the first serious crash, then they will see how much time is needed to bring the environment back to work :)


Assisted Solution

H-Singh earned 600 total points
ID: 36709690
If you have only one DC, or I would say one hardware server with DC/Exchange all on one, rather than discussing the pros and cons of two DCs etc., just use a good backup setup.

Use Active Directory aware backup software like Symantec or Acronis. Make sure backup archives are safe and you have options like restore to different hardware.

I have exactly the same setup for one of my offices where there is only one hardware server serving as DC/Exchange/SQL/file data etc. It's a quite good DELL server with Symantec backup.

Yes, I have had to restore to different hardware in the past and all worked well. Now downtime depends upon the size of data on the server and the backup media being used.

Good hardware, good backup software with good backup media: I don't see any issues if the company doesn't mind waiting 4-5 hours to restore the system should the need arise once in some years, but yes, if cheap hardware is used and no proper backup software or media is used, you will end up losing everything.

Author Comment

ID: 36709970
Yes, you're wrong :) The only possible way of restoring AD database is to use System State Backup
I thought that the system state is only a subset of a full backup? What additional or more current information is stored in the system state backup that is not included in an image of the system volume(s)?

I understand why the system state restore is important if there are other domain controllers for the same domain or if you want to recover deleted items without using a full backup, but I don't find a reason to use it after restoring a single domain controller from a full image backup. Aren't commercial backup products able to back up every important file while the server is online?

Can you explain this in more detail?
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36710063
Check what is backed up during System State backup

and yes, that's my fault, I misunderstood the Full Image Backup :) you mentioned at the beginning
Yes, of course it's enough to restore the server using that image

Sorry once again


Author Closing Comment

ID: 36716296
Thanks for your answers.
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36716337
You're welcome :)

