What is the perfect Backup policy for Domain

Posted on 2011-10-11
Last Modified: 2012-05-12
We have a Windows AD domain server.
I would like to know the perfect backup solution... about what needs to be backed up and when, i.e. duration.

In case of failure, how to recover...

Please give me info for Windows 2000, Windows 2003 and Windows 2008.
Question by:infopeer
12 Comments
 
LVL 9

Expert Comment

by:Ahmed786
ID: 36947938
Symantec products can be used as they are most reliable and easy to use; for more info you can visit their site.

http://www.symantec.com/business/backup-exec-for-windows-servers

As most of the organization uses this product for backup and recovery.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36947945
It doesn't matter which DC you want to back up, it's always good to have a recent backup of System State. Do it regularly for each DC and you will be secured in case any of your DCs crashes. As AD database content changes every day, I would suggest doing a System State backup daily and storing it for 60 days (default Tombstone lifetime). After that time the backup is useless because the Tombstone lifetime was reached and object(s) cannot be restored.

System State backup also allows you to restore deleted objects from a domain. For that you need to perform an authoritative restore. Check these MS articles at
http://support.microsoft.com/kb/241594
http://technet.microsoft.com/en-us/library/cc779573%28WS.10%29.aspx

or visit Sandesh's blog and see his article at
http://sandeshdubey.wordpress.com/2011/10/09/authoritative-non-authoritative-restore-in-windows2008/

Regards,
Krzysztof
0
 

Author Comment

by:infopeer
ID: 36948224
What happens if the backup is older than 60 days and I try to restore?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36948253
I see, I missed one more line in my previous comment :)

You can also use a free tool called ADRESTORE to restore deleted objects (but only when the tombstone lifetime hasn't expired). When it has expired, you need to use the recent System State backup to restore the object.

ADRESTORE can be downloaded from
http://technet.microsoft.com/en-us/sysinternals/bb963906

According to your question: when the tombstone lifetime expires, AD permanently removes the object from its database. For a couple of deleted objects, you are able to restore them authoritatively and they will exist. But when you restore a domain controller whose tombstone lifetime has expired, you would have a lot of lingering objects and problems with AD replication.

Krzysztof
0
 
LVL 15

Expert Comment

by:Jeff Perkins
ID: 36948415
We use a product called Nordic backup; it automates the process of backups. We back up the data stored on the server on a daily basis, including our SQL databases, then I have it set to do a system state backup once a month to an external hard drive only. This way I'm not using the space on the backup server and paying for it, but I have a system state that is never more than 30 days old.
If we have a lot of changes, for instance a lot of new members added to the domain, then I can do a manual system state backup at that time. After backing up to the external, I just remove it and put it in the fire safe.
0
 

Author Comment

by:infopeer
ID: 36948547
isiek, are you saying restoring a file larger than tombstone doesn't have any issues except deleted objects restoration and replication?

0
 

Author Comment

by:infopeer
ID: 36948553
Guys, I'm not asking for software... I'm asking what to back up for safe restoration?

0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36948578
When the tombstone lifetime expires, you cannot restore an object from the AD database because it is deleted permanently by the garbage collector. Then you have to perform an "Authoritative restore" from a backup. But if your DC fails and its tombstone lifetime expires, you cannot restore it from that backup because other DCs don't know anything about it anymore. If you still want to restore that DC and you do that, many lingering objects will show up in your domain and that "wrongly" restored DC may cause issues with AD replication within your network.

So, this is very important for Domain Controller restoration: there it does matter if the tombstone lifetime has expired. For other objects there is no problem, but when you restore a user from a 60-day-old backup, its group membership and many other attributes will probably not be up to date :)

Krzysztof
0
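A check for the retention rule discussed in this thread, as an added example that is not part of any participant's post: it reads the forest's actual tombstoneLifetime (an unset attribute means the 60-day default) and flags System State backups too old to restore a DC from. The function names, the 7-day warning margin and the sample dates are assumptions made for illustration.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime is stored on the Directory Service object in the
    # configuration partition; when it is not set, the default is 60 days.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                             -Properties tombstoneLifetime
    if ($null -ne $dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }
}

function Test-BackupRestorable {
    # Hypothetical helper: classifies each backup by age against the
    # tombstone lifetime. A backup as old as the lifetime (or older) must
    # not be used to bring a DC back, because it reintroduces objects the
    # other DCs have already garbage-collected (lingering objects).
    param(
        [Parameter(Mandatory=$true)][datetime[]]$BackupTime,
        [Parameter(Mandatory=$true)][int]$TombstoneLifetimeDays,
        [int]$WarnDays = 7,
        [datetime]$Now = (Get-Date)
    )
    foreach ($t in $BackupTime) {
        $age = [int][math]::Floor(($Now - $t).TotalDays)
        if ($age -ge $TombstoneLifetimeDays) {
            $status = 'Expired'
        } elseif ($age -ge ($TombstoneLifetimeDays - $WarnDays)) {
            $status = 'NearExpiry'
        } else {
            $status = 'Usable'
        }
        New-Object PSObject -Property @{ BackupTime = $t; AgeDays = $age; Status = $status }
    }
}

$tsl = Get-TombstoneLifetimeDays

# Constructed sample dates. Where the Windows Server Backup cmdlets are
# available, real values come from:
#   Get-WBBackupSet | ForEach-Object { $_.BackupTime }
$sample = (Get-Date).AddDays(-1), (Get-Date).AddDays(-55), (Get-Date).AddDays(-90)

Test-BackupRestorable -BackupTime $sample -TombstoneLifetimeDays $tsl |
    Sort-Object AgeDays | Format-Table BackupTime, AgeDays, Status -AutoSize
```

Run it per forest rather than assuming 60 days, and set the backup retention and the alerting on the newest backup's age from the value it returns.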
 

Author Comment

by:infopeer
ID: 36948856
Other than system state, are there any other things to back up?
0
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 2000 total points
ID: 36948935
For Domain Controllers the most important part is the System State backup (AD database + DNS), but if you have other data on your DCs, you should also consider backing it up.

For 2003 you can also do an ASR backup
http://technet.microsoft.com/en-us/library/cc779908%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/cc758365%28WS.10%29.aspx

For 2008 R2 you can check this
http://technet.microsoft.com/en-us/library/dd979562%28WS.10%29.aspx

Krzysztof
0
 

Author Closing Comment

by:infopeer
ID: 36948973
Thanks
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 36954176
You're welcome :)

Krzysztof
0
