
What is the perfect Backup policy for Domain

We have a Windows AD domain server.
I would like to know the perfect backup solution... about what needs to be backed up and when, i.e. duration.

In case of Failure how to recover...

Please give me info for Windows 2000, Windows 2003 and Windows 2008
Asked by: infopeer
 
Ahmed786 Commented:
Symantec Products can be used as it is most reliable and easy to use. For more info you can visit their site.

http://www.symantec.com/business/backup-exec-for-windows-servers

As most of the organization uses this product for backup and recovery.
 
Krzysztof Pytko (Senior Active Directory Engineer) Commented:
It doesn't matter which DC you want to back up, it's always good to have a recent backup of System State. Do it regularly for each DC and you will be secured in case any of your DCs crashes. As AD database content changes every day, I would suggest doing a System State backup daily and storing it for 60 days (default Tombstone lifetime). After that time the backup is useless because the Tombstone lifetime was reached and object(s) cannot be restored.

System State backup also allows you to restore a deleted object from a domain. For that you need to perform an authoritative restore. Check this MS article at
http://support.microsoft.com/kb/241594
http://technet.microsoft.com/en-us/library/cc779573%28WS.10%29.aspx

or visit Sandesh's blog and see his article at
http://sandeshdubey.wordpress.com/2011/10/09/authoritative-non-authoritative-restore-in-windows2008/

Regards,
Krzysztof
 
infopeer (Author) Commented:
What happens if the backup is older than 60 days and I try to restore?
 
Krzysztof Pytko (Senior Active Directory Engineer) Commented:
I see, I missed one more line in my previous comment :)

You can also use a free tool called ADRESTORE to restore a deleted object (but only when the tombstone lifetime didn't expire). When it has expired, you need to use the recent System State backup to restore the object.

ADRESTORE can be downloaded from
http://technet.microsoft.com/en-us/sysinternals/bb963906

According to your question, when the tombstone lifetime expires, AD permanently removes the object from its database. For a couple of deleted objects you are able to restore them authoritatively and they will exist. But when you restore a tombstone-lifetime-expired domain controller, you would have a lot of lingering objects and problems with AD replication

Krzysztof
 
Jeff Perkins (Owner) Commented:
We use a product called Nordic backup, it automates the process of backups. We back up the data stored on the server on a daily basis, including our SQL databases, then I have it set to once a month do a system state backup to an external hard drive only. This way I'm not using the space on the backup server and paying for it, but I have a system state that is never more than 30 days old.
If we have a lot of changes, for instance a lot of new members added to the domain, then I can do a manual system state backup at that time. After backing up to the external, I just remove it and put it in the fire safe.
 
infopeer (Author) Commented:
isiek, are you saying restoring a file larger than tombstone doesn't have any issues except deleted objects restoration and replication?

 
infopeer (Author) Commented:
Guys, I'm not asking for software... I'm asking what to back up for safe restoration?

 
Krzysztof Pytko (Senior Active Directory Engineer) Commented:
When the tombstone lifetime expires, you cannot restore an object from the AD database because it is deleted permanently by the garbage trash collector. Then you have to perform an "Authoritative restore" from a backup. But if your DC fails and its tombstone lifetime expires, you cannot restore it from that backup because other DCs don't know anything about it anymore. When you still want to restore that DC and you do that, many lingering objects will show in your domain and that "wrongly" restored DC may cause issues with AD replication within your network.

So, this is very important for Domain Controller restoration; then it does matter if the tombstone lifetime has expired. For other objects there is no problem, but when you restore a user from a 60-day-old backup, probably its group membership will not be up to date :) and many other attributes

Krzysztof
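
Added example (not part of any poster's reply, and not code from Microsoft or the products named in this thread): one way to check the age of the newest System State backup against the forest's tombstone lifetime discussed above. It assumes the ActiveDirectory PowerShell module on Windows Server 2012 or later, and it assumes the replication metadata of the `dSASignature` attribute on a partition head reflects that partition's last backup; the function names are hypothetical.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT);
# Get-ADReplicationAttributeMetadata ships with Windows Server 2012 and later.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsDN = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $tsl = (Get-ADObject -Identity $dsDN -Properties tombstoneLifetime).tombstoneLifetime
    # Attribute not set: the 60-day default mentioned in the thread applies.
    if ($null -eq $tsl) { return 60 }
    return [int]$tsl
}

function Test-AdBackupAge {
    param(
        [int]$MaxAgeDays = 1,                          # thread's advice: back up daily
        [string]$Server = (Get-ADDomain).PDCEmulator   # any reachable DC works
    )
    $tsl = Get-TombstoneLifetimeDays
    $partitions = @((Get-ADDomain).DistinguishedName,
                    (Get-ADRootDSE).configurationNamingContext)
    foreach ($nc in $partitions) {
        # Assumption: dSASignature metadata is stamped when the partition is backed up.
        $meta = Get-ADReplicationAttributeMetadata -Object $nc -Server $Server `
                    -Properties dSASignature
        if (-not $meta) {
            $age = $null
            $status = 'NO BACKUP RECORDED'
        } else {
            $age = [math]::Floor(((Get-Date) - $meta.LastOriginatingChangeTime).TotalDays)
            if     ($age -ge $tsl)        { $status = 'EXPIRED: older than tombstone lifetime' }
            elseif ($age -gt $MaxAgeDays) { $status = 'STALE: older than backup schedule' }
            else                          { $status = 'OK' }
        }
        [pscustomobject]@{
            Partition         = $nc
            BackupAgeDays     = $age
            TombstoneLifetime = $tsl
            Status            = $status
        }
    }
}

Test-AdBackupAge | Format-Table -AutoSize
```

Run it as a scheduled task and alert on any row whose Status is not OK, so a silently failing backup job is noticed well before the tombstone lifetime runs out.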
 
infopeer (Author) Commented:
Other than system state, are there any other things to back up?
 
Krzysztof Pytko (Senior Active Directory Engineer) Commented:
For Domain Controllers the most important part is System State Backup (AD database + DNS) but if you have other data on your DCs, you should also consider backing them up.

For 2003 you can also do ASR backup
http://technet.microsoft.com/en-us/library/cc779908%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/cc758365%28WS.10%29.aspx

For 2008 R2 you can check this
http://technet.microsoft.com/en-us/library/dd979562%28WS.10%29.aspx

Krzysztof
 
infopeer (Author) Commented:
Thanks
 
Krzysztof Pytko (Senior Active Directory Engineer) Commented:
You're welcome :)

Krzysztof