Link to home
Start Free TrialLog in
Avatar of dqnet
dqnet

asked on

Domain Controller Restore.

Hi folks,

I have a really qq. We have 2 domain controllers, one virtulised hosting the FSMO roles and the other physical. Let's say the fsmo role holder fails catastophically. If we need to restore, from the backup is it as simple as creating a new VHD which is the same as the previous VHD. Booting from the ISO, choosing repair and selecting the system backup we have? In the interim should we seize the roles to the second domain controller? Or is it ok to leave the FSMO roles in suspend mode on the old domain controller until we restore it?

I know you cant just restore use an earlier copy of the VHD file.

Thanks.
ASKER CERTIFIED SOLUTION
Avatar of Darius Ghassem
Darius Ghassem
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
What version of Windows.  In Windows 8 you can use snapshots....I know way to early but that is on the horizon.

In this cast I'd seize the FSMO roles, run a metadata cleanup and put up a new DC and promote it again.

Thanks

Mike
If you have two DCs then it can be argued that there is little merit in trying to restore a DC, simply remove the failed DC from AD (2008R2 will automatically do a clean up), then install a new server and DCPROMO it.
Avatar of dqnet
dqnet

ASKER

Rebuild the failed server then re-promote the server.

Why rebuild? Why not just restore? If that were the case why backup in the first place?
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
If you do a restore, then by definition its out of date - if will have to replicate anyway - so why not save yourself the hassle and re-install.
If you are restoring using a vmdk file or snapshot then i wouldn't worry about seize fsmo roles because is should be identical but if you have to build the server by creating a new vm then restoring backup files i would seize the roles as "dariusg" suggested.
Avatar of dqnet

ASKER

If you have two DCs then it can be argued that there is little merit in trying to restore a DC, simply remove the failed DC from AD (2008R2 will automatically do a clean up), then install a new server and DCPROMO it.

Same question applies? Why back it up? It doesnt make sense? That way, build 3 DC's if one fails, just seize, same over and over?

p.s. how does windows server cleanup automatically? (yes, 2008 r2) at which point does it automatically cleanup? After you seize the roles?
Avatar of dqnet

ASKER

Snapshots are a serious no-go for domain controllers? So i beleive that is completely out of the question?

What if AD hadn't changed since? I cant seem to understand what is the use of backing up a domain controller anymore? Seize the roles and of we go again?
Backup is critical if you have a disaster and/or if all DCs are down.

If one DC fails best way to restore is to re-promote the DC.

You can delete the server from AD this will automatically cleanup metadata.

http://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx
Also, if you delete an object for example and OU you can restore the OU with all the contents within the OU. Backups allow object restoration as well
Avatar of dqnet

ASKER

Backup is critical if you have a disaster and/or if all DCs are down.
If one DC fails best way to restore is to re-promote the DC.
You can delete the server from AD this will automatically cleanup metadata.


I really am shocked as to how easy this is... I'll just build 4 domain controllers and keep seize the roles as and when they fail.

p.s. when you rebuild the domain controller it doesnt have to be the same name right? You can change the name and just restore the roles to it after you've finished promoting it?
Right really all you are doing is adding another DC to the domain when you rebuild.
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Your main question is answered above, but the last question

Same question applies? Why back it up? It doesnt make sense? That way, build 3 DC's if one fails, just seize, same over and over?

What happens if you lose the whole site, worst case scenario a tsunami hits your offices?
How would you get your office operational again?
Rebuild the entire network from scratch? Obviously the assumption is that you have an offsite backup at a reliable location.

What happens if somebody deletes all your AD objects on purpose or by accident?
How would you get those objects back?

N.B. AD Recycle bin in Windows 2008R2 is not a disaster recovery option so your backup is always a safe option.

We could argue that you only need 1 copy of a backup, but I wouldn't risk the chances of the backup failing so rather be safe and backup all your Servers.

The largest installation I worked at was 22000 users and 40+ DC's.
Including lag sites in two different countries. With DR/BCP failover test twice a year.
Even then, we backed up every single one of those DC's. System state and full backups.

It's one of those things you don't "REALLY" need to do, but you will sleep more comfortably at night knowing you've got a backup.
Avatar of dqnet

ASKER

Split best way I thought :)

Fantastic! Thanks guys!