Solved

Backup AD

Posted on 2012-04-12
Last Modified: 2012-08-13
Hello Guys,

Soon we plan to create a two-way trust between our infrastructure and the infrastructure of a new company acquired by our MD.

Our AD servers span two cities, so my question is: before creating the trust, how should I back up my AD?

- Do I perform a system state backup on each of the 10 DCs, or will doing it on the DC with the FSMO roles be sufficient?
- All our DCs are Windows 2008 R2, so should I take a snapshot using ntdsutil?

Please advise, because in case things go wrong I know I can simply revoke the trust, but just to be on the safe side I would like to back up our single-domain AD.
Question by:fais79
9 Comments
 

Expert Comment

by:Geodash
Of course always back up the full DC - but to just do an AD backup, look below.

I would make sure all DCs are backed up, using whatever software you use, before making any major changes.

Backing Up Active Directory and Associated Components

To back up Active Directory and associated components on a domain controller, you can back up only system state or you can back up both system state and the system disk.

http://technet.microsoft.com/en-us/library/bb727048.aspx
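
One way to take and check the system state backup discussed above on a single domain controller, as an added example that is not part of any poster's reply. It assumes an elevated PowerShell session on the DC, the Windows Server Backup feature installed, and `E:` as a placeholder for a local volume that is not a critical (system) volume.

```powershell
# Added example, not from the thread. Run locally and elevated on each DC.
# Assumption: E: is a placeholder for a local, non-critical volume with free space.
$BackupTarget = 'E:'

# Record which DCs hold the FSMO roles so the restore plan knows where to start.
& netdom.exe query fsmo

# System state backup: this is the copy of AD that a DC can actually be restored from
# (non-authoritative or authoritative restore in Directory Services Restore Mode).
& wbadmin.exe start systemstatebackup "-backupTarget:$BackupTarget" -quiet
if ($LASTEXITCODE -ne 0) {
    throw "System state backup failed on $env:COMPUTERNAME (wbadmin exit code $LASTEXITCODE)"
}

# Confirm that the new backup version is listed on the target before changing anything.
& wbadmin.exe get versions "-backupTarget:$BackupTarget"

# Optional: ntdsutil snapshot of the directory database (Windows Server 2008 and later).
# A snapshot is a read-only copy that can be mounted and browsed with dsamain to compare
# objects before and after a change; it is not a backup a DC can be restored from.
& ntdsutil.exe snapshot "activate instance ntds" create quit quit

# List the snapshots that now exist on this DC.
& ntdsutil.exe snapshot "list all" quit quit
```

The backup is only useful for as long as it is younger than the forest's tombstone lifetime, so it should be taken shortly before the change it protects.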

Expert Comment

by:Anuroopsundd
You can back up the main DCs which are hosting FSMO roles.

Additional domain controllers can be backed up, but in case of failure you can always do a metadata cleanup.


http://technet.microsoft.com/en-us/library/cc732238(v=ws.10).aspx

Author Comment

by:fais79
How about the new AD snapshot method available in Windows 2008 via ntdsutil? Should this be OK for recovery? And do I snapshot AD on each DC or just the FSMO role holder?

Author Comment

by:fais79
Let's just say I back up system state on all DCs. In case I want to restore them back to how they were prior to creating the trust, how would I do that?

I mean, would I have to restore authoritatively on the FSMO holder DC and let the others receive the changes?

I know how to restore OUs etc. authoritatively, but how would I restore authoritatively so that DCs lose the trust info and revert back to their original state?

Many thanks guys

Expert Comment

by:Anuroopsundd
To be frank, if the trust is broken you don't have to restore anything. We make and break trusts every day. There is not much requirement for the same.
Many times we even face issues with a trust being lost due to network issues, and we just recreate the trust.
You will not restore domain controllers just for trust purposes.

And in the worst case, if you have to restore, you will restore just the FSMO role server.

Author Comment

by:fais79
Thanks Anu!

I have to think of the worst-case scenario, because we all know things don't always go to plan when it comes to IT :)

So let me get this right...

Say I want a full AD revert; then I would follow these steps:

1. Do a non-authoritative restore on the FSMO holder.
2. Perform an authoritative restore straight after. (How would I restore so that the trust goes away?)
3. Would I need to shut down the other DCs before restarting the FSMO holder after the restore?

Thanks

Expert Comment

by:Geodash
I prefer to back up all DCs vs. metadata cleanup. Some will disagree; I just think it is cleaner.

Author Comment

by:fais79
That is the route I am taking: to back up the System State of all DCs, but I am struggling to understand the restore process. Does it mean I will have to restore the backed-up system state of each DC on itself?

Accepted Solution

by:
Geodash earned 500 total points
You won't have to do a restore necessarily, even if the trust fails. You can drop and re-add a trust.

Take a look here at the restore process, depending on your domain

http://social.technet.microsoft.com/Forums/eu/winserverDS/thread/edda25e3-9102-4fae-9843-a0e9d040139f