Backup AD

Hello Guys,

Soon we plan to create a two-way trust between our infrastructure and the infrastructure of a new company acquired by our MD.

Our AD servers span across two cities, so my question is: before creating the trust, how should I back up my AD?

- Do I perform a system state backup on each of the 10 DCs, or will doing it on the DC with FSMO roles be sufficient?
- All our DCs are Windows 2008 R2, so should I take a snapshot using ntdsutil?

Please advise, because in case things go wrong I know I can simply revoke the trust, but just to be on the safe side I would like to back up our single domain AD.
fais79 Asked:

Geodash Commented:
Of course, always back up the full DC - but to just do an AD backup, look below.

I would make sure all DCs are backed up, using whatever software you use, before making any major changes.

Backing Up Active Directory and Associated Components

To back up Active Directory and associated components on a domain controller, you can back up only system state or you can back up both system state and the system disk.

http://technet.microsoft.com/en-us/library/bb727048.aspx
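The system state backup and ntdsutil snapshot discussed in this thread, as an added example that is not part of the original posts. It assumes the ActiveDirectory module and the Windows Server Backup command-line tools are installed on the DC; the backup volume `E:` is a placeholder.

```powershell
# Added example. Run elevated on each DC before the trust is created.
# Assumptions: ActiveDirectory module (ships with Windows Server 2008 R2),
# Windows Server Backup command-line tools installed, E: is a placeholder volume.
Import-Module ActiveDirectory

$target = 'E:'   # placeholder: a non-system volume with enough free space

# 1. Inventory: every DC, its site, and any FSMO roles it holds,
#    so no DC is missed and the role holders are easy to spot.
Get-ADDomainController -Filter * |
    Sort-Object Site, HostName |
    Format-Table HostName, Site, IsGlobalCatalog, OperationMasterRoles -AutoSize

# 2. System state backup of this DC (covers ntds.dit, SYSVOL and the registry).
wbadmin start systemstatebackup "-backupTarget:$target" -quiet
if ($LASTEXITCODE -ne 0) {
    throw "System state backup failed on $env:COMPUTERNAME (exit code $LASTEXITCODE)"
}

# 3. Confirm that a backup version now exists on the target.
wbadmin get versions "-backupTarget:$target"

# 4. Optional ntdsutil snapshot of the directory database.
#    A snapshot is a read-only copy that can be mounted and browsed later
#    (ntdsutil "mount", then dsamain) to compare the directory before and
#    after the change. It does not replace the system state backup when a
#    restore is needed.
ntdsutil snapshot "activate instance ntds" create "list all" quit quit
```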
Anuroopsundd Commented:
You can back up the main DCs which are hosting FSMO roles.

Additional domain controllers can be backed up, but in case of failure you can always do a metadata cleanup.


http://technet.microsoft.com/en-us/library/cc732238(v=ws.10).aspx
fais79 Author Commented:
How about the new snapshot of AD method available in Windows 2008 via ntdsutil??  Should this be ok for recovery? And do I snapshot AD on each DC or just FSMO role holder?
fais79 Author Commented:
Let's just say I back up system state on all DCs. In case I want to restore them back to how they were prior to creating the trust, how would I do that?

I mean, would I have to restore authoritatively on the FSMO holder DC and let the others receive the changes?

I know how to restore OUs etc. authoritatively, but how would I restore authoritatively so that DCs lose the trust info and revert back to their original state?

Many thanks guys
Anuroopsundd Commented:
To be frank, if the trust is broken you don't have to restore anything. We make and break trusts every day. There is not much requirement for the same.
Even many times we face issues with the trust being lost due to network issues, and we just recreate the trust.
You will not restore domain controllers just for trust purposes.

And in the worst case, if you have to restore, you will restore just the FSMO role server.
fais79 Author Commented:
Thanks Anu!

I have to think worst-case scenario because we all know things sometimes don't always go to plan when it comes to IT :)

So let me get this right...

Say I want full AD revert back then I would follow these steps:

1. Do a Non-Authoritative Restore on the FSMO holder
2. Perform an Authoritative Restore straight after. (How would I restore so that the trust goes away?)
3. Would I need to shut down other DCs before restarting the FSMO holder after the restore?

Thanks
Geodash Commented:
I prefer to backup all DC's vs. metadata cleanup. Some will disagree, I just think it is cleaner.
fais79 Author Commented:
That is the route I am taking, which is to back up the System State of all DCs, but I am struggling to understand the restore process. Does it mean I will have to restore the backed-up system state of each DC on itself?
Geodash Commented:
You won't have to do a restore necessarily, even if the trust fails. You can drop and re-add a trust.

Take a look here at the restore process, depending on your domain

http://social.technet.microsoft.com/Forums/eu/winserverDS/thread/edda25e3-9102-4fae-9843-a0e9d040139f