Solved

Backup AD

Posted on 2012-04-12
Last Modified: 2012-08-13
Hello Guys,

Soon we plan to create a two-way trust between our infrastructure and the infrastructure of a new company acquired by our MD.

Our AD servers span two cities, so my question is: before creating the trust, how should I back up my AD?

- Do I perform a system state backup on each of the 10 DCs, or will doing it on the DC with the FSMO roles be sufficient?
- All our DCs are Windows 2008 R2, so should I take a snapshot using ntdsutil?

Please advise. In case things go wrong I know I can simply revoke the trust, but just to be on the safe side I would like to back up our single-domain AD.
Question by:fais79
9 Comments
 
LVL 9

Expert Comment

by:Geodash
ID: 37838424
Of course always back up the full DC - but to just do an AD backup, look below.

I would make sure all DCs are backed up, using whatever software you use, before making any major changes.

Backing Up Active Directory and Associated Components

To back up Active Directory and associated components on a domain controller, you can back up only system state or you can back up both system state and the system disk.

http://technet.microsoft.com/en-us/library/bb727048.aspx
0
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37838468
You can back up the main DCs which are hosting FSMO roles.

Additional domain controllers can be backed up, but in case of failure you can always do a metadata cleanup.


http://technet.microsoft.com/en-us/library/cc732238(v=ws.10).aspx
0
 

Author Comment

by:fais79
ID: 37838561
How about the new AD snapshot method available in Windows 2008 via ntdsutil? Should this be OK for recovery? And do I snapshot AD on each DC or just the FSMO role holder?
0
 

Author Comment

by:fais79
ID: 37839439
Let's just say I back up the system state on all DCs. In case I want to restore them back to how they were prior to creating the trust, how would I do that?

I mean, would I have to restore authoritatively on the FSMO holder DC and let the others receive the changes?

I know how to restore OUs etc. authoritatively, but how would I restore authoritatively so that the DCs lose the trust info and revert back to their original state?

Many thanks guys
0

 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37839465
To be frank, if the trust is broken you don't have to restore anything. We make and break trusts every day. There is not much requirement for the same.
Many times we even face issues with a trust being lost due to network issues, and we just recreate the trust.
You will not restore domain controllers just for trust purposes.

And at worst, if you have to restore, you will restore just the FSMO role server.
0
 

Author Comment

by:fais79
ID: 37839631
Thanks Anu!

I have to think of the worst-case scenario because we all know things don't always go to plan when it comes to IT :)

So let me get this right...

Say I want a full AD revert; then I would follow these steps:

1. Do a Non-Authoritative Restore on the FSMO holder
2. Perform an Authoritative Restore straight after. (How would I restore so that the trust goes away?)
3. Would I need to shut down the other DCs before restarting the FSMO holder after the restore?

Thanks
0
 
LVL 9

Expert Comment

by:Geodash
ID: 37839635
I prefer to back up all DCs vs. metadata cleanup. Some will disagree, I just think it is cleaner.
0
 

Author Comment

by:fais79
ID: 37839655
That is the route I am taking: backing up the System State of all DCs. But I am struggling to understand the restore process. Does it mean I will have to restore the backed-up system state of each DC onto itself?
0
 
LVL 9

Accepted Solution

by:
Geodash earned 500 total points
ID: 37839672
You won't necessarily have to do a restore, even if the trust fails. You can drop and re-add a trust.

Take a look here at the restore process, depending on your domain:

http://social.technet.microsoft.com/Forums/eu/winserverDS/thread/edda25e3-9102-4fae-9843-a0e9d040139f
0
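A pre-change baseline for one domain controller, covering the system state backup and the ntdsutil snapshot discussed in this thread, plus a record of the FSMO holders and of the trusts that exist before the new one is created. This is an added example, not posted by any participant; the E: target, the report folder name, and an elevated PowerShell 2.0 prompt on Windows Server 2008 R2 with the ActiveDirectory module and Windows Server Backup installed are assumptions.

```powershell
# Added example: pre-trust baseline on one DC. Run elevated, on the DC itself.
# Assumptions: ActiveDirectory module and Windows Server Backup feature installed;
# E: is a hypothetical non-system volume with room for the backup.
Import-Module ActiveDirectory

$BackupTarget = 'E:'                                   # hypothetical volume
$Stamp        = Get-Date -Format 'yyyyMMdd-HHmmss'
$ReportDir    = "$env:SystemDrive\ADBaseline-$Stamp"   # hypothetical folder
New-Item -ItemType Directory -Path $ReportDir | Out-Null

# 1. Record the FSMO role holders, so it is known later which DC to restore first.
$domain = Get-ADDomain
$forest = Get-ADForest
New-Object PSObject -Property @{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
} | Export-Csv "$ReportDir\fsmo.csv" -NoTypeInformation

# 2. Record the trusts that exist now. After the change (or after removing the
#    trust), the same query shows exactly which trustedDomain objects differ.
Get-ADObject -Filter 'objectClass -eq "trustedDomain"' `
        -Properties trustDirection, trustType, trustAttributes, whenCreated |
    Select-Object Name, trustDirection, trustType, trustAttributes, whenCreated |
    Export-Csv "$ReportDir\trusts-before.csv" -NoTypeInformation

# 3. System state backup of this DC. Stop if wbadmin reports a failure.
& wbadmin.exe start systemstatebackup "-backupTarget:$BackupTarget" -quiet
if ($LASTEXITCODE -ne 0) {
    throw "System state backup failed (wbadmin exit code $LASTEXITCODE)"
}

# 4. Save the backup timestamps that AD itself records per directory partition.
& repadmin.exe /showbackup | Out-File "$ReportDir\showbackup.txt"

# 5. Create an AD snapshot. It can be mounted and browsed with dsamain to compare
#    against the live directory; it does not replace the system state backup.
& ntdsutil.exe snapshot 'activate instance ntds' create quit quit
if ($LASTEXITCODE -ne 0) {
    throw "ntdsutil snapshot failed (exit code $LASTEXITCODE)"
}

Write-Output "Baseline written to $ReportDir"
```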
