Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 318
  • Last Modified:

Backup AD

Hello Guys,

Soon we plan create a two way trust between our infrastructure and the infrastructure of a new company acquired by our MD.

Our AD servers span across two cities so my question is before creating the trust how should I Backup my AD?

- Do I perform system state backup on each of the 10 DCs or doing it on DC with FSMO roles will be sufficient?
- All our DCs are Windows 2008 R2 so should I take snapshot using ntdsutli?

Please advise because in case things go wrong I know I can simply revoke the trust but just to be on the safe sideI would like to backup our single domain AD.
0
fais79
Asked:
fais79
  • 4
  • 3
  • 2
1 Solution
 
GeodashCommented:
Of course always back up the full DC - but to just do an AD backup, look below.

I would make sure all DC's are backuped up, using whatever software you use, before making any major changes.

Backing Up Active Directory and Associated Components

To back up Active Directory and associated components on a domain controller, you can back up only system state or you can back up both system state and the system disk.

http://technet.microsoft.com/en-us/library/bb727048.aspx
0
 
AnuroopsunddCommented:
You can backup the main DC's which are hosting FSMO roles.

additional domain controllers can be backup but incase of failure you can always do a metadata cleanup..


http://technet.microsoft.com/en-us/library/cc732238(v=ws.10).aspx
0
 
fais79Author Commented:
How about the new snapshot of AD method available in Windows 2008 via ntdsutil??  Should this be ok for recovery? And do I snapshot AD on each DC or just FSMO role holder?
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
fais79Author Commented:
Let's just say if I backup system state on all DCs.. in case I want to restore them back to how they were prior to creating the trust then how would I do that?

I meant would I have to restore authortatively on the FSMO holder DC and let others recieve the changes?

I know how to restore OU's etc authortatively but how would I restore authortatively so that DCs lose the trust info and revert back to their original state

Many thanks guys
0
 
AnuroopsunddCommented:
To be frank if the trust is broken you don't have to restore anything. we make and break trust everyday. there is not much requirement for the same.
Even many times we face issue with trust being lost due to the network issues and we just recreacte the trust...
you will not restore Domain controllers just for trust purpose..

And in worst.. if  you hae to restore .. you will restore just the FSMO role server..
0
 
fais79Author Commented:
Thanks Anu!

I have to think worse case scenrio because we all know things sometimes don't always go to plan when it comes to IT :)

So let me get this right...

Say I want full AD revert back then I would follow these steps:

1. Do a Non-Authortative Restore on FSMO holder
2. Perform Authortative Restore straight after.. (How would I restore so that the trust is goes away)?
3. Would I need to shutdown other DCs before restarting the FSMO holder after restore

Thanks
0
 
GeodashCommented:
I prefer to backup all DC's vs. metadata cleanup. Some will disagree, I just think it is cleaner.
0
 
fais79Author Commented:
That is the route I am taking... Is to backup System State of all DCs but struggling to understand the restore process.. Does it mean I will have to restore backed up system state of each DC on itself?
0
 
GeodashCommented:
You wont have to do a restore necessarily, even if the trust fails. You can drop and re-add a trust.

Take a look here at the restore process, depending on your domain

http://social.technet.microsoft.com/Forums/eu/winserverDS/thread/edda25e3-9102-4fae-9843-a0e9d040139f
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

  • 4
  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now