Solved

In-Depth questions about Backup and Restore of domain controllers

Posted on 2012-08-19
Last Modified: 2013-07-18
I have some questions regarding backing up and restoring domain controllers in a multi-domain-controller environment:

I read that "Windows Server Backup" flags backups of Active Directory as "backup" to ensure that the invocation ID is reset and USN rollback is prevented.

Will this flag be set during backup by the "Active Directory VSS Writer" or during the restore process?

If it is done by the "AD VSS Writer" during the backup process, does this mean that every backup solution that uses the AD VSS writer will set this flag automatically, or does the backup software have to set this flag manually or request the flagging by sending a special command to the "AD VSS Writer"?

A lot of older blog posts by Microsoft MVPs warn against using "image based backup solutions" for domain controllers. Are those recommendations out of date because current solutions use the AD VSS writer in the same way as "Windows Server Backup" does?

If it is done during the restore process, when and how exactly does it happen? Does "Windows Server Backup" set the "Database restored from backup" registry key somehow during restore, or is it done in another way?

I read that you have to boot into DSRM mode (F8) and adjust the network settings if you restore a domain controller to different hardware, because booting in normal mode will destroy the domain controller beyond repair. What exactly happens if I boot the domain controller on different hardware without booting into DSRM mode? Why does the missing network configuration destroy the domain controller?

ShadowProtect (VSS/image based backup software) recommends using the option "Restore hidden tracks" for domain controllers. The "hidden tracks" are the sectors between the MBR and sector 63. What does a domain controller store in those "hidden tracks"?

100% working backups are a delicate topic, so I really want to understand details of that kind before I can trust a backup solution. Unfortunately I couldn't find in-depth information on those questions with Google. All those questions result from hours of Google research, and what I'm looking for are answers, not "quick links" to everything that is already obvious from my questions. ;)
Question by:exexc
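The question asks where the "Database restored from backup" flag and the invocation-ID reset become visible. The following added check script (not part of the original thread) reads the markers a domain controller actually leaves behind in the registry and the Directory Service event log after a supported restore or after it detects USN rollback. It assumes an elevated PowerShell session on the DC itself with the ActiveDirectory module available; the 14-day event window and the verdict wording are this example's own choices, while the registry value names and event IDs are the documented ones.

```powershell
# Added example, not from the original thread: show the local evidence of a
# supported restore (flag set by the restore path, consumed by NTDS at next
# start when it assigns a new invocation ID) versus a USN rollback
# (database rewound under the same invocation ID, detected by NTDS against
# its replication partners).
# Assumptions: run elevated on the DC, ActiveDirectory module installed.

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$p = Get-ItemProperty -Path $ntdsParams

# Set to 1 by a supported restore (system state / AD VSS writer path);
# NTDS reads it at the next start and resets the invocation ID.
$restoredFlag = $p.'Database restored from backup'
# Incremented on every supported restore.
$restoreCount = $p.'DSA Previous Restore Count'
# 4 = USN rollback detected: NTDS has disabled inbound/outbound replication
# and paused NETLOGON so the DC cannot hand out stale secrets.
$notWritable = $p.'DSA Not Writable'

$dc   = Get-ADDomainController -Identity $env:COMPUTERNAME
$root = Get-ADRootDSE

# Directory Service log: 1109 = invocation ID changed after a supported
# restore; 2095 = USN rollback detected; 2103 = DC restored with an
# unsupported procedure. The 14-day window is an arbitrary choice.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = 1109, 2095, 2103
    StartTime = (Get-Date).AddDays(-14)
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message

$verdict = if ($notWritable -eq 4 -or ($events.Id -contains 2095)) {
    'USN ROLLBACK detected: isolate this DC, force-demote it and clean up its metadata; do not re-enable replication'
} elseif ($restoredFlag -eq 1) {
    'Supported restore pending: NTDS will assign a new invocation ID on next start'
} elseif ($events.Id -contains 1109) {
    'Supported restore completed: invocation ID was changed'
} else {
    'No restore or rollback markers present'
}

[pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    InvocationId         = $dc.InvocationId
    HighestCommittedUsn  = $root.highestCommittedUSN
    RestoredFromBackup   = $restoredFlag
    PreviousRestoreCount = $restoreCount
    DsaNotWritable       = $notWritable
    RecentEvents         = $events
    Verdict              = $verdict
}
```

The check is local only: the definitive rollback detection is the one NTDS performs itself by comparing its USN with what partners remember for its invocation ID, which is why the event 2095 path ranks first in the verdict.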

Assisted Solution

by:KCTS
KCTS earned 450 total points
If you have multiple DCs and one fails, then by far the simplest solution is to create another new DC; once it's promoted to a DC, AD is replicated to it from the other DCs - no need to resort to a backup as such.

Of course this does not mean you don't need to do backups - what if you deleted an OU by accident, for example? - or you had a corrupted database? In that case you may need to resort to a backup and do an authoritative restore (though there are other methods available these days to restore a deleted OU).

Author Comment

by:exexc
This would be my preferred way, but some DCs are used for additional roles and services and I also want to have a real disaster recovery, for cases when all DCs are stolen or damaged by water or fire.

Accepted Solution

by:Will Szymkowski
Will Szymkowski earned 1050 total points
As you have stated, it is not recommended to restore a single DC using an image solution. The reason for this is that replication indexing is not synced anymore, and certain areas of the directory partitions will not get replicated to other domain controllers (so they will never sync correctly).

Depending on the type of backup solution you have and the DFL and FFL, you can use a third-party product (Backup Exec, NetBackup etc.) to restore AD objects without having to do them in AD Restore mode.

If you are running 2008 R2 FFL and DFL, you will be able to activate the Recycle Bin feature, which will allow you to restore objects on the fly as well without AD restore mode.

As KCTS has mentioned, if a DC fails to boot then it is recommended to rebuild and let the DCs sync themselves. If it is the FSMO holder that has the issue, you can seize the roles to another working DC and continue the process after doing a metadata cleanup.

I would however recommend doing a system state backup, which will back up the ntds.dit and the scripts/policies folder.

You can back up the servers as images, but you would only restore this image if your entire domain is offline. Never restore a DC image into a functioning AD environment.

Hope this helps!
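Will's system-state recommendation, carried through as an added example that is not from the thread. It takes the backup with the built-in `wbadmin` tool and records the DC's invocation ID and highest committed USN, so that after any restore (a supported DSRM system state recovery, or an image restore you want to check) the live DC can be compared with the record for the behaviour the question asks about: a supported restore changes the invocation ID, an unsupported one rewinds the USN under the same invocation ID. The target volume E:, the record file path and the function names are assumptions; the session must be elevated, with the ActiveDirectory module and the Windows Server Backup feature installed.

```powershell
# Added example, not part of the original thread. Backs up system state with
# Windows Server Backup and records the replication identity of this DC.
# Assumptions: elevated session on the DC, ActiveDirectory module and the
# Windows Server Backup feature installed, a non-critical target volume E:.
param(
    [string]$BackupTarget = 'E:',
    [string]$RecordPath   = 'E:\dc-identity-record.json'
)

function Get-DcReplicationIdentity {
    $dc   = Get-ADDomainController -Identity $env:COMPUTERNAME
    $root = Get-ADRootDSE
    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        InvocationId        = $dc.InvocationId.ToString()
        HighestCommittedUsn = [int64]$root.highestCommittedUSN
        Recorded            = (Get-Date).ToString('o')
    }
}

function Invoke-DcSystemStateBackup {
    param([string]$Target, [string]$Record)
    # System state on a DC covers ntds.dit, SYSVOL (policies/scripts), the
    # registry and boot files; the AD VSS writer marks the database so that a
    # later system state recovery makes NTDS reset the invocation ID.
    # -quiet suppresses the interactive confirmation.
    & wbadmin.exe start systemstatebackup -backupTarget:$Target -quiet
    if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }
    # Record the identity after the backup so that any later database state
    # older than this record is a genuine rewind.
    $identity = Get-DcReplicationIdentity
    $identity | ConvertTo-Json | Set-Content -Path $Record
    $identity
}

function Test-DcRestoreState {
    # Run once the server is back online after a restore. Compares the live
    # DC with the record taken at backup time.
    param([string]$Record)
    $saved = Get-Content -Path $Record -Raw | ConvertFrom-Json
    $now   = Get-DcReplicationIdentity
    $idChanged  = $now.InvocationId -ne $saved.InvocationId
    $usnRewound = $now.HighestCommittedUsn -lt $saved.HighestCommittedUsn

    $verdict = if ($idChanged) {
        'Supported restore: invocation ID changed, partners will re-sync from the new ID'
    } elseif ($usnRewound) {
        'UNSUPPORTED rollback: same invocation ID with a lower USN; partners will skip re-issued updates. Isolate and force-demote this DC.'
    } else {
        # Limitation of a purely local check: a restore followed by no
        # directory writes would show an equal USN and land here.
        'No evidence of a restore in local state since the record was taken'
    }
    [pscustomobject]@{
        SavedInvocationId = $saved.InvocationId
        LiveInvocationId  = $now.InvocationId
        SavedUsn          = $saved.HighestCommittedUsn
        LiveUsn           = $now.HighestCommittedUsn
        Verdict           = $verdict
    }
}

Invoke-DcSystemStateBackup -Target $BackupTarget -Record $RecordPath
# After a restore, verify with:  Test-DcRestoreState -Record $RecordPath
```

Keep the record file off the DC's system volume (here it sits next to the backup on E:), otherwise an image restore of the system volume would also roll the record back and the comparison would prove nothing.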

Author Comment

by:exexc
Closing question. No-one answered my questions completely, so I will split points.