In-Depth questions about Backup and Restore of domain controllers

I have some questions regarding backing up and restoring domain controllers in a multi domain controller environment:

I read that "Windows Server Backup" is flagging backups of the Active Directory as "backup" to ensure that the invocation id is reset and USN rollback is prevented.

Will this flag be set during backup by the "Active Directory VSS Writer" or during the restore process?

If it is done by the "AD VSS Writer" during the backup process, does this mean that every backup solution that uses the AD-VSS writer will set this flag automatically or does the backup software have to set this flag manually or request the flagging by sending a special command to the "AD VSS Writer"?

A lot of older blog posts by Microsoft MVPs warn against using "image based backup solutions" for domain controllers. Are those recommendations out of date, because current solutions use the AD VSS writer in the same way as "Windows Server Backup" does?

If it is done during the restore process, when and how exactly does it happen? Does "Windows Server Backup" set the "Database restored from backup" registry key somehow during restore, or is it done in another way?

I read that you have to boot into DSRM mode (F8) and adjust the network settings if you restore a domain controller to different hardware, because booting in normal mode will destroy the domain controller beyond repair. What exactly happens if I boot the domain controller on different hardware without booting in DSRM mode? Why does the missing network configuration destroy the domain controller?

ShadowProtect (VSS/image based backup software) recommends using the option "Restore hidden tracks" for domain controllers. The "hidden tracks" are the sectors between the MBR and sector 63. What does a domain controller store in those "hidden tracks"?

100% working backups are a delicate topic, so I really want to understand details of that kind before I can trust a backup solution. Unfortunately I couldn't find in-depth information on those questions with Google. All those questions result from hours of Google research, and what I'm looking for are answers and no "quick links" to everything that is already obvious from my questions. ;)
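The markers the question asks about can be inspected on a running DC. The following PowerShell script is an added example for this thread, not something posted by the asker or the answerers: it reads the NTDS restore markers from the registry, reports the DC's current invocation ID, and counts the Directory Service events that announce an invocation ID reset after a supported restore (event 1109), a detected USN rollback (event 2095) and an unsupported restore (event 2103). It assumes it is run elevated on the DC itself with the ActiveDirectory RSAT module installed; the property names are the NTDS registry value names, and the output object layout is this example's own choice.

```powershell
# Added example (not from the original thread): audit a domain controller for
# restore markers and USN-rollback symptoms from a defender's point of view.
# Assumptions: run elevated on the DC; ActiveDirectory module available.
Import-Module ActiveDirectory -ErrorAction Stop

$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$params     = Get-ItemProperty -Path $ntdsParams

# 'Database restored from backup' is written by a supported (VSS-aware) restore and
# consumed by NTDS on its next start, so on a healthy, long-running DC it is absent.
# 'DSA Previous Restore Count' is incremented each time NTDS processes such a restore.
$pendingRestore = $params.PSObject.Properties['Database restored from backup']
$restoreCount   = $params.PSObject.Properties['DSA Previous Restore Count']

# The invocation ID identifies this DC's database instance to its replication
# partners; it must change after a restore, otherwise partners trust stale USNs.
$dc = Get-ADDomainController -Identity $env:COMPUTERNAME

# 1109 = invocation ID changed after restore (expected after a supported restore)
# 2095 = USN rollback detected by a partner (replication with this DC is stopped)
# 2103 = database restored with an unsupported procedure (NTDS disables itself)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1109, 2095, 2103 } `
                       -MaxEvents 50 -ErrorAction SilentlyContinue

[pscustomobject]@{
    DomainController       = $dc.HostName
    InvocationId           = $dc.InvocationId
    PendingRestoreFlag     = $(if ($pendingRestore) { $pendingRestore.Value } else { 'absent' })
    PreviousRestoreCount   = $(if ($restoreCount)   { $restoreCount.Value }   else { 0 })
    InvocationIdResets     = @($events | Where-Object Id -eq 1109).Count
    UsnRollbackDetected    = (@($events | Where-Object Id -eq 2095).Count -gt 0)
    UnsupportedRestoreSeen = (@($events | Where-Object Id -eq 2103).Count -gt 0)
    LastRelevantEvent      = ($events | Select-Object -First 1).TimeCreated
}
```

A restore done through a VSS-aware path should show a non-zero PreviousRestoreCount and a matching 1109 event, with no 2095 or 2103 events afterwards; an image rolled back without going through that path shows the opposite pattern (no count increment, partners logging 2095). Comparing the reported InvocationId against the "DSA invocationID" line in `repadmin /showrepl` on a partner confirms whether the partners have picked up the new ID.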
Will Szymkowski, Senior Solution Architect, commented:
As you have stated, it is not recommended to restore a single DC using an image solution. The reason for this is that replication indexing is not synced any more, and certain areas of the directory partitions will not get replicated to other domain controllers (so they will never sync correctly).

Depending on the type of backup solution you have and the DFL and FFL, you can use a third party (Backup Exec, NetBackup etc.) to restore AD objects without having to do them in AD Restore mode.

If you are running 2008 R2 FFL and DFL, you will be able to activate the Recycle Bin feature, which will allow you to restore objects on the fly without AD Restore mode as well.

As KCTS has mentioned, if a DC fails to boot then it is recommended to rebuild and let the DCs sync themselves. If it is the FSMO holder that has the issue, you can seize the roles to another working DC and continue the process after doing a metadata cleanup.

I would, however, recommend doing a System State backup, which will back up the ntds.dit and the scripts/policies folder.

You can back up the servers as images, but you would only restore this image if your entire domain is offline. Never restore a DC image into a functioning AD environment.

Hope this helps!
Brian Pierce, Photographer, commented:
If you have multiple DCs and one fails, then by far the simplest solution is to create another new DC; once it's promoted to a DC, AD is replicated to it from the other DCs, so there is no need to resort to a backup as such.

Of course this does not mean you don't need to do backups. What if you deleted an OU by accident, for example, or you had a corrupted database? In that case you may need to resort to a backup and do an authoritative restore (though there are other methods available these days to restore a deleted OU).

exexc (Author) commented:
This would be my preferred way, but some DCs are used for additional roles and services and I also want to have a real disaster recovery, for cases when all DCs are stolen or damaged by water or fire.
exexc (Author) commented:
Closing question. No-one answered my questions completely, so I will split points.