AD Backup strategy

Posted on 2015-02-22
99 Views
Last Modified: 2015-02-24
Hello Expert,
The current AD Infrastructure of our company consists of 3 Domain Controllers as follows:-
1) DC01:
      Server Name: DC01
      Architecture: Physical Server
      Operating System Installed: Windows Server 2008 SP1 Standard Edition
      Server type: 32-bit
      Antivirus Installed: McAfee VirusScan Enterprise + Antispyware Enterprise
      Domain Functional Level: Windows Server 2008
      Flexible Single Operations Masters (FSMO) running: PDC Emulator and Relative Identifier (RID) Master
      Server Roles Installed:
      * DNS
      * DHCP
      * Global Catalog (GC)
2) CUDDC02:
      Server Name: DC02
      Architecture: Physical Server
      Operating System Installed: Windows Server 2008 SP1 Standard Edition
      Server type: 32-bit
      Antivirus: McAfee VirusScan Enterprise + Antispyware Enterprise
      Domain Functional Level: Windows Server 2008
      Flexible Single Operations Masters (FSMO) running: Domain Naming and Schema Master
      Server Roles Installed:
      * DNS
      * Global Catalog (GC)
3) DC03:
      Server Name: DC03
      Architecture: Virtual Server
      Operating System Installed: Windows Server 2008 SP1 Standard Edition
      Server type: 32-bit
      Antivirus: McAfee VirusScan Enterprise + Antispyware Enterprise
      Domain Functional Level: Windows Server 2008
      Flexible Single Operations Masters (FSMO) running: Infrastructure Master
      Server Roles Installed:
      * DNS
      * Global Catalog (GC)


My question is: do I need to take a daily full backup of all 3 domain controllers (DC01, DC02 & DC03) separately, or of only one domain controller? The requirement is that whenever a server failure happens or any object gets accidentally deleted from AD, I should be able to restore it from this backup ASAP.
Please advise me on the best strategy to back up (full backup, incremental or differential backup) the domain controllers based on the above scenario.

Thank you for the excellent support we are getting from all the "Experts" from Expert-Exchange.

Regards,
Question by: smpvm
 
Expert Comment by: Will Szymkowski
First question is: why do you have your roles separated? Is there any reason for this? Typically you want to simplify AD as much as possible.

There are different scenarios where you would back up Active Directory. Restoring a single DC using system state backups is one method. Note that you need to take a system state backup for every DC in your environment that you might want to recover. If you back up DC1 only you cannot use this system state to restore DC2 (as an example).

I would also take a complete image of a DC that holds all of the FSMO roles, in case you have to rebuild the entire domain (virus, corrupt ntds.dit database, etc.): you can restore this image (only this image) and then rebuild all other DCs from scratch and allow them to replicate from the restored DC. You would only do this in the event your entire domain needs to be restored.

I should able to restore those from this backup ASAP
When it comes to restoring individual objects you can use ldp.exe to restore objects from the hidden deleted items container (as long as it is before the tombstone period: 60 days for 2000/2003 and 180 days for 2008 and up, "by default").

You also have other features like the Recycle Bin which you can use to restore objects or complete OUs. In 2008 it can be difficult if you are not used to PowerShell, but in 2012 you have the Recycle Bin GUI now as well to make this function easier.
2012 also offers a way to virtualize/clone your DCs as well, which can allow for faster recovery if there is ever a need.

Those are some of the things to consider when backing up and restoring AD.

Having a good system state backup is always a good idea even if it is only from 1 domain controller, but because the ntds.dit database is really not that large, these types of backups should not take long at all.

Will.

Expert Comment by: Seth Simmons
I would also suggest getting those servers to SP2.
SP1 went out of support nearly 4 years ago.

Author Comment by: smpvm
Thank you Experts. The FSMO roles are separated between DC01, DC02 and DC03 because an external auditor instructed our management to do so as a best practice from Microsoft.

By the way, according to your suggestion I came to understand that I have to take backups of all domain controllers on a daily basis, otherwise if one domain controller fails I will not have the luxury of restoring that domain controller. Is that right?

Can you please suggest me a good backup procedure, I mean daily full backup or differential backup? The good thing is that I have got 1TB of storage space for the domain controller backups.

Waiting for the experts' advice.

Regards,

Expert Comment by: Will Szymkowski
By the way according to your suggestion i came to understand that i have to take Backups of all domain controllers on daily basis otherwise if one domain controller fails i will not have a luxury to restore that domain controller is that right ?

If you want to ever restore a DC from backup you need to backup each DC that you might want to restore. You cannot use a system state backup example from DC01 and restore it to DC02. Each DC needs its own system state backup.

It really all depends on your environment; always do full backups when you are doing system state backups. You shouldn't have to do DC backups every night. I personally would do them weekly and not keep anything older than the 60 days (2000/2003) or 180 days (2008 and up) tombstone period.

The FSMO roles are separated between DC01, Dc02 and DC03 because an external auditor instructed our management to do so as a best practice from Microsoft.

As for the first comment above, not sure where your auditor is getting their information. In any deployment I recommend FSMO roles are always designated to 1 DC. This is for simplicity and also possible latency issues if the roles are separated.

In some circumstances you would split the roles (very rare), but this is only necessary if it is an absolute requirement.
The link below outlines best practices for FSMO role placement and several reasons why it is a good idea to keep them on the same server.

http://support.microsoft.com/kb/223346


Will.
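Two things in the reply above are easy to get wrong in practice: each DC only counts as protected by its own backup, and a system state backup older than the tombstone lifetime is not safe to restore. The script below is an added example (not Will's code and not from the thread) that checks both on one DC. It assumes PowerShell 2.0 or later, that it runs locally on the DC as an administrator, and that the Windows Server Backup feature (wbadmin.exe) is installed; it reads tombstoneLifetime from the directory itself rather than assuming 60 or 180 days.

```powershell
# Added example, not part of the thread. Run on each DC to compare the age of the newest
# Windows Server Backup version with the forest tombstone lifetime. A backup of DC01 says
# nothing about DC02, so every DC is judged on its own backup versions.
# Assumes: PowerShell 2.0+, run locally as an administrator, wbadmin.exe installed.

# 1. Read tombstoneLifetime from the Directory Service object in the configuration partition.
$rootDse   = [ADSI]"LDAP://RootDSE"
$configNc  = $rootDse.Properties["configurationNamingContext"].Value
$dsService = [ADSI]("LDAP://CN=Directory Service,CN=Windows NT,CN=Services," + $configNc)
$tslValue  = $dsService.Properties["tombstoneLifetime"].Value
# If the attribute is not set, the directory applies the original default of 60 days.
$tombstoneLifetimeDays = 60
if ($tslValue) { $tombstoneLifetimeDays = [int]$tslValue }

# 2. Ask Windows Server Backup for the versions it knows about on this server and pull
#    the "Backup time:" lines out of its text output (output is in the system locale).
$backupTimes = @()
foreach ($line in (& wbadmin get versions 2>&1)) {
    if ("$line" -match '^Backup time:\s+(.+)$') {
        try { $backupTimes += [datetime]::Parse($matches[1]) } catch { }
    }
}

# 3. Report: no backup at all, or newest backup older than the tombstone lifetime, both
#    mean this DC cannot be restored safely from what is on hand.
$hostName = $env:COMPUTERNAME
if ($backupTimes.Count -eq 0) {
    Write-Warning ("{0}: no Windows Server Backup versions found on this DC" -f $hostName)
} else {
    $newest  = ($backupTimes | Sort-Object -Descending)[0]
    $ageDays = [int]((Get-Date) - $newest).TotalDays
    $status  = "OK"
    if ($ageDays -ge $tombstoneLifetimeDays) { $status = "EXPIRED (older than tombstone lifetime)" }
    "{0}: newest backup {1} ({2} days old), tombstone lifetime {3} days -> {4}" -f `
        $hostName, $newest, $ageDays, $tombstoneLifetimeDays, $status
}
```

Run it on DC01, DC02 and DC03 separately (or through a remote session to each); a green result on one server does not carry over to the others. The expired/OK line is a convenient thing to feed into whatever monitoring you already have, so that a DC whose backups quietly stopped is noticed before it is needed.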

Author Comment by: smpvm
Hello Will,

I am very sorry for asking very basic questions. Let me ask you a very last question, which is about the location to back up to. If I need to take separate backups of DC01, DC02 and DC03, should I purchase separate external USB hard disks, or just map a shared folder on each of the domain controllers and set that mapped drive as the destination for the backup? What is the best method in your opinion, because I am very new to this activity.

Regards,

Expert Comment by: Will Szymkowski
No worry at all. It really all depends on the backup software you are using. I know that Windows Server Backup has a few limitations compared to other 3rd party backup software like Backup Exec or NetBackup. This really all depends on what you are using.

If your backup software supports backing up to a network share then you should be fine with the method you have described above. Make sure that your backups are scheduled outside production hours, as transferring the backup to another network share will cause network delays.

Will.

Author Comment by: smpvm
Currently I don't have any backup tools. I was thinking to take backups using Windows Backup only, to a network shared folder. Will this method work?

Expert Comment by: Will Szymkowski
This is supported on Server 2008 R2 and Server 2012/R2. See the link below for details.
https://technet.microsoft.com/en-us/library/dd851825.aspx

Will.

Author Comment by: smpvm
Oh my god, I have a Windows 2008 SP1 32-bit server, which means I will not get this option, right?

Accepted Solution by: Will Szymkowski (earned 500 total points)
I have found the below link which states that it is still supported in 2008 SP1.

You can no longer back up to tape. (However, support of tape storage drivers is still included in Windows Server 2008.) Windows Server Backup supports backing up to external and internal disks, DVDs, and shared folders.

The link below is specifically for 2008.
https://technet.microsoft.com/en-us/library/cc770266%28v=ws.10%29.aspx

Will.
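For the setup agreed on in this thread (Windows Server Backup, no third-party tool, a shared folder as the target, a weekly run per DC), here is an added example script of the kind you would schedule on each DC. It is not from the thread or from Microsoft; the share name \\backup01\dcbackups, the log path and the account CORP\svc-wsb are hypothetical. It uses only the documented wbadmin switches (-backupTarget, -allCritical, -vssFull, -quiet, and get versions with -backupTarget/-machine) and assumes the Windows Server Backup feature is installed and the account running it can write to the share, so no password has to appear on the command line.

```powershell
# Added example, not part of the thread. Back up this DC with Windows Server Backup to a
# shared folder and verify that a backup version is listed at the target afterwards.
# Hypothetical values: \\backup01\dcbackups and C:\BackupLogs. Assumes wbadmin.exe is
# installed and the account running the script has write access to the share.

$backupShare = '\\backup01\dcbackups'
$logFile     = 'C:\BackupLogs\dc-backup.log'
$hostName    = $env:COMPUTERNAME

function Write-Log([string]$message) {
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    Add-Content -Path $logFile -Value ("{0} {1} {2}" -f $stamp, $hostName, $message)
}

$logDir = Split-Path $logFile
if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }

# Check the share first so a missing target fails early with a clear log line.
if (-not (Test-Path $backupShare)) {
    Write-Log ("FAILED: backup share {0} is not reachable" -f $backupShare)
    exit 1
}

# -allCritical includes every volume the server needs to come back (system volume plus
# wherever ntds.dit, its logs and SYSVOL live), which is what a DC restore relies on.
# -vssFull updates each file's backup history; leave it out if another product also backs
# up this server, so that product's incremental chain is not disturbed.
Write-Log ("starting backup to {0}" -f $backupShare)
& wbadmin start backup -backupTarget:$backupShare -allCritical -vssFull -quiet 2>&1 |
    ForEach-Object { Write-Log ("wbadmin: {0}" -f $_) }

if ($LASTEXITCODE -ne 0) {
    Write-Log ("FAILED: wbadmin exited with code {0}" -f $LASTEXITCODE)
    exit $LASTEXITCODE
}

# Confirm the backup is visible at the target. Each server gets its own folder under
# WindowsImageBackup on the share, and Windows Server Backup keeps only the most recent
# version of a server's backup on a shared folder, so the newest entry is what matters.
$listed = & wbadmin get versions -backupTarget:$backupShare -machine:$hostName 2>&1 |
    Where-Object { "$_" -match '^Backup time:' }
if ($listed) {
    Write-Log ("OK: backup recorded, {0}" -f ($listed | Select-Object -Last 1))
} else {
    Write-Log "FAILED: wbadmin finished but no version is listed at the target"
    exit 2
}
```

To get the weekly, out-of-hours run suggested earlier, register the script once per DC with something like `schtasks /Create /SC WEEKLY /D SUN /ST 02:00 /TN "DC backup" /TR "powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\Backup-DC.ps1" /RU CORP\svc-wsb /RP * /RL HIGHEST` (path and account are placeholders; /RP * prompts for the password instead of putting it in the command). Two points worth attention: the account needs backup rights on the DC (Backup Operators or Administrators), and the share holds a copy of ntds.dit, which is the whole domain's credential store, so its NTFS and share permissions should allow write access only to that backup account and read access only to the people who would perform a restore. Because the shared folder keeps only the latest version per server, copying the WindowsImageBackup folder elsewhere after each run is how you keep more than one week of history within the tombstone lifetime.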

Author Closing Comment by: smpvm
Thank you for giving me the solution.

Expert Comment by: Will Szymkowski
You're welcome!

Will.