smpvm

AD Backup strategy

Hello Expert,
The current AD infrastructure of our company consists of 3 Domain Controllers, as follows:
1) DC01:
      Server Name: DC01
      Architecture: Physical Server
      Operating System Installed: Windows Server 2008 SP1 Standard Edition
      Server type: 32-bit
      Antivirus Installed: McAfee VirusScan Enterprise + Antispyware Enterprise
      Domain Functional Level: Windows Server 2008
      Flexible Single Operations Masters (FSMO) running: PDC Emulator and Relative Identifier (RID) Master
      Server Roles Installed:
      * DNS
      * DHCP
      * Global Catalog (GC)
2) CUDDC02:
      Server Name: DC02
      Architecture: Physical Server
      Operating System Installed: Windows Server 2008 SP1 Standard Edition
      Server type: 32-bit
      Antivirus: McAfee VirusScan Enterprise + Antispyware Enterprise
      Domain Functional Level: Windows Server 2008
      Flexible Single Operations Masters (FSMO) running: Domain Naming and Schema Master
      Server Roles Installed:
      * DNS
      * Global Catalog (GC)
3) DC03:
      Server Name: DC03
      Architecture: Virtual Server
      Operating System Installed: Windows Server 2008 SP1 Standard Edition
      Server type: 32-bit
      Antivirus: McAfee VirusScan Enterprise + Antispyware Enterprise
      Domain Functional Level: Windows Server 2008
      Flexible Single Operations Masters (FSMO) running: Infrastructure Master
      Server Roles Installed:
      * DNS
      * Global Catalog (GC)


My question is: do I need to take a daily full backup of all 3 Domain Controllers (DC01, DC02 & DC03) separately, or of only one domain controller? The requirement is that whenever a server failure happens or any object gets accidentally deleted from AD, I should be able to restore those from this backup ASAP.
Please advise me what the best strategy is to back up (full backup, incremental or differential backup) domain controllers based on the above scenario.

Thank you for the excellent support we are getting from all the "Experts" from Expert-Exchange.

Regards,
Will Szymkowski

First question is: why do you have your roles separated? Is there any reason for this? Typically you want to simplify AD as much as possible.

There are different scenarios where you would back up Active Directory. Restoring a single DC using system state backups is one method. Note that you need to take a system state backup for every DC in your environment that you might want to recover. If you back up DC1 only, you cannot use this system state to restore DC2 (as an example).

I would also take a complete image of a DC that holds all of the FSMO roles. In the case of having to rebuild the entire domain (virus, corrupt ntds.dit database, etc.), you can restore this image (only this image) and then rebuild all other DCs from scratch and allow them to replicate from the restored DC. You would only do this in the event your entire domain needs to be restored.

"I should be able to restore those from this backup ASAP"

When it comes to restoring individual objects, you can use ldp.exe to restore objects from the hidden deleted items container (as long as it is before the tombstone period: 60 days for 2000/2003 and 180 days for 2008 and up, by default).

You also have other features like the recycle bin, which you can use to restore objects or complete OUs. In 2008 it can be difficult if you are not used to PowerShell, but in 2012 you have the recycle bin GUI as well to make this function easier.
2012 also offers a way to virtualize/clone your DCs, which can allow for faster recovery if there is ever a need.

Those are some of the things to consider when backing up and restoring AD.

Having a good system state backup is always a good idea, even if it is only from 1 domain controller, but because the ntds.dit database is really not that large, these types of backups should not take long at all.

Will.

I would also suggest getting those servers to SP2.
SP1 went out of support nearly 4 years ago.

smpvm

ASKER

Thank you, Experts. The FSMO roles are separated between DC01, DC02 and DC03 because an external auditor instructed our management to do so as a best practice from Microsoft.

By the way, according to your suggestion, I came to understand that I have to take backups of all domain controllers on a daily basis; otherwise, if one domain controller fails, I will not have the luxury of restoring that domain controller. Is that right?

Can you please suggest a good backup procedure, I mean daily full backup or differential backup? The good thing is that I have got 1TB of storage space for domain controller backups.

Waiting for the experts' advice.

Regards,

"By the way, according to your suggestion, I came to understand that I have to take backups of all domain controllers on a daily basis; otherwise, if one domain controller fails, I will not have the luxury of restoring that domain controller. Is that right?"

If you ever want to restore a DC from backup, you need to back up each DC that you might want to restore. You cannot use a system state backup, for example, from DC01 and restore it to DC02. Each DC needs its own system state backup.

It really all depends on your environment. Always do full backups when you are doing system state backups. You shouldn't have to do DC backups every night; I personally would do them weekly and not keep anything older than the 60 days (2000/2003) or 180 days (2008 and up) tombstone period.

"The FSMO roles are separated between DC01, DC02 and DC03 because an external auditor instructed our management to do so as a best practice from Microsoft."

As for the first comment above, I am not sure where your auditor is getting their information. In any deployment, I recommend FSMO roles are always designated to 1 DC. This is for simplicity and also because of possible latency issues if the roles are separated.

In some circumstances you would split the roles (very rare), but this is only necessary if it is an absolute requirement.
The link below outlines best practices for FSMO role placement and several reasons why it is a good idea to keep them on the same server.

http://support.microsoft.com/kb/223346


Will.
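
Added example, not part of the thread: a PowerShell check of the two rules in the answer above (each DC has its own recent system state backup, and nothing older than the tombstone lifetime is kept). The share path and the layout of one folder per backup under each DC's name are assumptions; the DC names come from the question.

```powershell
# Assumed layout (hypothetical): <BackupRoot>\<DCName>\<one folder per system state backup>
param(
    [string]   $BackupRoot   = '\\backupsrv\dc-backups',   # hypothetical share
    [string[]] $DCs          = @('DC01', 'DC02', 'DC03'),  # DC names from the question
    [int]      $FallbackDays = 180,                        # thread's default for 2008 and up
    [int]      $MaxBackupAge = 7                           # weekly schedule suggested in the thread
)

# Read the forest's tombstone lifetime; the attribute is empty when the default applies.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$dirSvc   = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$tsl      = $dirSvc.tombstoneLifetime.Value
if (-not $tsl) { $tsl = $FallbackDays }

$now = Get-Date
foreach ($dc in $DCs) {
    $path = Join-Path $BackupRoot $dc
    $sets = @()
    if (Test-Path $path) {
        $sets = @(Get-ChildItem $path | Where-Object { $_.PSIsContainer } |
                  Sort-Object LastWriteTime -Descending)
    }
    if ($sets.Count -eq 0) {
        # Each DC needs its own system state backup; another DC's cannot be used.
        Write-Warning "$dc : no backup found under $path"
        continue
    }
    $newestAge = [int]($now - $sets[0].LastWriteTime).TotalDays
    if ($newestAge -gt $MaxBackupAge) {
        Write-Warning "$dc : newest backup is $newestAge days old (limit $MaxBackupAge)"
    }
    # Backups older than the tombstone lifetime should not be kept.
    $expired = @($sets | Where-Object { ($now - $_.LastWriteTime).TotalDays -ge $tsl })
    foreach ($e in $expired) {
        Write-Warning "$dc : $($e.Name) is past the $tsl-day tombstone lifetime; remove it"
    }
    '{0}: {1} backup(s), newest {2} days old, {3} expired' -f $dc, $sets.Count, $newestAge, $expired.Count
}
```
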
smpvm

ASKER

Hello Will,

I am very sorry for asking very basic questions. Let me ask you one last question, which is about the location to back up to. If I need to take separate backups of DC01, DC02 and DC03, do I need to purchase separate external USB hard disks, or just map a shared folder to each of the domain controllers and show those mapped drives as the destination for the backup to store? What is the best method in your opinion? I am very new to this activity.

Regards,

No worries at all. It really all depends on the backup software you are using. I know that Windows Server Backup has a few limitations compared to other 3rd party backup software like Backup Exec or NetBackup. This really all depends on what you are using.

If your backup software supports backing up to a network share, then you should be fine with the method you have described above. Make sure that your backups are scheduled outside production hours, as it will cause network delays transferring the backup to another network share.

Will.
smpvm

ASKER

Currently I don't have any backup tools. I was thinking of taking the backup using Windows Backup only, to a network shared folder. Will this method work?

This is supported on Server 2008 R2 and Server 2012/R2. See the link below for details.
https://technet.microsoft.com/en-us/library/dd851825.aspx

Will.
smpvm

ASKER

Oh my god, I have a Windows 2008 SP1 32-bit server, which means I will not get this option, right?

ASKER CERTIFIED SOLUTION
Will Szymkowski

This solution is only available to members.

smpvm

ASKER

Thank you for giving me the solution.
You're welcome!

Will.