AD Backup strategy

Hello Expert,
The current AD Infrastructure of our company consists of 3 Domain Controllers as follows:-
1)      DC01:-
      Server Name:-DC01
      Architecture:-Physical Server
      Operating System Installed: - Windows Server 2008 SP1 Standard Edition
      Server type: - 32-bit
      Antivirus Installed:- McAfee VirusScan Enterprise +Antispyware Enterprise
      Domain Functional Level:- Windows Server 2008
      Flexible Single Operations Masters (FSMO) running:-PDC Emulator and Relative Identifier (RID) Master
      Server Roles Installed:-
      *DNS
      *DHCP
      *Global Catalog (GC)
2) CUDDC02:-
      Server Name:-DC02
      Architecture:-Physical Server
      Operating System Installed: - Windows Server 2008 SP1 Standard Edition
      Server type: - 32-bit
      Antivirus:- McAfee VirusScan Enterprise +Antispyware Enterprise
      Domain Functional Level:- Windows Server 2008
      Flexible Single Operations Masters (FSMO) running:-Domain Naming and Schema Master
       Server Roles Installed:-
      *DNS
      *Global Catalog (GC)
3) DC03:-
      Server Name:-DC03
      Architecture:-Virtual Server
      Operating System Installed: - Windows Server 2008 SP1 Standard Edition
      Server type: - 32-bit
      Antivirus:- McAfee VirusScan Enterprise +Antispyware Enterprise
      Domain Functional Level:- Windows Server 2008
      Flexible Single Operations Masters (FSMO) running:-Infrastructure Master
       Server Roles Installed:-
      *DNS
      *Global Catalog (GC)


My question is, Do I need to take daily full Backup of these entire 3 Domain Controllers (DC01, DC02 & DC03) separately or only one domain controller. The requirement is whenever a server failure happens or any object got accidently deleted from AD, I should able to restore those from this backup ASAP.
Please advise me what is the best strategy to backup (Full back up or Incremental or Differential Backup) domain controllers based on the above scenario.

Thank you for the excellent support we are getting from all the "Experts" from Expert-Exchange.

Regards,
smpvmAsked:
Who is Participating?
 
Will SzymkowskiConnect With a Mentor Senior Solution ArchitectCommented:
I have found the below link which states that it is still supported in 2008 SP1.

You can no longer back up to tape. (However, support of tape storage drivers is still included in Windows Server 2008.) Windows Server Backup supports backing up to external and internal disks, DVDs, and shared folders.

The link below is specifically for 2008.
https://technet.microsoft.com/en-us/library/cc770266%28v=ws.10%29.aspx

Will.
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
first question is why do you have your roles separated? Is there any reason for this? Typically you want to simplify AD as much as possible.

There are different scenarios where you would backup Active Directory. Restoring a single DC using system state backups is one method. Note that you need to take a system state backup for every DC in your environment that you might want to recover. If you backup DC1 only you cannot use this system state to restore DC2 (as an example).

I would also take a complete image of a DC that holds all of the FSMO roles, in the case of having to rebuild the entire domain (virus or ntds.dit database corrupt) etc. you can restore this image (Only this image) and then rebuild all other DC's from scratch and allow them to replicate from the restored DC. You would only do this in the event your entire domain needs to be restored.

I should able to restore those from this backup ASAP
When it comes to restoring individual objects you can use ldp.exe to restore objects from the hidden delete items container (as long it is before the tombstone period 60 days for 2000/2003 and 180 days for 2008 and up "be default")

You also have other features like the recycle bin which you can use to restore objects or complete OU's. In 2008 it can be difficult if you are not use to powershell, but in 2012 you have the recycle bin GUI now as well to make this function easier.
2012 also offers a way to virtualize/clone your DC's as well which can allow for faster recovery if there is ever a need.

Those are some of the things to consider when backing up and restoring AD.

Having a good system state is always a good idea even if it is only from 1 domain controller, but because the ntds.dit database is really not that large these type of backups should not take long at all.

Will.
0
 
Seth SimmonsSr. Systems AdministratorCommented:
i would also suggest getting those servers to SP2
SP1 went out of support nearly 4 years ago
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
smpvmAuthor Commented:
Thank You Experts, The FSMO roles are separated between DC01, Dc02 and DC03 because an external auditor instructed our management to do so as a best practice from Microsoft.

By the way according to your suggestion i came to understand that i have to take Backups of all domain controllers on daily basis otherwise if one domain controller fails i will not have a luxury to restore that domain controller is that right ?

Can you please suggest me a good backup procedure i mean Daily Full Backup or Differential Backup, the good thing is that i have got a 1TB of storage space for domain controller backup space.

waiting for experts advice

Regards,
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
By the way according to your suggestion i came to understand that i have to take Backups of all domain controllers on daily basis otherwise if one domain controller fails i will not have a luxury to restore that domain controller is that right ?

If you want to ever restore a DC from backup you need to backup each DC that you might want to restore. You cannot use a system state backup example from DC01 and restore it to DC02. Each DC needs its own system state backup.

It really all depends on your environment, always do Full Backups when you are doing system state backups. You shouldn't have to do DC backups every night, I personally would do them weekly and do not keep anything older than 60 days (2000/2003) or 180 days (2008 and up) tombstone period.

The FSMO roles are separated between DC01, Dc02 and DC03 because an external auditor instructed our management to do so as a best practice from Microsoft.

As for the first comment above not sure where your auditor is getting their information. In any deployments I recommend FSMO roles are always designated to 1 DC. This is for simplicity and also possible latency issues if the roles are separated.

In some circumstances you would split the roles (very rare) but this only is necessary if it is an absolute requirement.
The link below outlines best practices for FSMO role placement and several reason why it is a good idea to keep them on the same server.

http://support.microsoft.com/kb/223346


Will.
0
 
smpvmAuthor Commented:
Hello Will,

I am very sorry by asking very basic questions. Let me ask you a very last question which is about the location to backup. If i am need to take separate backups of DC01, DC02 and DC03 should i need to purchase separate external USB Hard Disk or Just map a shared folder to each of the domain controllers & show that mapped drives as the destination for the backup to store. What is the best method according your opinion because i am very new to this activity.

Regards,
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
No worry at all. It really all depends on the backup software you are using. I know that Windows Server Backup has a few limitations over other 3rd party backup software like Backup Exec or NetBackup. This really all depends on what you are using.

If your backup software supports backing up to a network share then you should be fine with the method you have described above. Making sure that your backups are scheduled out-side production hours, as it will cause network delays transferring the backup to another network share.

Will.
0
 
smpvmAuthor Commented:
Currently i don't have any backup tools, i was thinking to take backup using windows backup only to a Network shared folder will this method work ?
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
This is supported on Server 2008R2 and server 2012/R2. See below link for details.
https://technet.microsoft.com/en-us/library/dd851825.aspx

Will.
0
 
smpvmAuthor Commented:
Oh my god i have a windows 2008 SP1 32-Bit server which means i will not get this option right ?
0
 
smpvmAuthor Commented:
Thank you for giving me the solution.
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
You're welcome!

Will.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.