Active Directory Backup

Hi All,

I need to find the best solution for an image level backup for Active Directory and then write up a strategy for the organisation I work for.

My thoughts were to create a virtual domain controller and backup domain controller using snapshots/Veeam etc. However, if the physical domain controller were to fail, do the FSMO roles automatically get transferred to another domain controller?


All suggestions/advice will be greatly appreciated.
Kelly Garcia (Senior Systems Administrator) asked:

Will Szymkowski (Senior Solution Architect) commented:
Image level backup is not supported. Server 2012 allows you to clone your DCs that are running Server 2012. Even at that point there are a lot of prerequisites that need to be met before you can do "DC Cloning".

FSMO roles automatically get transferred to another domain controller?
FSMO roles do not transfer automatically. This is a complete manual process.

If you do not meet the requirements for DC Cloning then the most appropriate method for backup would be a system state backup.

However, I personally also try and stay away from System Restores as well. I would just create a new DC and have this DC replicate from a partner that is currently online. This way you know that the DCs are syncing the correct information.

Take a look at the link below which outlines DC Cloning.
https://technet.microsoft.com/en-us/library/hh831734.aspx

DC Cloning Step-by-Step
http://blogs.technet.com/b/askpfeplat/archive/2012/10/01/virtual-domain-controller-cloning-in-windows-server-2012.aspx

Simply doing a DC clone within VMware is not a supported method and can create replication issues within your domain if you proceed with this method.

Will.
0
Amit (IT Architect) commented:
As Will mentioned above, better to do a system state backup or have more than one DC in your org. This is the best way to run your DC environment. Using snapshot restore, you might face USN rollback issues. Unless your complete domain has crashed, you don't need to try any restore.

If you have 2008 R2 and above, just enable the recycle bin option. That will give you the option to restore any deleted object back to its original state.
0
Andrew Hancock (VMware vExpert / EE MVE^2, VMware and Virtualization Consultant) commented:
Use an Active Directory Application Aware Backup Product - Veeam Backup and Replication is one such product.

However, if the physical domain controller were to fail, do the FSMO roles automatically get transferred to another domain controller?

No, you have to transfer them manually.
0
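Since the roles move only by hand, as stated above, here is an added PowerShell example (not from any of the posters) that lists the current FSMO holders and either transfers them gracefully or seizes them when the holder is dead for good. The DC name DC02 and the $HolderIsDead switch are assumptions.

```powershell
# Added example: inventory and move FSMO roles. DC02 is an assumed target DC.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    $domain = Get-ADDomain
    $forest = Get-ADForest
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster        # forest-wide
        DomainNamingMaster   = $forest.DomainNamingMaster  # forest-wide
        PDCEmulator          = $domain.PDCEmulator         # domain-wide
        RIDMaster            = $domain.RIDMaster           # domain-wide
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

Get-FsmoRoleHolders

# Assumption for this example: set to $true only if the old holder is
# permanently gone (failed hardware, never coming back).
$HolderIsDead = $false
$AllRoles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

if (-not $HolderIsDead) {
    # Graceful transfer: the current holder is online and hands the role over.
    Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole $AllRoles
}
else {
    # Seize: -Force skips the handshake with the old holder. The old holder must
    # never be brought back online afterwards without being rebuilt, or two DCs
    # will believe they own the role.
    Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole $AllRoles -Force
}

# Verify the new holders and confirm replication is healthy from the new DC.
Get-FsmoRoleHolders
repadmin /replsummary
```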

Will Szymkowski (Senior Solution Architect) commented:
Use an Active Directory Application Aware Backup Product - Veeam Backup and Replication is one such product.

You may be able to back up the system state with this product but I would not restore the entire image with it; this is not supported in an AD environment and you WILL run into issues.

Will.
0

Kelly Garcia (Senior Systems Administrator, Author) commented:
Hi Amit,

Thank you for the links, very useful. I do think wbadmin is the way forward; does this require the Windows Server Backup role installed?

Also, will wbadmin store the backups on the local drives, like C:\, D:\, etc.?

My thoughts are to create a virtual domain controller, and then to run wbadmin start systemstatebackup as a scheduled task, then back up the virtual domain controller with HP Data Protector - that's what we are currently using in our environment.

In case of a physical domain controller failure, we can simply seize the roles - if it contains any - and place them elsewhere? Will this cause any problems? The idea then is to rebuild the entire domain controller by formatting, then installing Active Directory and then re-adding it to the domain?

thank you in advance,
Kelly
0
Kelly Garcia (Senior Systems Administrator, Author) commented:
I have just spoken to my boss; the main concern is a physical domain controller that contains the roles going down. What's the best solution to this?

My colleagues say that if we seize the roles in that situation it will cause problems. Is that true?
0
Kelly Garcia (Senior Systems Administrator, Author) commented:
If we transfer the FSMO roles to a virtual DC, will there be any performance issues?
0
Andrew Hancock (VMware vExpert / EE MVE^2, VMware and Virtualization Consultant) commented:
I have just spoken to my boss; the main concern is a physical domain controller that contains the roles going down. What's the best solution to this?

and have High Availability!

Virtualise EVERYTHING!

If we transfer the FSMO roles to a virtual DC, will there be any performance issues?

No.

My colleagues say that if we seize the roles in that situation it will cause problems. Is that true?

Based on what evidence? Ask your informed colleague to cite his source!
0
Kelly Garcia (Senior Systems Administrator, Author) commented:
We have image level backups on virtual domain controllers using HP Data Protector. Should we use wbadmin instead?
0
Andrew Hancock (VMware vExpert / EE MVE^2, VMware and Virtualization Consultant) commented:
Is HP Data Protector Active Directory aware?
0
Amit (IT Architect) commented:
You just need to install Windows Backup on any DC and configure and start the system state backup. I take nearly four backups every day, as changes are updated very fast in my environment. Seize and Transfer FSMO role is only required when your FSMO holder is down. Best you split the FSMO roles over multiple servers: domain-wide on one server and forest-wide on another one.

Authoritative restores are rare; best to use the recycle bin option.
0
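The install-and-schedule procedure Amit describes, as an added PowerShell example (not from any of the posters). It also answers the earlier question about local drives: wbadmin by default refuses a critical (system/boot) volume as a system state target, so the assumed E: is a separate data volume; the task name and the 02:00 time are assumptions too.

```powershell
# Added example: Windows Server Backup system state backup on a DC.
# Assumptions: E: is a dedicated non-critical volume; task runs daily at 02:00.
Install-WindowsFeature Windows-Server-Backup

function Start-DcSystemStateBackup {
    param([string]$Target = 'E:')
    # -quiet suppresses the interactive confirmation so this works unattended.
    wbadmin start systemstatebackup "-backupTarget:$Target" -quiet
    if ($LASTEXITCODE -ne 0) {
        throw "System state backup to $Target failed with exit code $LASTEXITCODE"
    }
}

# Run one backup now and list the versions wbadmin keeps on that target.
Start-DcSystemStateBackup -Target 'E:'
wbadmin get versions -backupTarget:E:

# Schedule the same command under SYSTEM with highest privileges.
$action    = New-ScheduledTaskAction -Execute 'wbadmin.exe' `
                 -Argument 'start systemstatebackup -backupTarget:E: -quiet'
$trigger   = New-ScheduledTaskTrigger -Daily -At 02:00
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'AD-SystemStateBackup' `
    -Action $action -Trigger $trigger -Principal $principal

# Confirm the task exists and check the last backup result afterwards.
Get-ScheduledTask -TaskName 'AD-SystemStateBackup' | Get-ScheduledTaskInfo
wbadmin get status
```

Point the Data Protector job at E: (or copy the wbadmin output off-box) so the system state backup leaves the DC, rather than restoring the whole VM image.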
Will Szymkowski (Senior Solution Architect) commented:
Image level backups are not supported, period.

I have stated this several times. System State backup is the supported method (as I have stated in my first post). Also, if you are doing any cloning then you need to follow the requirements that are listed in the link I posted in my first comment as well.

Simply taking a FULL image is not the way you back up Active Directory. Also, based on the other posters' comments, you need to ensure that you have enough system resources to facilitate a DC before you just go ahead and virtualize it.

There are also other considerations as well, like the PDC time source when moving a DC to a VM environment.

Another thing that I also recommend is keeping at least 1 DC physical. If for whatever reason your entire VM environment fails or is unreachable (SAN failure etc.) and you have all of your DCs virtualized, then you will not be able to log in or do anything on your network.

At least if you have 1 physical DC that is outside of the VM environment, you are not "dead in the water".

Simply saying VM everything does not help the user and what was asked in the initial question.

Will.
0
Kelly Garcia (Senior Systems Administrator, Author) commented:
How do I use the recycle bin option?
0
Will Szymkowski (Senior Solution Architect) commented:
The recycle bin option is supported in a 2008 R2 Forest/Domain Functional Level (minimum requirement) or higher. You also need to enable this feature, as it is not enabled by default. However, this only restores objects that were deleted from Active Directory. This is not a recovery solution in itself for Active Directory as a whole.

You also need to be aware that even if you do not have a 2008 R2 FFL/DFL you can still recover deleted objects using LDP.exe. I have illustrated this as a HowTo on my website. See below for details.

http://www.wsit.ca/how-tos/active-directory/restore-active-directory-objects-usnig-ldp-exe-no-recycle-bin-feature-required/

Will.
0
Amit (IT Architect) commented:
Thanks for the great article, Will. Does that also restore permissions and group membership? With the Recycle Bin option, it restores everything back to its old state. I also used to restore using the ADRestore tool; however, I need to add memberOf again.

@kay07949
Here is the recycle bin option.
https://technet.microsoft.com/en-us/library/dd379481(v=ws.10).aspx
0
Will Szymkowski (Senior Solution Architect) commented:
Unfortunately, with the LDP.exe restore it does not restore the group memberships.

Will.
0
Amit (IT Architect) commented:
Thanks Will, that's why I am recommending the recycle bin option.
0
Will Szymkowski (Senior Solution Architect) commented:
However, the recycle bin option is not a "recovery solution" in itself. Yes, it will recover individual objects, but it is not a complete AD Recovery Solution, as I have stated previously.

I outlined this because I do not want the asker to get false hope thinking that the Recycle Bin feature will solve all of his problems when it comes to restoring Active Directory.

Will.
0
Amit (IT Architect) commented:
Yep, you're 110% right :)
0
Kelly Garcia (Senior Systems Administrator, Author) commented:
How do I check if the recycle bin feature is enabled?
0
Andrew Hancock (VMware vExpert / EE MVE^2, VMware and Virtualization Consultant) commented:
It was posted in http:#a40824337

But this is off topic from the original question asked.
0
Will Szymkowski (Senior Solution Architect) commented:
All you need to do is run the following PowerShell cmdlets.

import-module activedirectory
Get-ADOptionalFeature -Filter {name -eq "Recycle Bin Feature"} | fl

Look at "EnabledScopes": if you do not see anything beside this setting then it is not enabled.

Not Enabled = {}

Enabled = {CN=Partitions,CN=Configuration,DC=a,DC=com, CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com}

Will.
0
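Building on the check above, here is an added PowerShell example (not from any of the posters) that turns the EnabledScopes test into a function, verifies the 2008 R2 forest functional level that Will named as the minimum, enables the feature only when it is safe to do so, and shows the restore that keeps group memberships. The account name jdoe is a placeholder.

```powershell
# Added example: check, enable and use the AD Recycle Bin. Enabling it is a
# one-way change for the forest; the script refuses below the 2008 R2 FFL.
Import-Module ActiveDirectory

function Test-AdRecycleBin {
    $feature = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
    # EnabledScopes stays empty ({}) until the feature has been switched on.
    return [bool]($feature.EnabledScopes.Count -gt 0)
}

function Enable-AdRecycleBin {
    $forest = Get-ADForest
    $minimum = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    if ([int]$forest.ForestMode -lt [int]$minimum) {
        throw "Forest functional level $($forest.ForestMode) is below 2008 R2; raise it first."
    }
    if (Test-AdRecycleBin) { return 'Recycle Bin already enabled' }
    # Scope is the whole forest; Target is the forest root domain.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.RootDomain -Confirm:$false
    return 'Recycle Bin enabled; wait for replication before relying on it'
}

Enable-AdRecycleBin
Test-AdRecycleBin   # $true once the change has replicated

# With the feature on, a deleted object keeps its attributes and linked values,
# so the restore brings memberOf back (unlike the LDP.exe reanimation).
# 'jdoe' is a placeholder account name.
Get-ADObject -Filter { isDeleted -eq $true -and Name -like 'jdoe*' } -IncludeDeletedObjects |
    Restore-ADObject

# Confirm the restored account and its group memberships.
Get-ADUser -Identity 'jdoe' -Properties MemberOf | Select-Object Name, Enabled, MemberOf
```

Restore-ADObject puts the object back under its original parent; if that OU was deleted too, restore the OU first, then the objects under it.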