System State Backup for AD and Restoring

Looking into this more as I get ready to re-install Server 2008 R2. I think I have figured out the steps to create a system state backup for AD by following http://blog.pluralsight.com/backup-and-restore-active-directory-on-windows-server-2008. This is so I do not lose my users/groups within AD. I also prefer to not have the local machines create new profiles when they log in and have missing pieces on desktop/documents etc.

After that, I would re-install Server 2008. At what point during that install would I do the Authoritative Restore of Active Directory to get my users etc back?

Also, regarding robocopy, is this the correct line for me to use to grab everything on the D: partition and copy it to e:\ServBack\? robocopy d: e:\ServBack /e /copyall

I am wanting to keep all permissions to the folders when I copy to E, and then again when I copy them back to the D: partition after the OS re-install.

Thanks!
ZephyrM Asked:

Lee W, MVP (Technology and Business Process Advisor) Commented:
Why are you reinstalling?

Backup and restores are fine... but... I would say you're safer to simply add another temporary DC, then demote the original and rebuild.  Once done, demote the temp DC and you're finished and preserved.

Another point, it would be safer still if you plan on rebuilding, to remove the existing drives and save the order they are removed from the system (and slots they may be in) and put in NEW drives.  Drives are fairly cheap and if you make a mistake, restoring is as easy as re-inserting the old drives.

Basically, there's a lot of suggestions and options I can probably offer, but I don't want to be typing out paragraphs of "if you want this... then..." without knowing why you're doing this.
ZephyrM (Author) Commented:
Lee, I am re-installing due to partition size being too small on C: (20gb) and not enough room for Microsoft updates etc. With the way the raid setup was done, I can't use software to change the size of the partitions unfortunately.
Lee W, MVP (Technology and Business Process Advisor) Commented:
So here's the thing, if this were a VM, you'd be able to simply move the VM to another server and rebuild this host.

So, here's what I'd recommend you do:

Set up Hyper-V on an existing system or even use a Windows 8 Pro workstation with Client Hyper-V.  Then "P2V" your existing physical server.  Once virtualized, you can extend the existing "hard drive" and your server will be down for a very limited amount of time.

Once virtualized on a temporary system, reconfigure the storage on your host. Then install Hyper-V on that.  (5Nine Manager is a great free tool for small environments to manage and create VMs on the Free Hyper-V Server 2012).

Once your rebuilt host is ready, you can shut down the VM on the temporary server and export it.  Then import it into the new server.  Done.  You've minimized your down time, you've expanded your (now virtual) hard drive, and you've made your systems MUCH easier to manage remotely and even move to new hardware.

ONE CATCH - you can't do this if you tried to save $200 or so when you bought the server and bought Windows with the Server.  As a rule, NEVER, EVER, buy OEM Server Operating systems (those that are pre-installed at the factory).  Buy Volume Licenses.  Are they more expensive?  Yes, a little, but they are MUCH, MUCH more flexible!
ZephyrM (Author) Commented:
I prefer not doing the virtualized option as I'm not familiar at all with it and also don't have the other hardware to make do as you were mentioning.

Also, the operating system was purchased separately from the hardware.

I think I still prefer backing up the ad, re-installing, and then getting the ad back. I will be using the same exact hardware for this. If I had another box I'd be looking at a different option.

Thoughts?
Lee W, MVP (Technology and Business Process Advisor) Commented:
Thoughts?  Understand, I've been working in IT for over 20 years and if there's one thing I've learned it's to be as conservative as possible.  If you can potentially avoid interruption of your users, you should.  If you have never done something major and you want to do that major thing on your production network, you should perform tests first.

Virtualization is not new.  It's been a core part of Windows Server for 7 years.  You need to get familiar with this sooner than later.  By not knowing it, you're limiting yourself and causing a loss of functionality that should be unnecessary.

Should a backup and restore work?  Yes... but nothing beats experience to make sure you don't miss a checkbox or misunderstand a setting.

The SAFEST thing is to build a temporary system.  Period.  Don't have a temporary system?  Go buy a $50 500 GB hard drive and pull the drive out of one of your workstations.  Migrate to that.  Then migrate back from them.  Going virtual saves the second DC migration, but if you really don't want to do that, then it's just adding another DC a second time.
ZephyrM (Author) Commented:
Lee, back to my original post,

After that, I would re-install Server 2008. At what point during that install would I do the Authoritative Restore of Active Directory to get my users etc back?

Also, regarding robocopy, is this the correct line for me to use to grab everything on the D: partition and copy it to e:\ServBack\? robocopy d: e:\ServBack /e /copyall

I am wanting to keep all permissions to the folders when I copy to E, and then again when I copy them back to the D: partition after the OS re-install.

I would prefer doing virtual stuff on different test boxes. This one I need to fix the primary partition is a simple install, 1 ad, 1 ou, 5 groups and like 30 users.

Thanks for your replies.
ZephyrM (Author) Commented:
Also, not worried about users' access as I'll be doing this tomorrow after everyone leaves the office for the weekend. So just need it up and running by Monday morning but I won't have anyone trying to access files etc.
Lee W, MVP (Technology and Business Process Advisor) Commented:
Even worse - you have to give up your weekend!  Or at least a good chunk of it.

I don't normally use robocopy.  Nothing wrong with doing so, but I'm not sure the switches off hand.

Normally, I use XCOPY /E /C /H /O /V /Y and redirect standard error to a file so I see all errors if there are any.

The last time I did a system state restore of a DC was YEARS ago... I generally wouldn't because I always have two DCs or imaged backups of the server.  I'll repeat - whatever procedure you use, you need to test.

To some extent, I wouldn't even bother with Robocopy or xcopy.  Stop and ask yourself, if these disks failed tonight, how would you restore everything.  You're currently using OLD drives (as far as I can surmise).  Probably past their warranty period.  You're not near getting a new server or you probably would be... so to ensure you don't end up losing data, I would STRONGLY encourage you to purchase new disks and treat this entire process as a disaster recovery test.  Just leave it in place when done.  Or restore your old drives for a few days if something doesn't work properly.

Honestly, having had to do similar things for clients in the past, your procedure is, in my opinion, especially without prior testing of your backups and understanding of exactly what to expect through experience, risky at best.  I wish you luck, but I think you're doing this wrong.  If you're not confident in your skills to forklift this network for 30 users, I would strongly encourage you to contract with someone who is.  REALLY not trying to offend, just concerned about your direction and risks involved for you.
Will Szymkowski (Senior Solution Architect) Commented:
@ZephyrM

You need to perform the authoritative restore of your system state backup once you have installed the OS with your patches.

That is all that is required before you do your system state restore.

Will.
ZephyrM (Author) Commented:
Thanks Will. There isn't a whole lot of patches (unless you are talking Windows updates).

Also, regarding robocopy, is this the correct line for me to use to grab everything on the D: partition and copy it to e:\ServBack\? robocopy d: e:\ServBack /e /copyall

I am wanting to keep all permissions to the folders when I copy to E, and then again when I copy them back to the D: partition after the OS re-install.
Will Szymkowski (Senior Solution Architect) Commented:
You may also want to add a couple more switches.

robocopy.exe /E /B /SEC /SECFIX

Backup mode will copy files that are also open. /SEC and /SECFIX will copy security permissions exactly, if this is something you are after.

Aside from that everything looks fine. And yes, I am referring to Windows OS patches.

Will.
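
An added example, not part of the original posts: the copy from D: to E:\ServBack with the switches discussed in this thread, followed by a check that owner and explicit permissions arrived intact. The log path, the excluded folder names and the retry values are assumptions; the script targets the PowerShell 2.0 that ships with Server 2008 R2.

```powershell
# Added example, not from the thread. $src and $dst are the paths named above;
# the log path and the excluded folder names are assumptions.
$src  = 'D:\'
$dst  = 'E:\ServBack'
$log  = 'E:\ServBack-robocopy.log'
$skip = '$RECYCLE.BIN', 'System Volume Information'

# /E subfolders incl. empty, /COPYALL data+attributes+timestamps+ACL+owner+audit,
# /B backup mode (needs an elevated prompt), /SECFIX re-applies security on files
# that are otherwise skipped as unchanged, /R and /W bound the retries,
# /XJ skips junction points, /XD leaves out the per-volume system folders.
robocopy $src $dst /E /COPYALL /B /SECFIX /R:2 /W:5 /XJ /NP "/LOG:$log" /XD $skip
$rc = $LASTEXITCODE
# Exit code is a bitmask: 1 copied, 2 extras in destination, 4 mismatches,
# 8 some copies failed, 16 fatal error. Anything from 8 up is a failed backup.
if ($rc -ge 8) { throw "robocopy failed with exit code $rc, see $log" }

function Get-AclFingerprint([string]$Path) {
    # Owner plus the explicit (non-inherited) ACEs. Inherited ACEs are left out
    # because they follow the parent folder, which differs between D:\ and E:\.
    $acl = Get-Acl -Path $Path
    $aces = $acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference, $_.FileSystemRights,
            $_.AccessControlType, $_.InheritanceFlags, $_.PropagationFlags
    } | Sort-Object
    $acl.Owner + ';' + ($aces -join ';')
}

# Walk the source and report anything missing or with a different owner/ACL.
$problems = @()
Get-ChildItem -Path $src -Recurse -Force -ErrorAction SilentlyContinue |
  Where-Object { $p = $_.FullName; -not ($skip | Where-Object { $p -like "*\$_*" }) } |
  ForEach-Object {
    $rel  = $_.FullName.Substring($src.Length)
    $copy = Join-Path $dst $rel
    if (-not (Test-Path -LiteralPath $copy)) { $problems += "missing: $rel"; return }
    if ((Get-AclFingerprint $_.FullName) -ne (Get-AclFingerprint $copy)) {
        $problems += "owner/ACL differs: $rel"
    }
  }
if ($problems.Count) { $problems; throw "$($problems.Count) item(s) need attention" }
'Copy verified: every item exists in the destination with the same owner and explicit ACEs.'
```

Swapping `$src` and `$dst` gives the same check for the copy back to D: after the re-install. Folders the account cannot list are skipped by the verification walk, so run it elevated and compare the item count against the robocopy log.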
ZephyrM (Author) Commented:
Thanks Will. I will give that a try.
ZephyrM (Author) Commented:
Thought of one other question. Would it be wise to leave the domain on all local computers. And then rejoin once server is rebuilt? Or does it matter when I do it? The domain is going to be the same as before.

*I am thinking if ad backup fails for some reason*
Will Szymkowski (Senior Solution Architect) Commented:
"Would it be wise to leave the domain on all local computers. And then rejoin once server is rebuilt?"

I don't think I understand the question. Can you please re-phrase this?

Will.
ZephyrM (Author) Commented:
Local computers are already on the domain. Is it needed to leave the domain and then rejoin after server rebuild? Or just leave as part of the domain and re-install?
Will Szymkowski (Senior Solution Architect) Commented:
You are taking a backup of the current domain so nothing changes. Machines will not need to be re-added to the domain once the restore has been completed.

Will.
ZephyrM (Author) Commented:
Gotcha. First time backing up to do a full restore like this; wasn't sure if the DC would be included in the AD backup.

Thanks again.  I plan on getting started on this this evening.
Will Szymkowski (Senior Solution Architect) Commented:
Excellent, good luck!

Will.
ZephyrM (Author) Commented:
Will, a little update on where I currently stand. Last night I was able to perform the AD backup, which said it successfully completed. I was able to back up my storage drive with robocopy, which worked fine. I then re-installed and got to the point of recovering the old AD and am running into a problem.

No matter where I look, wbadmin get versions is telling me no backup is found. I can see the folder that it went to (external drive) and do see some files in there.  Any idea why it is telling me there isn't anything there? I have attached an image of the folder where the files are that should have been the backup.

Also, not sure but when I logged into DSRM, typed my password in it logged in fine. My notes say to use the password you used when creating the AD. It loaded new install without AD setup, is that correct still?
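
An added example, not part of the original posts: run without parameters, `wbadmin get versions` lists backups of the local computer, so on a freshly installed server the usual first check is to name the storage location with `-backupTarget`. The script below parses such a listing, picks the newest entry that can recover System State, and prints the `wbadmin start systemstaterecovery` command for review; whether this was the cause in this thread is not confirmed, and the drive letter and sample listing are assumptions.

```powershell
# Added example, not from the thread. $sample is constructed output in the layout
# `wbadmin get versions` prints; the dates, identifiers and drive letter are made up.
$sample = @'
Backup time: 4/4/2014 6:12 PM
Backup target: 1394/USB Disk labeled E:
Version identifier: 04/04/2014-22:12
Can recover: Volume(s), File(s)

Backup time: 4/4/2014 7:40 PM
Backup target: 1394/USB Disk labeled E:
Version identifier: 04/04/2014-23:40
Can recover: Application(s), System State
'@

function ConvertFrom-WbadminVersions([string]$Text) {
    # One entry per blank-line-separated block, each line "Label: value".
    foreach ($block in ($Text -split '(?:\r?\n){2,}')) {
        $entry = @{}
        foreach ($line in ($block -split '\r?\n')) {
            if ($line -match '^\s*([^:]+):\s*(.+?)\s*$') { $entry[$matches[1]] = $matches[2] }
        }
        if ($entry.ContainsKey('Version identifier')) {
            New-Object PSObject -Property @{
                Version        = $entry['Version identifier']
                HasSystemState = [bool]($entry['Can recover'] -match 'System State')
                # Identifier format is MM/DD/YYYY-HH:MM; parsed only for sorting.
                When           = [datetime]::ParseExact($entry['Version identifier'],
                                   'MM/dd/yyyy-HH:mm', [Globalization.CultureInfo]::InvariantCulture)
            }
        }
    }
}

$target = 'E:'   # assumed drive letter of the external disk
# On the rebuilt server feed in the live listing instead of $sample:
#   $text = (wbadmin get versions "-backupTarget:$target") -join "`n"
# Add -machine:<name> when the disk holds backups made under a different computer name.
$latest = ConvertFrom-WbadminVersions $sample |
    Where-Object { $_.HasSystemState } | Sort-Object When | Select-Object -Last 1
if (-not $latest) { throw "No system state backup found on $target" }
# Print the recovery command for review; on a DC it is run from DSRM.
"wbadmin start systemstaterecovery -version:$($latest.Version) -backupTarget:$target"
```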
ZephyrM (Author) Commented:
Whoops forgot the attachment.
backupimage.jpg
ZephyrM (Author) Commented:
So just to let you know where I am currently. I was able to get the system state backup to work, it appears, through Windows Backup and did an authoritative restore. That then brought me back to where I was before, except in my admin tools start menu I have no Active Directory users/groups, DNS, DHCP etc. that I used to have. I am thinking I need to edit something with the domain controller at this point?

I can go through part of AD and see users/groups where I would normally add/edit users. It's just not how I would normally go to get there.

I do have errors like active directory domain services was unable to establish a connection with the global catalog.

Can you recommend the next step in getting this domain back into the forest as it should? (I think that is what needs to happen)

Thanks again!