Troubleshooting Question

Active Directory Database, SYSVOL and System State in Windows Domain Controllers

84 Views
Last Modified: 2020-09-29
Should we backup the Active Directory Database, SYSVOL and System State in the domain controllers?

Are we able to restore a deleted object like a user account from it?

If yes, what would be the repercussions after a restore of an object or the AD database? Like replication issues?

Hello There, System Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Should we backup the Active Directory Database, SYSVOL and System State in the domain controllers?
It's a good practice to do a backup of the system state. A combination of the system state backup and a multi-DC environment is usually what admins consider enough.

Are we able to restore a deleted object like a user account from it?
Enable Active Directory Recycle Bin to be able to restore a deleted object. Do not restore AD for this purpose.

If yes, what would be the repercussions after a restore of an object or the AD database? Like replication issues?
In those cases, you don't restore objects this way. It would break things. You usually restore objects with AD Recycle Bin or you simply recreate a user or group manually. This is a much safer way than operations with AD restore that might break things.

You restore AD in case you have one crashed DC in the network. If you have multiple DCs, you simply rebuild a crashed DC, install all roles and let it replicate.
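As an added example (not code from the thread), this is what the Recycle Bin route recommended above looks like in PowerShell: it checks that the feature is enabled, finds the deleted user, brings back a deleted parent OU first if needed, and restores the object as an ordinary replicated write. It assumes the ActiveDirectory RSAT module; the function names and the account name in the usage line are hypothetical.

```powershell
# Added example, not from the thread: restore a deleted user via the AD Recycle Bin.
# Assumes the ActiveDirectory RSAT module; the account name passed in is hypothetical.
Import-Module ActiveDirectory

function Test-ADRecycleBin {
    # EnabledScopes stays empty until the optional feature has been enabled forest-wide.
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    return [bool]$feature.EnabledScopes
}

function Restore-DeletedParentChain {
    # If the OU that held the object was deleted as well, it has to come back first;
    # Restore-ADObject fails when the object's last known parent does not exist.
    param([string]$ParentDn)
    $parent = Get-ADObject -Identity $ParentDn -IncludeDeletedObjects -Properties isDeleted, lastKnownParent
    if ($parent.isDeleted) {
        Restore-DeletedParentChain -ParentDn $parent.lastKnownParent
        Restore-ADObject -Identity $parent.ObjectGUID
    }
}

function Restore-DeletedADUser {
    param([Parameter(Mandatory)][string]$SamAccountName)

    if (-not (Test-ADRecycleBin)) {
        throw 'AD Recycle Bin is not enabled: the object is only a tombstone and cannot be fully recovered this way.'
    }

    # Deleted objects sit under CN=Deleted Objects and are hidden unless explicitly requested.
    $obj = Get-ADObject -LDAPFilter "(&(sAMAccountName=$SamAccountName)(isDeleted=TRUE))" `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
    if (-not $obj) { throw "No deleted object with sAMAccountName '$SamAccountName' was found." }

    Restore-DeletedParentChain -ParentDn $obj.lastKnownParent
    Restore-ADObject -Identity $obj.ObjectGUID

    # The restore is a normal directory write that replicates to the other DCs: no
    # authoritative restore, no DC reboot, which is why it is the safer route.
    # The SID and group memberships (memberOf) come back with the object.
    return Get-ADUser -Identity $SamAccountName -Properties MemberOf, whenChanged
}

# Usage (hypothetical account name):
# Restore-DeletedADUser -SamAccountName 'jdoe'
```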
Hypercat (Deb), President
CERTIFIED EXPERT

Commented:
Many of the more robust 3rd party backup software packages have the ability to back up the system state and Active Directory objects. Some also claim (for example, Backup Exec) that they can restore individual user accounts and other objects. However, I've never had a need to test whether this actually works. I would think of it as a last-ditch solution in the case of a crashed/non-functional DC where there are no other DCs on the network. As Hello There mentioned, it seems safer to simply recreate the account or group or rebuild the server completely if possible.
kevinhsieh, Network Engineer
CERTIFIED EXPERT

Commented:
AD Recycle Bin has been generally available for about 10 years now. You really, really should have AD Recycle Bin enabled. You also really need to have complete backups of at least 1 full domain controller in case of catastrophic disaster such as ransomware disabling your domain controller(s). Having multiple DCs is also good, but you first need full backups of a DC (and have the backup protected against ransomware) and AD Recycle Bin.
https://www.lepide.com/blog/how-to-enable-ad-recycle-bin/ 
Gibo, Systems Engineer

Author

Commented:
Can't enable AD recycle bin as the current domain or forest functionality is 2003; we have old Windows servers like 2008, and that option is greyed out too.

Thanks for sharing all your good info & points.
kevinhsieh, Network Engineer
CERTIFIED EXPERT

Commented:
Do you have Windows 2003 Domain Controllers? If you don't, then you can upgrade your domain and forest levels. You can have a Windows 2003 domain member in a 2008, 2008 R2, 2012, 2012 R2, or 2016 level domain.
Gibo, Systems Engineer

Author

Commented:
Plus, our backups do not include the granular restore of a deleted AD object, i.e. they can only restore the AD database.

Does the AD database include the SYSVOL & system state as well?

Please advise.
Gibo, Systems Engineer

Author

Commented:
I can check. I think the oldest Windows domain controller we have is a 2012, with 2008 domain member servers.

If we have a 2012 DC as the oldest, what domain or forest functionality should we raise it up to in order to get that "recycle bin" option in AD?
kevinhsieh, Network Engineer
CERTIFIED EXPERT

Commented:
AD Recycle Bin requires 2008 R2 or higher. As long as you don't plan on introducing new earlier OS versions of DCs, do as high as your current DCs will allow.
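Added example (not from the thread) of the check-then-raise procedure discussed above: inventory the DC operating systems across the forest, refuse to proceed if any DC is older than 2012, raise every domain and then the forest to the 2012 ceiling, and enable the Recycle Bin. It assumes the ActiveDirectory RSAT module and Enterprise Admins rights; the function names are hypothetical, and the final call runs with -WhatIf so nothing changes until you drop that switch.

```powershell
# Added example, not from the thread: inventory DC OS versions, then raise the
# functional levels to the 2012 ceiling and enable the Recycle Bin. Assumes the
# ActiveDirectory RSAT module and Enterprise Admins rights; run with -WhatIf first.
Import-Module ActiveDirectory

function Get-DCInventory {
    # Functional levels constrain domain controllers only; the 2008 member servers
    # mentioned in the question are not affected by raising them.
    foreach ($domain in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter * -Server $domain |
            Select-Object HostName, Domain, OperatingSystem, IsGlobalCatalog, IsReadOnly
    }
}

function Get-ADLevelStatus {
    [pscustomobject]@{
        ForestMode = (Get-ADForest).ForestMode
        DomainMode = (Get-ADDomain).DomainMode
        RecycleBin = [bool](Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"').EnabledScopes
    }
}

function Update-ADLevelsTo2012 {
    param([switch]$WhatIf)

    # Guard: a single DC below 2012 anywhere in the forest blocks the raise.
    $old = Get-DCInventory | Where-Object { $_.OperatingSystem -match '2003|2008' }
    if ($old) { throw "DCs older than 2012 still exist: $($old.HostName -join ', ')" }

    # Every domain must be at the target level before the forest level can follow.
    foreach ($domain in (Get-ADForest).Domains) {
        Set-ADDomainMode -Identity $domain -DomainMode Windows2012Domain -Confirm:$false -WhatIf:$WhatIf
    }
    Set-ADForestMode -Identity (Get-ADForest) -ForestMode Windows2012Forest -Confirm:$false -WhatIf:$WhatIf

    # Recycle Bin needs Windows2008R2Forest or higher. Plan both steps as one-way:
    # levels can only be lowered in narrow cases, and the feature cannot be disabled.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
        -Target (Get-ADForest).RootDomain -Confirm:$false -WhatIf:$WhatIf
}

Get-DCInventory | Sort-Object OperatingSystem | Format-Table -AutoSize
Get-ADLevelStatus
Update-ADLevelsTo2012 -WhatIf
```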
Gibo, Systems Engineer

Author

Commented:
I am concerned that if we raise the domain functionality it may create issues with our older Windows 2008 domain member servers, with a Windows 2012 server as the oldest domain controller.
System Administrator
CERTIFIED EXPERT
Distinguished Expert 2018
Commented:
Gibo, Systems Engineer

Author

Commented:
"To the highest possible which is Windows Server 2012 domain functional level in your case."

So raising to Windows Server 2012, the "recycle bin" option becomes available in AD?

Please confirm, thanks.
Hello There, System Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Yes, correct.
Gibo, Systems Engineer

Author

Commented:
Please note, we have another forest trust to this forest but w/ a functionality of Windows Server 2016 & I see the "recycle bin" option is available.
Gibo, Systems Engineer

Author

Commented:
1st forest w/ .com domain & 2nd trusted forest w/ .local domain
Gibo, Systems Engineer

Author

Commented:
1st forest .com domain has 2003 functionality level while 2nd forest .local domain has 2016 functionality level

No issues if we raise 2003 to 2012?
Hello There, System Administrator
CERTIFIED EXPERT
Distinguished Expert 2018
Commented:
Gibo, Systems Engineer

Author

Commented:
Noted, thanks!
Hello There, System Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
You are welcome!
DrDave242, Principal Support Engineer
CERTIFIED EXPERT
Commented:
Gibo, Systems Engineer

Author

Commented:
Noted.

Which domain controller/s should have their Active Directory Database, SYSVOL and System State as backups?

Is there a specific DC or any DC will suffice?
kevinhsieh, Network Engineer
CERTIFIED EXPERT

Commented:
Any full DC that is a global catalog server and holds DNS. Remember that every full DC is equal.
Backing up an RODC for the purposes of AD recovery is pointless.
If you have more than 1 domain, you need a backup of a DC from each and every domain.
Gibo, Systems Engineer

Author

Commented:
Noted, good info to know, thank you!
Gibo, Systems Engineer

Author

Commented:
a full DC would mean any DC that holds the GC & AD DNS and/or any FSMO roles?
DrDave242, Principal Support Engineer
CERTIFIED EXPERT

Commented:
I believe a "full DC" in this context just means a writable DC (i.e., not a read-only DC, if you have any of those in your environment).

FSMO roles aren't really important in terms of selecting a DC to back up; they can always be seized in the event of a complete disaster. If you have all of them on a single DC, though, you may as well back that one up, assuming it's also a GC and DNS server.

Also, note that system state on a DC includes the AD database and SYSVOL:

https://support.arcserve.com/s/article/202835575?language=en_US
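Added example (not code from the thread) putting the two answers above together: for each domain in the forest it picks one writable global catalog that runs DNS (preferring an FSMO holder when there is one) and takes a Windows Server Backup system state backup there, which already contains the AD database and SYSVOL. It assumes the ActiveDirectory and WindowsServerBackup modules, Windows PowerShell 5.1 for Get-Service -ComputerName, and a hypothetical dedicated backup volume E: on each DC; the function names are hypothetical.

```powershell
# Added example, not from the thread: pick one writable GC that runs DNS in each
# domain and take a Windows Server Backup system state backup there. Assumes the
# ActiveDirectory and WindowsServerBackup modules, Windows PowerShell 5.1 for
# Get-Service -ComputerName, and a hypothetical dedicated backup volume E: per DC.
Import-Module ActiveDirectory

function Get-BackupCandidateDC {
    param([Parameter(Mandatory)][string]$Domain)
    # "Full DC" per the thread: writable (not an RODC) and a global catalog, with DNS running.
    Get-ADDomainController -Filter * -Server $Domain |
        Where-Object { -not $_.IsReadOnly -and $_.IsGlobalCatalog } |
        Where-Object { (Get-Service -Name DNS -ComputerName $_.HostName -ErrorAction SilentlyContinue).Status -eq 'Running' } |
        Sort-Object { $_.OperationMasterRoles.Count } -Descending |  # FSMO holder first, if any
        Select-Object -First 1
}

function Start-DCSystemStateBackup {
    param([Parameter(Mandatory)][string]$DcHost, [string]$VolumePath = 'E:')
    # System state on a DC already contains NTDS.dit (the AD database) and SYSVOL,
    # plus the registry, COM+ and boot files, so no separate AD or SYSVOL job is needed.
    Invoke-Command -ComputerName $DcHost -ArgumentList $VolumePath -ScriptBlock {
        param($vol)
        Import-Module WindowsServerBackup
        $policy = New-WBPolicy
        Add-WBSystemState -Policy $policy
        Add-WBBackupTarget -Policy $policy -Target (New-WBBackupTarget -VolumePath $vol)
        Start-WBBackup -Policy $policy
    }
}

# One backup per domain, as kevinhsieh advises. Copy the result to storage the DC
# cannot write to (offline or immutable) so ransomware on the DC cannot destroy it.
foreach ($domain in (Get-ADForest).Domains) {
    $dc = Get-BackupCandidateDC -Domain $domain
    if (-not $dc) { Write-Warning "No writable GC running DNS found in $domain"; continue }
    Start-DCSystemStateBackup -DcHost $dc.HostName
}
```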

Gibo, Systems Engineer

Author

Commented:
Noted, with thanks.
Gibo, Systems Engineer

Author

Commented:
Sorry for dragging out too many questions. Since we cannot restore the deleted accounts anymore from AD using this path, is it possible to restore their MS 365 email backups & mount them to their newly re-created accounts as separate mailboxes?

We are in a hybrid Exchange environment, i.e. an on-premises AD/Exchange & Office 365.

You can answer or not, since it's already getting out of this topic, but I would appreciate any feedback, thanks.
Gibo, Systems Engineer

Author

Commented:
Opened another question for the mailboxes.