Backing-up Domain Controller

StarTrek4U (Gawd; joined Jan 8, 2003; 1,011 messages)
So I'm installing and configuring a new backup software at my organization and I've been thinking about if I should even bother to back up my domain controllers. I have two in my organization, both running in an HA VMware cluster (3 hosts, the DCs are on separate hosts). The VMware setup is highly redundant using multiple network paths, hardware redundancy, etc.

So as I'm thinking about this it appears that the likelihood of both DCs going down is very low, and even if one/both did, at that point it would be easier just to rebuild them instead of trying to do a fresh Windows install then restore certain parts, etc. Especially considering that if both are lost chances are I have a much bigger problem on my hands anyway (DR here we come!).

I'm wondering what other people do with their setups and if I'm smoking something or if in the real world this makes sense.
 
You should always perform a full backup of Active Directory and/or the primary DC.

Backup DCs, it's best to back up, so in the event one goes bye-bye you don't have to manually rip out the metadata from AD.
 
Especially considering that if both are lost chances are I have a much bigger problem on my hands anyway (DR here we come!)

Why would you want to add to your problems because you don't have a backup for your AD? Back up nightly, and keep a weekly backup offsite.
 
NTBackup or, if you're using 2008, wbadmin. NTBackup is what I've used to back up a DC and also restore from in a DR scenario.
 
NT backup is what I have been using, and I guess will continue to use. I guess my thought was that in the event that both my DCs are gone I would be in some sort of major DR mode in which case it would be easier to just build two new DCs and make a new domain from scratch... however now that I think that through a bit more I'm realizing the serious problems that would probably create... so, backups it is!
 
No, it wouldn't be easier because then you have to recreate all of the user accounts, set up their computers, copy over files and so on.

It is easier to just load a backup.
 
NT backup is what I have been using, and I guess will continue to use. I guess my thought was that in the event that both my DCs are gone I would be in some sort of major DR mode in which case it would be easier to just build two new DCs and make a new domain from scratch... however now that I think that through a bit more I'm realizing the serious problems that would probably create... so, backups it is!

Restore a domain controller from NTBackup and you'll see just how easy it really is. ;)

You could restore it in a virtualized environment and test it out for yourself. It's really simple and it works like a champ too.
 
I thought best practices were to keep at least part of your core services (AD, DHCP, DNS) physical. Backups are fine for virtual, but especially if your VM environment relies on these core services - you could be creating a catch-22 situation, especially considering how picky VMware is about DNS.

That said, I know it's entirely possible to bring up an environment manually (say if your vCenter server relied on AD, and you use manually config'd hosts files [as you should]) but it sure would be easier if you had some form of core services available physical instead of having to console to each ESX host and manually start VMs.

As for AD backups - use NTBackup ;)
 
Question. When restoring AD from NTBackup, what would the process be?

Do you install the OS and then restore from backup or do you install the OS, make the domain and then restore all AD objects from backup?

Just wondering in case of a disaster. I haven't had to do this yet and I hope I never do.
 
Question. When restoring AD from NTBackup, what would the process be?

Pray.

Honestly, restoring AD is a pain in the ass for production environments, to the point where I would recommend using a good backup software with support from the vendor.
 
Question. When restoring AD from NTBackup, what would the process be?

Do you install the OS and then restore from backup or do you install the OS, make the domain and then restore all AD objects from backup?

Just wondering in case of a disaster. I haven't had to do this yet and I hope I never do.

Straight from the horse's mouth.

TechNet Library
 
Backups are useful for situations other than a full loss of a DC as well.

Say your HR department needs to have the passwords for a lot of very seldom used accounts (2500 or so) reset to a known value based off of the individual's personal information so they can use a web-based benefits system for the yearly renewal of insurance. Say they inverted the data and instead of having you reset the passwords on the accounts for the 2500 least active users, they have you reset the passwords for the 2500 most active users. Your helpdesk begins lighting up like a Christmas tree.

Just having multiple DCs does nothing for you in this situation.

Having an NT backup file to perform an authoritative restore of just the user OUs, getting 98 percent of the 2500 users back in action an hour later saving the helpdesk from having to do 2500 user password reset calls. Priceless.

And they never found the body of the HR person who gave me that input file...
 