Best practices for Domain Controller backups in Server 2008

AMD_Gamer

What do you use to back up Server 2008 DCs? Can you create a full disk image and then, if something happens, just re-image, or does that cause problems with replication?

Also, I have Server 2008 and was looking to use the built-in Windows Backup along with Backup Exec, but I have been reading that Backup Exec 12.5 is not supported in 2008 R2?
 
I like image based backups now.....they're becoming quite the standard. Benefit? Restore time!
Versus...just doing a backup of AD. Server goes Tango Uniform....and restoring requires a fresh install to get a bootable serviceable OS..so you can run NTBackup and restore your AD..and then iron out the kinks.
 
So you just lose any changes to AD made since that image was made? Will a backup DC on the domain replicate that to the old image?
 
> Server goes Tango Uniform....and restoring requires a fresh install to get a bootable serviceable OS..so you can run NTBackup and restore your AD..and then iron out the kinks.

Actually not anymore. The Server 2008 / 2008 R2 / Vista / 7 Windows Backup that replaced NTBackup is an actual image backup based on the Acronis engine.

We use Windows Backup for our internal environment and it works great. You can restore the backup by just booting the Windows install disk and selecting "Repair your computer". You can also convert the backup to a Windows VHD so that you can mount it; unfortunately you can't boot from it, but oh well.

The only disadvantage is that you can't do incrementals over the wire, so that means you have to have a script that does a new backup every day to a new folder, which means you get a week of retention max.
 
Are these physical machines or virtual?

It is going to depend on what kind of downtime or disaster recovery procedure you are capable of recovering from.

Windows Backup has many restrictions in the latest version. For scheduled backups it can for the most part only save to a local drive or USB-attached storage. No network backups or tape or anything. This isn't a bad thing if you only have one server and just attach a USB rotation to it. I can't speak on Backup Exec's behalf for DC backup complexity. I'm sure it will work fine.

Regarding replication: there are a few ways to recover. If the server fails and cannot be brought back online, you will need to seize its roles (if it had any) to the other domain controller using ntdsutil. You would then rebuild your failed DC, rejoin it to the domain, promote it to DC using dcpromo, and allow normal replication to occur (transfer back any roles). This would be a non-authoritative restore.

Another possible scenario would be if an administrator accidentally deleted a bunch of OUs or made some large change that needed to be restored to a previous time. In this case, you will want to restore from a system state backup again (or just the ntds.dit file if you are only backing that up) and then use Directory Services Restore Mode to make that restored domain controller the authoritative server, and all other servers would replicate from it.

I would suggest working on a disaster recovery plan that includes the domain controllers. Also remember that you have two to begin with, so if you are backing up those I would send it off site since you are pretty safe onsite.
 
> Windows Backup has many restrictions in the latest version. For scheduled backups it can for the most part only save to a local drive or USB-attached storage. No network backups or tape or anything. This isn't a bad thing if you only have one server and just attach a USB rotation to it.

Also not true. In Server 2008 R2 and Windows 7, backups to network locations are fully supported over UNC path; however, again, they are not able to do incremental backups to a remote location. Windows 2008 is also able to back up remotely; however, it is not supported.

A simple script for doing network backup would be this:

wbadmin start backup -backupTarget:\\backuptarget\backupshare -allcritical -include:C: -vssFull -quiet

If you are using 2008 R1 remove -allcritical
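
The "new backup every day to a new folder" approach mentioned earlier in this thread, written out as an added example (not code posted by any participant): a PowerShell script, intended to run as a daily scheduled task, that rotates full wbadmin backups across seven weekday folders on the share named in the post above. The log path is an assumption; the share should be ACL-restricted, since a DC image contains ntds.dit and with it every account's password hashes.

```powershell
# Added example, not from the thread: weekday-rotated full backup of a DC
# to a UNC share, giving the one week of retention described above.
$share   = '\\backuptarget\backupshare'        # share name used in the post
$logFile = 'C:\Scripts\dc-backup.log'          # assumed log location

# Enum names are always English (Monday..Sunday), independent of OS locale.
$day    = (Get-Date).DayOfWeek.ToString()
$target = Join-Path $share $day

if (-not (Test-Path $target)) {
    New-Item -ItemType Directory -Path $target | Out-Null
}

# A backup written to a remote folder replaces the previous backup of the
# same computer in that folder, so each weekday folder holds one full image.
# On Server 2008 (non-R2), drop -allCritical as noted in the post.
$wbArgs = @(
    'start', 'backup',
    "-backupTarget:$target",
    '-allCritical',
    '-include:C:',
    '-vssFull',
    '-quiet'
)
& wbadmin.exe $wbArgs
$rc = $LASTEXITCODE

# Record every run so a silently failing task is visible on review.
$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
Add-Content -Path $logFile -Value "$stamp target=$target exitcode=$rc"

# Propagate failure so Task Scheduler shows a non-zero last run result.
if ($rc -ne 0) { exit $rc }
```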
 
snapshots?

Snapshots are not backups, and should never be treated as such. They are a snapshot of a system state that you can revert back to if you are testing out a configuration. I can not tell you how many times recovering a machine from a snapshot has failed or caused larger issues.
 
Please read that I said scheduled backups are not allowed on anything except local and USB drives. Obviously you can create a manual script around this. It's just not supported. Please see my included quote and link:

http://technet.microsoft.com/en-us/library/cc770266(WS.10).aspx

"Also, if you are a current user of the previous backup feature (Ntbackup.exe) that shipped in earlier versions of Windows, and plan to switch to the new Windows Server Backup, you might be affected by the following issues and changes:

You will need a separate, dedicated disk for running scheduled backups."

> Also not true. In Server 2008 R2 and Windows 7, backups to network locations are fully supported over UNC path; however, again, they are not able to do incremental backups to a remote location. Windows 2008 is also able to back up remotely; however, it is not supported.
>
> A simple script for doing network backup would be this:
>
> wbadmin start backup -backupTarget:\\backuptarget\backupshare -allcritical -include:C: -vssFull -quiet
>
> If you are using 2008 R1 remove -allcritical
 
This I agree with. I'm not sure through what technologies, but it seems like it would be easier to back up just the VHD on a scheduled basis rather than do a full system state backup. Especially since it can be done for all the VMs and into a central data store. We use Veeam here to back up VMs but I'm not sure of the costs.

 
> Snapshots are not backups, and should never be treated as such. They are a snapshot of a system state that you can revert back to if you are testing out a configuration. I can not tell you how many times recovering a machine from a snapshot has failed or caused larger issues.

Nope, snapshots are a COW implementation (change on write). Saving the snapshot doesn't really do anything for you.

Now, taking a snapshot, copying the vmdk, then removing the snapshot. That's the ticket.
 
> Please read that I said scheduled backups are not allowed on anything except local and USB drives. Obviously you can create a manual script around this. It's just not supported. Please see my included quote and link:
>
> http://technet.microsoft.com/en-us/library/cc770266(WS.10).aspx
>
> "Also, if you are a current user of the previous backup feature (Ntbackup.exe) that shipped in earlier versions of Windows, and plan to switch to the new Windows Server Backup, you might be affected by the following issues and changes:
>
> You will need a separate, dedicated disk for running scheduled backups."

Server 2008 R2 can do schedule over network.
 
So full image restores work fine in a domain environment? Just re-image and everything should work like it did before the disaster?
 
> So full image restores work fine in a domain environment? Just re-image and everything should work like it did before the disaster?

That's exactly how it goes. I've done it a few times.

EDIT: I've even used it to recover partitions when I changed mine all around.
 
> So full image restores work fine in a domain environment? Just re-image and everything should work like it did before the disaster?

Sort of, a member server yes. A domain controller has a few extra steps required for everything to work properly.
 