Best/safest way to backup AD


Allen

Hi.

I was wondering what is the best way and/or the safest way
to back up AD, for a successful restore, if need be.
Can a ghost image of my main DC be used to recover/restore
in a situation where the main DC's hard drives completely
crash?

Thanks

Allen
 

Cary Shultz [A.D. MVP]

Allen,

I would suggest that you have a second Domain Controller. This way if one
goes down you still have the second DC so you are not in a mess (love that
redundancy!). However, even with multiple DCs you still need a backup.
You can either go cheap and use the built-in NTBackup or you can purchase a
third party product, such as Veritas Backup Exec. We use Backup Exec
exclusively and it works well.

To back up your AD you would simply choose to back up the 'System State'. If
you use the DC as a file server then you would need to consider setting up a
second job to back up all the user folders/files.

HTH,

Cary
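
The System State backup recommended above, as a scripted NTBackup job (an added example, not part of the original posts; the folder D:\DCBackup and the job name are assumptions):

```batch
@echo off
rem Added example, not from the thread: System State backup of a DC with the
rem built-in NTBackup. BKDIR and the job name are assumed values.
setlocal
set BKDIR=D:\DCBackup
set BKF=%BKDIR%\%COMPUTERNAME%-systemstate.bkf

if not exist "%BKDIR%" mkdir "%BKDIR%"

rem The System State of a DC includes the AD database (ntds.dit), i.e. the
rem password hashes of every account. Replace the folder ACL so that only
rem Administrators and SYSTEM can read it. "echo y" answers the cacls
rem confirmation prompt; the group names are the English ones.
echo y| cacls "%BKDIR%" /T /G Administrators:F SYSTEM:F >nul

rem Keep one previous generation, and make sure a stale file cannot be
rem mistaken for the backup produced by this run.
if exist "%BKF%" move /y "%BKF%" "%BKF%.prev" >nul

rem /V:yes verifies after writing, /L:s writes a summary log, /M normal = full.
start "" /wait ntbackup backup systemstate /J "%COMPUTERNAME% System State" /F "%BKF%" /V:yes /L:s /M normal

rem NTBackup is a GUI program, so check the result file rather than an exit code.
if not exist "%BKF%" goto failed
for %%F in ("%BKF%") do if "%%~zF"=="0" goto failed

echo System State backup written to %BKF%
exit /b 0

:failed
echo ERROR: no System State backup was produced, check the NTBackup log 1>&2
exit /b 1
```

Run it from the Task Scheduler and copy the .bkf off the DC afterwards; a backup stored only on the disks that crashed does not help in the scenario Allen describes.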
 

Guest

Thanks Cary.

We actually do have a secondary DC (does it become the
primary if the primary goes down?), and we do have Veritas
BackupExec 9.1, with a system state backup on my backup
Job.
However, just to satisfy my curiosity, can making an
Image with Norton Ghost be a good backup? I mean if
something happens, just to pop a new drive to my server,
and restoring that image, would that be a good recovery
for that DC?

Thanks
Allen
 

Cary Shultz [A.D. MVP]

You are welcome.

And to answer your questions:

1) there is no more concept of primary and secondary in WIN2000. A domain
controller is simply that: a domain controller. So, no - the secondary does
not become the primary if the primary goes down. It does become the only /
sole DC if the other one goes down, though. I would use this language to
avoid any confusion.....

2) not a good idea. It will not work. I might suggest that you set up a
test lab and play with this.

HTH,

Cary
 

Eric Fleischman [MSFT]

Just to expand upon something Cary mentioned. While there isn't a concept of
a single "primary" dc in w2k, we do have certain functions which are tied to
a single dc (these dc's are said to hold the fsmo roles). When the owner of
a given role is down, that function can not be performed. The saving grace
is that few of these are truly mission critical in the strictest sense of
the word (although some may argue that subsets of their functionality are in
certain cases) so even if a FSMO role is down for some period of time things
will churn along just fine.

If you query KB on FSMO you'll probably get many hits back talking about
what they are and what they do.

~Eric
 

Cary Shultz [A.D. MVP]

Eric,

Thank you for filling in the holes!

Allen, as Eric stated, there are five FSMO Roles that are important in
WIN2000 Active Directory. These roles are as follows: the Schema Master,
the Domain Naming Master, the PDC Emulator, the RID Master and the
Infrastructure Master. The first two FSMO Roles are Forest-wide and the
last three are Domain-wide. In a single domain tree / forest the roles of
Infrastructure Master and Domain Naming Master are typically not needed
(pretty much what Eric was mentioning).

HTH,

Cary



Allen said:
Thank you very much.

I will try #2 in a test lab environment.

Allen
 

Eric Fleischman [MSFT]

Cary Shultz said:
In a single domain tree / forest the roles of
Infrastructure Master and Domain Naming Master are typically not needed
(pretty much what Eric was mentioning).

I've gotta disagree with you in part there Cary. Keep in mind that with
w2k03 we can create application partitions. In fact, this is done
automatically for two such partitions by DNS. DNS will create a domaindns
and forestdns app partition out of the box (even in a single domain
environment) and the creation of those crossref's will require the domain
naming master to be online. That gives you greater replication control of
your name records for the zones hosted in those app partitions, over and
above what we would have observed if they were in the domain NC.

I agree re: IM though.

~Eric


--
Eric Fleischman [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm



Cary Shultz [A.D. MVP]

Eric,

Sorry for the late reply. I have been really busy of late and am just now
looking at the NG.

Thank you for the correction. I was basing my reply on a WIN2000
environment. I have not really looked at WIN2003 yet as I just have not had
the time. Looks like I am going to have to do this so that I can give
better answers now that WIN2003 is out and a lot of people are posting their
WIN2003 questions here in the WIN2000 NG.

Always learn something from your posts!

Thanks again,

Cary




Eric Fleischman [MSFT]

Oh definitely read up on application partitions (aka NDNC's.....as in
non-domain naming contexts). Very cool. Create a naming context of some sort
and have dc-by-dc replication control on the fly. IE say "I want these 17
dc's to have the nc" and those 17 dc's could be all over the forest. Of
course, using ntdsutil, you can add and remove dc's from that list on the
fly (or adsiedit for the brave).

With w2k03's AD there are some limitations, such as naming. ADAM takes those
sorts of barriers away for us among many others.

We use NDNC's for not too many things out of the box, DNS being the big one.
So you may want to take _msdcs from the forest root and make just that piece
into a forest-wide replication scope where all DNS servers in the forest
get a copy of it (which is in fact done by default) as we know all dc's will
need it for replication. You can further control replication of a given zone
based upon this using the DNS UI or, for the brave, you can of course
control it on a dc-by-dc basis using ntdsutil/adsiedit. The DNS UI has
several good default selections, and those selections work for most people,
but don't think that is all you can do. You can extend it to further areas
should you choose to do so.

~Eric



Cary Shultz [A.D. MVP]

gonna do it when things slow down.

As always, Thank you!

Cary
