Advice Needed on AD Backup

CP

Dear all,

I would like to back up my AD database. Can anyone advise which files /
system files I should back up in case of AD database corruption? Will the
restore definitely work if we restore the necessary files?

Basically I would like to know more about how we can minimise the impact of AD
failure.

Thanks in advance.

regards
CP
 
CP said:
Dear all,

I would like to back up my AD database. Can anyone advise which files /
system files I should back up in case of AD database corruption? Will the
restore definitely work if we restore the necessary files?

Basically I would like to know more about how we can minimise the impact of AD
failure.

Back up the system drive and system state from the DC.
 
Well, you should add redundancy in your environment, i.e. add another DC
(based upon users), if you are really concerned about the single point of
failure.
You should also do a full backup of the DCs; you should include the "system
state" and SYSVOL as the minimum for the backup. The system state
includes the necessary files (ntds.dit) to restore AD in case of a failure.
The SYSVOL holds all of your GPO .inf files. The replication interval
between DCs is 5 minutes by default, so in case you made an erroneous change on
one DC, and the change has replicated across, you should do an authoritative
restore of the DCs based upon how bad the disaster is. For example, if you
accidentally deleted an OU or a user object, you can do a non-authoritative
restore of those objects from the known good backup. There are some good MS
disaster recovery docs on the MS site.

http://www.microsoft.com/resources/...rv/2003/standard/proddocs/en-us/ctasks001.asp

Also, the backup has a tombstone life of 60 days, meaning that after 60 days
it is a waste; you cannot use it to restore a DC, although you can raise this
default tombstone lifetime by modifying the schema attributes through ADSI.

-Jim
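
Added example, not part of the thread or of Microsoft's documentation: a PowerShell check that compares the age of each system state backup on a DC with the forest's tombstone lifetime mentioned above. It assumes the ActiveDirectory and WindowsServerBackup modules (later tooling than this thread discusses); the function names and the 7-day warning margin are constructed for illustration.

```powershell
# Added example. Assumes the ActiveDirectory (RSAT) and WindowsServerBackup
# modules are installed and the script runs elevated on a domain controller.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime is stored on the Directory Service object in the
    # configuration partition of the forest.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $ds = Get-ADObject -Identity $dn -Properties tombstoneLifetime
    # An unset attribute means the 60-day default applies.
    if ($null -eq $ds.tombstoneLifetime) { return 60 }
    return [int]$ds.tombstoneLifetime
}

function Get-BackupRestoreStatus {
    param(
        [Parameter(Mandatory)] [datetime] $BackupTime,
        [Parameter(Mandatory)] [int] $TombstoneLifetimeDays,
        [int] $WarnDays = 7,               # constructed margin, adjust as needed
        [datetime] $Now = (Get-Date)
    )
    $ageDays  = [int][math]::Floor(($Now - $BackupTime).TotalDays)
    $daysLeft = $TombstoneLifetimeDays - $ageDays
    if ($daysLeft -le 0)             { $status = 'EXPIRED' }
    elseif ($daysLeft -le $WarnDays) { $status = 'EXPIRING' }
    else                             { $status = 'OK' }
    [pscustomobject]@{
        BackupTime = $BackupTime
        AgeDays    = $ageDays
        DaysLeft   = $daysLeft
        Status     = $status
    }
}

$tsl = Get-TombstoneLifetimeDays
Write-Output "Tombstone lifetime: $tsl days"

# Only backup sets that contain system state can restore the AD database.
$sets = Get-WBBackupSet | Where-Object { "$($_.RecoverableItems)" -match 'SystemState' }
$report = foreach ($set in $sets) {
    Get-BackupRestoreStatus -BackupTime $set.BackupTime -TombstoneLifetimeDays $tsl
}
$report | Sort-Object BackupTime -Descending | Format-Table -AutoSize

# Warn when every system state backup is past the tombstone lifetime.
if (-not ($report | Where-Object Status -ne 'EXPIRED')) {
    Write-Warning 'No system state backup is younger than the tombstone lifetime.'
}
```

Running this on a schedule on each DC that takes backups shows when the newest restorable backup is about to age out.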
 
CP,

In addition to having a good working backup I might suggest that you have at
least two Domain Controllers for each domain. This way if one of the
servers crashes you still have that second DC. You would just need to -
among other things - make sure to either transfer or seize the FSMO roles
that the crashed DC held. You can use the GUI or ntdsutil for this. Please
take a look at the following two MSKB articles:

http://support.microsoft.com/?id=255690
http://support.microsoft.com/?id=255504


HTH,

Cary
 
Dear all,

Thanks for your valuable advice, I appreciate it very much. I will go through
the guides given thoroughly.

regards
CP
 