In our Backup / DR planning for AD I am devising the following plan.
1. Use Backup Exec or some product that allows you to do some form of Intelligent Disaster Recovery for a total hardware failure. You would use this solution if one of the DCs that holds a FSMO role goes off-line and can't be brought up normally.
2. Use NT Backup and back up all the DC system states and data to a central location for backup.
3. Use ERDISK for AD to back up the AD databases on two servers per domain for object level restores. (Run backup every day for 30 days and store it in a central location.) Use the ERDISK utility to back up the rest of the DC and Network Infrastructure servers. (Run once a week; use this just in case you thwack something in the registry and want a quick way to create ER Disk for recovery.)
Things to keep in mind.
ERDISK for AD must restore to the machine that it backs up from when doing online restore. I would do restores on a box that doesn't hold the FSMO roles just in case you screw up the server in the process. (It probably doesn't matter, but that is why I have a rabbit's foot.)
If you seize a FSMO role from a server that is off-line, you can't bring that original server back with reinstalling the OS and cleaning up the AD metadata. That is why you should have backup solution one in place. If a server goes off-line with a FSMO, don't transfer the role unless you can't recover the server that holds the FSMO role.
Secure Channel Trusts are only good for 15 days. You might have to use NLTEST to reset the trust of a machine you recover from a backup longer than 15 days.
Restore Users first, then groups.
Locate your FSMO Roles as follows for easier DR.
Forest: Schema Master and Domain Naming Master on the same machine. DC or GC.
Domain: PDC Emulator and RID master on same machine. DC or GC.
Infrastructure Master on a DC.
It is probably best to rebuild a DC / GC fresh than continue to use one from a restore.
Hope this helps. Also, this solution is probably best for a large AD. Some think small like around 500 users can probably get by with NTBACKUP and ERDISK for AD.
Todd
-----Original Message-----
From: Eoin Mooney [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 15, 2002 8:16 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] AD backup and restore applications ( besides NTBackup.exe )
Hi all,
Apologies for any transgressions, first time in this mailing group.
I'm looking at/evaluating Active Directory backup and restore products. We have used NTBackup.exe but we found this limiting (we want to back up AD but not Registry info as well (restore turned out to be a problem when PC wiped and rebuilt) and it seems it does not allow us to unselect that option in system backup (unless we are doing it incorrectly :-( )).
I have looked for/found another product but that is all. Do any of you know of other 3rd party AD backup and restore products that I can look at? (I have tried ERDisk by Aelita.)
Thanks for any help
Eoin
