You could indeed schedule NTBackup to do a backup to disk locally;
install a second HD just for that, then back that up to tape. It's
pretty simple, really. It would also eliminate the need for DA rights
for the backup account. Evaluate how you will restore the DCs in the
event of a failure. Will you actually restore the backup or would you
wipe and rebuild and let replication take care of synching AD? How will
the remote office handle a dead DC while you restore or rebuild?
Determining your recovery method will provide clarity for your backup
solution.

We use a different local backup account for every server, and use Steve
Riley's passgen to change the account pws regularly via scripting.
Backup accts are a known attack vector, and using a domain-level account
for that access allows an attacker to compromise one machine and then
use that account for attacking other machines. When using local accounts
for backup, it significantly reduces that risk. Makes for a more
complicated backup configuration, but they aren't paying me to just do
the easy stuff.

For DCs I use an account that is a member of the Administrators group in
the domain rather than the Domain admins group. It's a minor but
significant difference in that the account for the DCs cannot log on to
member servers. I would much prefer that I could use a backup operators
group account to back up system state on a DC, or that there was another
type of account that could back that up but had no other rights.

BTW; if you provide the remote admins the ability to restart the DCs and
they have physical access, they own those DCs and there's nothing you
can do about it. Our model was to not put DCs in remote offices,
especially since there were no resource servers in those offices. We had
pulled all resources back to HQ and upped the WAN links to reduce
latency, which allowed me to avoid remote DC placement. Works well for
us, and makes security design simpler. YMMV...

**********************
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************
 
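Charlie's suggested setup, scripted as an added example that is not part of the original thread: it schedules NTBackup on a Windows Server 2003 DC to write system state to a second local disk under a dedicated account, and refuses to schedule the job if that account turns out to be a Domain Admin. The domain name CORP, the account svc-dcbackup and the E:\DCBackup path are placeholders to adjust for your environment.

```batch
@echo off
rem Added example, not from the original thread. Schedules a nightly
rem NTBackup system-state dump to a dedicated local disk on a DC, run
rem under an account that is deliberately NOT in Domain Admins.
setlocal
set BKDIR=E:\DCBackup
set BKACCT=CORP\svc-dcbackup
set BKUSER=%BKACCT:*\=%
set BKFILE=%BKDIR%\%COMPUTERNAME%-sysstate.bkf

rem 1. Refuse to proceed if the backup account is a Domain Admin; the
rem    point is to keep a DA credential out of the scheduled task.
net group "Domain Admins" /domain | findstr /i /c:"%BKUSER%" >nul
if not errorlevel 1 (
    echo %BKACCT% is a member of Domain Admins. Fix that before scheduling.
    exit /b 1
)

rem 2. Backup target on its own disk, readable only by Administrators and
rem    SYSTEM: the .bkf contains NTDS.DIT and every password hash in it.
if not exist "%BKDIR%" mkdir "%BKDIR%"
echo y| cacls "%BKDIR%" /T /G "BUILTIN\Administrators:F" "NT AUTHORITY\SYSTEM:F" >nul

rem 3. Nightly job. /R:yes restricts the backup set to owner/admins, /V:yes
rem    verifies it, /L:s writes a summary log. /rp * prompts for the task
rem    password at creation time so it is never stored in this script.
schtasks /create /tn "DC System State" ^
  /tr "%SystemRoot%\system32\ntbackup.exe backup systemstate /J \"SystemState\" /F \"%BKFILE%\" /M normal /V:yes /R:yes /L:s" ^
  /sc daily /st 01:00 /ru "%BKACCT%" /rp *
endlocal
```

The tape product then picks up the .bkf from E:\DCBackup as an ordinary file, so its own service account needs no rights on the DC beyond reading that directory.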

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
> Sent: Tuesday, October 18, 2005 6:29 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Veritas and DC backup
> 
> Hi Charlie
> 
> Thanks for that, yeah basically it works under DA/EA but that's overkill
> as I only want to delegate basic stuff to site admins (yeah, problem with
> distributed control :(
> 
> Any suggestions...of course other than buying Quest ADRestore
> (wishlist)..otherwise I'll most probably back up to a remote disk and get
> Veritas to back that up as a file (two step, troublesome)...
> 
> 
> 
> Thank you and have a splendid day!
> 
> Kind Regards,
> 
> Freddy Hartono
> Group Support Engineer
> InternationalSOS Pte Ltd
> mail: [EMAIL PROTECTED]
> phone: (+65) 6330-9740 - temp
> 
> -----Original Message-----
> From: Charlie Kaiser [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, October 18, 2005 9:27 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Veritas and DC backup
> 
> One of my peeves with BE; it requires domain admin rights to completely back
> up a DC. You can't get system state without it.
> http://seer.support.veritas.com/docs/243033.htm
> 
> 
> **********************
> Charlie Kaiser
> W2K3 MCSA/MCSE/Security, CCNA
> Systems Engineer
> Essex Credit / Brickwalk
> 510 595 5083
> **********************
>  
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
> > Sent: Tuesday, October 18, 2005 3:34 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] Veritas and DC backup
> > 
> > Hi all,
> > 
> > Just a quick question, is anyone using Backup Exec to back up domain
> > controllers - remotely perhaps?
> > 
> > Basically we have a distributed model here and we are trying to let the
> > site admins manage the domain controllers (in terms of restarting the
> > server) - yeah I know this is bad - and do backups but without the
> > ability of Domain Admins.
> > 
> > The only problem that we have is that we are unable to back up using
> > Backup Operators rights via Veritas 9 - for some reason. And even if we
> > come to that part - Backup Operators will have logon rights to all
> > machines in the domain (by default)... which is bad
> > 
> > Any ideas please? Sort of bad as we do not have 24/7 domain admins on
> > rotation..
> > 
> > 
> > Thank you and have a splendid day! 
> > 
> > Kind Regards,
> > 
> > Freddy Hartono
> > Group Support Engineer
> > InternationalSOS Pte Ltd
> > mail: [EMAIL PROTECTED]
> > phone: (+65) 6330-9740 - temp
> > 
> > 
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/