Does anyone have experience with this?

I have some. I can only speak to separating and backing up only the AD DB state without registry, etc.

We used to use this method a lot in testing AD. We had a little utility / unit test called dsback.exe that would just trigger AD's streaming backup / restore support. It basically worked.

Achtung! Note, this is VERY different than just copying off the AD DB, and copying it back later. This uses the regular backup / restore infrastructure, so it does the right things, and changes the invocation ID during restore.

We only worked w/in a fairly narrow constraint when doing such testing, though, which is that the restore was back to the same machine, which had not changed its DC state. Also the backup we used was never very old, i.e. made hours or at most a few days before. We didn't restore just the AD DB to fresh install (obviously this wouldn't work). Also I'm 91% sure we didn't restore the AD DB to a different DC. I'm fairly certain anything but the same DC backup/restore is unlikely to work, or will have some issues.

The problem with even the limited case I mention above is that it is not entirely clear what security sub-systems expect the AD DB and registry to be in sync ... i.e. perhaps machine account password changing (or any of probably a dozen to several dozen suspect operations) requires the two to be in sync. We wouldn't know such issues until someone managed to get a backup / restore spanning such an event, and given the limited time nature of our testing w/ this method, it was unlikely we shook out any issues there.

Is it supported?

No. Achtung! If you come to PSS w/ problems, and they learn how you've done this (and if you hide it, you're just an <one of my favorite offensive words deleted>), the first thing they'll ask is, "Do you have any real backups of system state?"

What are the dangers of using such a system?

Unknown. I can't even say I'm convinced there isn't a big bad hairy monster hiding in this closet; frankly I don't know. I do know it will work for the AD DB most of the time. I myself wouldn't do it to production.

Cheers,
BrettSh

On Wed, 3 May 2006, Almeida Pinto, Jorge de wrote:

> I do have thoughts what could go wrong, but was wondering if someone has
> experience with this. Anyone? Anyone?
>
> Met vriendelijke groeten / Kind regards,
> Ing. Jorge de Almeida Pinto
> Senior Infrastructure Consultant
> MVP Windows Server - Directory Services
>
> LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
> Tel : +31-(0)40-29.57.777
> Mobile : +31-(0)6-26.26.62.80
> E-mail : <see sender address>
>
> ________________________________
>
> From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de
> Sent: Tue 2006-05-02 15:30
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] backup/restore of DCs with third party tool
>
> Hi,
>
> I was wondering if someone has any experience with "HP Openview Storage data
> Protector Manager" concerning the backup and restore of domain controllers.
>
> With NTBACKUP and third party backup/restore tools I have worked with until
> now to backup/restore a DC you needed to select the system state which
> contains the following components:
>
> * "COM+ Class Registration database" (always included)
> * "Boot files including the system files" (always included)
> * "Certificate Services database" (only for certificate services server)
> * "Active Directory directory service" (only for directory server)
> * "SYSVOL structure" (only for directory server)
> * "Cluster service information" (only for cluster server)
> * "IIS Metabase" (only for IIS server)
>
> Microsoft defined the system state as the collection of these components and
> during backup or restore it was always an all-or-nothing selection. Of course
> there is a good reason for that as several components interact/work with each
> other.
>
> However, with "HP Openview Storage data Protector Manager" the possibility
> exists to select individual components of the system state during backup or
> restore.
> I wonder what the impact is of restoring individual components of the system
> state (not all) (e.g. only AD without SYSVOL and registry, etc.)
>
> Can anyone elaborate on that? Does anyone have experience with this?
>
> Thank you!
>
> Cheers,
> jorge
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/