RE: [ActiveDir] Veritas and DC backup

2005-10-19 Thread Charlie Kaiser
You could indeed schedule NTBackup to do a backup to disk locally;
install a second HD just for that, then back that up to tape. It's
pretty simple, really. It would also eliminate the need for DA rights
for the backup account. Evaluate how you will restore the DCs in the
event of a failure. Will you actually restore the backup or would you
wipe and rebuild and let replication take care of synching AD? How will
the remote office handle a dead DC while you restore or rebuild?
Determining your recovery method will provide clarity for your backup
solution.

We use a different local backup account for every server, and use Steve
Riley's passgen to change the account pws regularly via scripting.
Backup accts are a known attack vector, and using a domain-level account
for that access allows an attacker to compromise one machine and then
use that account for attacking other machines. When using local accounts
for backup, it significantly reduces that risk. Makes for a more
complicated backup configuration, but they aren't paying me to just do
the easy stuff.

For DCs I use an account that is a member of the Administrators group in
the domain rather than the Domain admins group. It's a minor but
significant difference in that the account for the DCs cannot logon to
member servers. I would much prefer that I could use a backup operators
group account to back up system state on a DC, or that there was another
type of account that could back that up but had no other rights.

BTW; if you provide the remote admins the ability to restart the DCs and
they have physical access, they own those DCs and there's nothing you
can do about it. Our model was to not put DCs in remote offices,
especially since there were no resource servers in those offices. We had
pulled all resources back to HQ and upped the WAN links to reduce
latency, which allowed me to avoid remote DC placement. Works well for
us, and makes security design simpler. YMMV...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Freddy HARTONO
 Sent: Tuesday, October 18, 2005 6:29 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Veritas and DC backup
 
 Hi Charlie
 
 Thanks for that, yeah basically it works under DA/EA but that's an overkill
 as I only want to delegate basic stuff to site admins (yeah problem with
 distributed control :(
 
 Any suggestions...of course other than buying quest adrestore
 (wishlist)..otherwise I'll most probably backup to a remote disk and get
 veritas to backup that as a file (two step troublesome)...
 
 
 
 Thank you and have a splendid day!
 
 Kind Regards,
 
 Freddy Hartono
 Group Support Engineer
 InternationalSOS Pte Ltd
 mail: [EMAIL PROTECTED]
 phone: (+65) 6330-9740 - temp
 
 -Original Message-
 From: Charlie Kaiser [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, October 18, 2005 9:27 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Veritas and DC backup
 
 One of my peeves with BE; it requires domain admin rights to completely back
 up a DC. You can't get system state without it.
 http://seer.support.veritas.com/docs/243033.htm
 
 
 **
 Charlie Kaiser
 W2K3 MCSA/MCSE/Security, CCNA
 Systems Engineer
 Essex Credit / Brickwalk
 510 595 5083
 **
  
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Freddy 
  HARTONO
  Sent: Tuesday, October 18, 2005 3:34 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Veritas and DC backup
  
  Hi all,
  
  Just a quick question, is anyone using Backupexec to backup domain
  controllers - remotely perhaps?
  
  Basically we have a distributed model here and we are trying to let
  the site admins manage the domain controllers (in terms of restarting
  the server) - yeah I know this is bad - and do backup but without the
  ability of Domain Admins.
  
  The only problem that we have is that we are unable to backup using
  Backup Operators rights via Veritas 9 - for some reason. And even if
  we come to that part - Backup Operators will have logon rights to all
  machines in the domain (on default)... which is bad
  
  Any ideas please? Sort of bad as we do not have a 24/7 domain admins
  on rotates..
  
  
  Thank you and have a splendid day! 
  
  Kind Regards,
  
  Freddy Hartono
  Group Support Engineer
  InternationalSOS Pte Ltd
  mail: [EMAIL PROTECTED]
  phone: (+65) 6330-9740 - temp
  
  
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: 
 http://www.mail-archive.com/activedir%40mail.activedir.org/
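
The per-server local backup account rotation described in the message above, as an added example that is not part of the thread and does not use passgen: it generates a random password and sets it on a local account through the ADSI WinNT provider. The server names and the `bkup-<server>` account naming are assumptions, and domain controllers are left out because they have no local accounts.

```powershell
# Added example: rotate the password of a per-server LOCAL backup account.
# Server names and the "bkup-<server>" naming scheme are assumptions.

function New-RandomPassword {
    param([int]$Length = 24)
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+-_='
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte  = New-Object byte[] 1
    # Bytes at or above $limit are discarded so that every character of the
    # alphabet is equally likely (no modulo bias).
    $limit = 256 - (256 % $alphabet.Length)
    $chars = New-Object System.Text.StringBuilder
    try {
        while ($chars.Length -lt $Length) {
            $rng.GetBytes($byte)
            if ($byte[0] -lt $limit) {
                [void]$chars.Append($alphabet[$byte[0] % $alphabet.Length])
            }
        }
    } finally { $rng.Dispose() }
    $chars.ToString()
}

function Set-LocalBackupPassword {
    param([string]$Server, [string]$Account)
    $password = New-RandomPassword
    # The WinNT provider addresses the account in the member server's local
    # SAM, so the credential is valid on that one machine only.
    $user = [ADSI]"WinNT://$Server/$Account,user"
    $user.SetPassword($password)
    $user.SetInfo()
    $password
}

$Servers = 'FILE01', 'SQL01', 'WEB01'   # constructed member-server names
foreach ($server in $Servers) {
    $account = "bkup-$server".ToLower()  # one distinct account per server
    try {
        $newPassword = Set-LocalBackupPassword -Server $server -Account $account
        # Update the backup product's stored credential for this server with
        # $newPassword here; that step is product-specific and not shown.
        Write-Output "$server : rotated $account"
    } catch {
        Write-Warning "$server : rotation failed for $account ($($_.Exception.Message))"
    }
}
```

Because each account exists only in one server's local SAM and has its own password, a credential recovered from one machine does not authenticate to the others.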

RE: [ActiveDir] Veritas and DC backup

2005-10-18 Thread Freddy HARTONO
Hi Charlie

Thanks for that, yeah basically it works under DA/EA but that's an overkill
as I only want to delegate basic stuff to site admins (yeah problem with
distributed control :(

Any suggestions...of course other than buying quest adrestore
(wishlist)..otherwise I'll most probably backup to a remote disk and get
veritas to backup that as a file (two step troublesome)...



Thank you and have a splendid day!

Kind Regards,

Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9740 - temp

-Original Message-
From: Charlie Kaiser [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 18, 2005 9:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Veritas and DC backup

One of my peeves with BE; it requires domain admin rights to completely back
up a DC. You can't get system state without it.
http://seer.support.veritas.com/docs/243033.htm


**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Freddy 
 HARTONO
 Sent: Tuesday, October 18, 2005 3:34 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Veritas and DC backup
 
 Hi all,
 
 Just a quick question, is anyone using Backupexec to backup domain 
 controllers - remotely perhaps?
 
 Basically we have a distributed model here and we are trying to let 
 the site admins manage the domain controllers (in terms of restarting 
 the server) - yeah I know this is bad - and do backup but without the 
 ability of Domain Admins.
 
 The only problem that we have is that we are unable to backup using 
 Backup Operators rights via Veritas 9 - for some reason. And even if 
 we come to that part - Backup Operators will have logon rights to all 
 machines in the domain (on default)... which is bad
 
 Any ideas please? Sort of bad as we do not have a 24/7 domain admins 
 on rotates..
 
 
 Thank you and have a splendid day! 
 
 Kind Regards,
 
 Freddy Hartono
 Group Support Engineer
 InternationalSOS Pte Ltd
 mail: [EMAIL PROTECTED]
 phone: (+65) 6330-9740 - temp
 
 