Re: Backup a W2K Domain Controller?

2002-07-12 Thread Consiglio, Tony

Given the examples of backup reasons below: has anyone ever had an AD
corruption that they used TSM to recover from after the GCs have already
replicated that corrupted data out?

If so, did TSM support stand by them all the way until the issue was
resolved??

We are sort of leery about using TSM for the simple reason that they always
say "We do not support BMR", and on a DC with AD this is critical.

Any help would be great


1.) Botched Schema update
2.) Accidental deletion of OU (or any other object)
3.) Database corruption (AD Corruption)
4.) System State.
5.) Accidental deletion of a DNS zone
6.) Some DCs are also File/Print servers, DHCP, etc.

*** Some of these scenarios would require an authoritative restore or a complete
rebuild of the Active Directory, as some changes are replicated immediately.



-Original Message-
From: Jon Adams [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 11, 2002 1:09 AM
To: [EMAIL PROTECTED]
Subject: Re: Backup a W2K Domain Controller?


Thank you Jim.  I will add this to the following reasons I just learned a
few moments ago:

Botched Schema update
Accidental deletion of OU (or any other object)
Database corruption
System State
Accidental deletion of a DNS zone
Some DCs are also File/Print servers, DHCP, etc.

Some of these scenarios would require an authoritative restore or a complete
rebuild of the Active Directory, as some changes are replicated immediately.


...and as you mentioned Jim, time to synch versus restore.

-Original Message-
From: Jim Smith [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 10, 2002 5:57 PM
To: [EMAIL PROTECTED]
Subject: Re: Backup a W2K Domain Controller?


Jon,

I'm sure there are a number of pros and cons and I'll let others chime in
... one advantage of having a backup of the Active Directory on a given DC
is time to recovery. While you can bring an active directory back by
simply installing it and letting it synchronize to catch-up to the rest
of the organization, this synchronization can take quite a long time
depending on the size of the directory.  In this case, a backup product
can give you a point-in-time copy of the active directory such that the
synchronization process only has to catch-up from a time in the recent
past.  The time to restore from a tape can be much quicker than doing a
synchronization from ground-zero.

- Jim

J.P. (Jim) Smith
TSM Client Development


Here's an interesting question:  why would you want to back up a DC,
especially where you have a DC (W2K) or two in every remote site of the WAN?
Why/what would you ever restore that you wouldn't get from the other domain
controllers if one or even a few are down?

I ask this because my theory is when in doubt, back it up.  At a couple
hundred dollars a license it seems a reasonable assurance policy (depending
on the budget, of course).  Another theory applies here as well, back up
everything, exclude only as needed, even if that client options set gets
pretty big.


Jon R. Adams
IT IPS BST Infrastructure
Premera Blue Cross
Mountlake Terrace, WA
425-670-5770
[EMAIL PROTECTED]



Re: Backup a W2K Domain Controller?

2002-07-12 Thread Jim Smith

Tony,

Some clarification: the restore of the Active Directory has two distinct
pieces.  The backup product puts the files (db, logs, etc.) back into the
proper location and then the system, upon reboot, replays the logs and
synchronizes the AD with the organization.  This synchronization is by
default non-authoritative, i.e., what is restored gets synchronized by
catching-up to the rest of the organization.

Some of the cases that you list imply an authoritative restore, i.e.,
the rest of the organization needs to synch-up to what has been restored.
Microsoft does not give backup vendors the ability to mark the AD restore
as authoritative.  To do this, you will need to use the tool
ntdsutil.exe which is shipped with Windows 2000 servers.  This allows
you to mark an object, container, section or entire AD as authoritative.

Generally, the procedure is:

1. restore the system following the procedures in the Redbook (see my
previous post)
2. reboot into Directory Services Restore Mode
3. use ntdsutil.exe to mark the restore as authoritative
4. reboot again.

Since ntdsutil.exe is Microsoft's tool, you might need to have MS support
stand by TSM support until any issues are resolved.

Thanks,
Jim Smith
TSM b-a client development
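
Step 3 of the procedure above as a batch script, added here as an illustration; it is not from the thread, the Redbook, or TSM. The distinguished name is a constructed placeholder, and the script assumes the backup product has already restored the AD files and the DC has been rebooted into Directory Services Restore Mode.

```batch
@echo off
rem Added example: mark one restored subtree as authoritative (step 3).
rem TARGET_DN is a constructed placeholder; set it to the object or
rem container that has to win over the copies on the other DCs.
setlocal
set "TARGET_DN=OU=Example,DC=example,DC=com"

rem Directory Services Restore Mode sets SAFEBOOT_OPTION to DSREPAIR.
rem Stop here on a normally booted DC, where the directory is online.
if /i not "%SAFEBOOT_OPTION%"=="DSREPAIR" (
    echo Not in Directory Services Restore Mode. Reboot into it first.
    exit /b 1
)

rem "restore subtree" marks only the named subtree as authoritative.
rem "restore database" would mark the entire directory instead, so keep
rem the scope as narrow as the incident allows.
rem ntdsutil asks for confirmation before it changes anything.
ntdsutil "authoritative restore" "restore subtree %TARGET_DN%" quit quit

echo Review the ntdsutil output above before rebooting.
echo After a normal reboot the marked objects replicate out to the other DCs.
```

Objects outside the marked subtree are still restored non-authoritatively and catch up from the other domain controllers after the reboot.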

Given the examples of backup reasons below: has anyone ever had an AD
corruption that they used TSM to recover from after the GCs have already
replicated that corrupted data out?

If so, did TSM support stand by them all the way until the issue was
resolved??

We are sort of leery about using TSM for the simple reason that they always
say "We do not support BMR", and on a DC with AD this is critical.

Any help would be great


1.) Botched Schema update
2.) Accidental deletion of OU (or any other object)
3.) Database corruption (AD Corruption)
4.) System State.
5.) Accidental deletion of a DNS zone
6.) Some DCs are also File/Print servers, DHCP, etc.

*** Some of these scenarios would require an authoritative restore or a complete
rebuild of the Active Directory, as some changes are replicated immediately.



-Original Message-
From: Jon Adams [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 11, 2002 1:09 AM
To: [EMAIL PROTECTED]
Subject: Re: Backup a W2K Domain Controller?


Thank you Jim.  I will add this to the following reasons I just learned a
few moments ago:

Botched Schema update
Accidental deletion of OU (or any other object)
Database corruption
System State
Accidental deletion of a DNS zone
Some DCs are also File/Print servers, DHCP, etc.

Some of these scenarios would require an authoritative restore or a complete
rebuild of the Active Directory, as some changes are replicated immediately.


...and as you mentioned Jim, time to synch versus restore.

-Original Message-
From: Jim Smith [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 10, 2002 5:57 PM
To: [EMAIL PROTECTED]
Subject: Re: Backup a W2K Domain Controller?


Jon,

I'm sure there are a number of pros and cons and I'll let others chime in
... one advantage of having a backup of the Active Directory on a given DC
is time to recovery. While you can bring an active directory back by
simply installing it and letting it synchronize to catch-up to the rest
of the organization, this synchronization can take quite a long time
depending on the size of the directory.  In this case, a backup product
can give you a point-in-time copy of the active directory such that the
synchronization process only has to catch-up from a time in the recent
past.  The time to restore from a tape can be much quicker than doing a
synchronization from ground-zero.

- Jim

J.P. (Jim) Smith
TSM Client Development


Here's an interesting question:  why would you want to back up a DC,
especially where you have a DC (W2K) or two in every remote site of the WAN?
Why/what would you ever restore that you wouldn't get from the other domain
controllers if one or even a few are down?

I ask this because my theory is when in doubt, back it up.  At a couple
hundred dollars a license it seems a reasonable assurance policy (depending
on the budget, of course).  Another theory applies here as well, back up
everything, exclude only as needed, even if that client options set gets
pretty big.


Jon R. Adams
IT IPS BST Infrastructure
Premera Blue Cross
Mountlake Terrace, WA
425-670-5770
[EMAIL PROTECTED]



Re: Backup a W2K Domain Controller?

2002-07-12 Thread Rushforth, Tim

First off, most people (when dealing with TSM) define a Bare Metal Restore
as starting off with a clean h/w system (no data, os), then install OS,
install TSM client, restore your data.

The issues listed below may not require a BMR.

1. Botched Schema update - MS says you cannot authoritatively restore the
schema so don't expect TSM to help you.
2. Accidental deletion of OU - just use directory service restore mode -
don't need BMR.
3. Database corruption - if you can still boot into ds restore mode (which
doesn't use AD) you can use this to restore AD.
4. System state - no requirement for BMR.
5. Accidental deletion of DNS zone, if AD integrated I believe this is
similar to 2. If not integrated you simply restore your DNS zone file.
6. File print servers etc no issue here - as long as your server and tsm is
operational you can restore.

I really wish TSM would support a true bare metal restore function - boot
from floppy restore system (they say buy TKG's product).

I'm pretty sure Tivoli will support any of the issues above with TSM (except
the schema!).

You really have to test these out and understand all the issues.

Tim Rushforth
City of Winnipeg

-Original Message-
From: Consiglio, Tony [mailto:[EMAIL PROTECTED]]
Sent: July 12, 2002 11:37 AM
To: [EMAIL PROTECTED]
Subject: Re: Backup a W2K Domain Controller?

Given the examples of backup reasons below: has anyone ever had an AD
corruption that they used TSM to recover from after the GCs have already
replicated that corrupted data out?

If so, did TSM support stand by them all the way until the issue was
resolved??

We are sort of leery about using TSM for the simple reason that they always
say "We do not support BMR", and on a DC with AD this is critical.

Any help would be great


1.) Botched Schema update
2.) Accidental deletion of OU (or any other object)
3.) Database corruption (AD Corruption)
4.) System State.
5.) Accidental deletion of a DNS zone
6.) Some DCs are also File/Print servers, DHCP, etc.

*** Some of these scenarios would require an authoritative restore or a complete
rebuild of the Active Directory, as some changes are replicated immediately.




Re: Backup a W2K Domain Controller?

2002-07-11 Thread Jon Adams

Thank you Jim.  I will add this to the following reasons I just learned a
few moments ago:

Botched Schema update
Accidental deletion of OU (or any other object)
Database corruption
System State
Accidental deletion of a DNS zone
Some DCs are also File/Print servers, DHCP, etc.

Some of these scenarios would require an authoritative restore or a complete
rebuild of the Active Directory, as some changes are replicated immediately.


...and as you mentioned Jim, time to synch versus restore.

-Original Message-
From: Jim Smith [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 10, 2002 5:57 PM
To: [EMAIL PROTECTED]
Subject: Re: Backup a W2K Domain Controller?


Jon,

I'm sure there are a number of pros and cons and I'll let others chime in
... one advantage of having a backup of the Active Directory on a given DC
is time to recovery. While you can bring an active directory back by
simply installing it and letting it synchronize to catch-up to the rest
of the organization, this synchronization can take quite a long time
depending on the size of the directory.  In this case, a backup product
can give you a point-in-time copy of the active directory such that the
synchronization process only has to catch-up from a time in the recent
past.  The time to restore from a tape can be much quicker than doing a
synchronization from ground-zero.

- Jim

J.P. (Jim) Smith
TSM Client Development


Here's an interesting question:  why would you want to back up a DC,
especially where you have a DC (W2K) or two in every remote site of the WAN?
Why/what would you ever restore that you wouldn't get from the other domain
controllers if one or even a few are down?

I ask this because my theory is when in doubt, back it up.  At a couple
hundred dollars a license it seems a reasonable assurance policy (depending
on the budget, of course).  Another theory applies here as well, back up
everything, exclude only as needed, even if that client options set gets
pretty big.


Jon R. Adams
IT IPS BST Infrastructure
Premera Blue Cross
Mountlake Terrace, WA
425-670-5770
[EMAIL PROTECTED]



Backup a W2K Domain Controller?

2002-07-10 Thread Jon Adams

Here's an interesting question:  why would you want to back up a DC,
especially where you have a DC (W2K) or two in every remote site of the WAN?
Why/what would you ever restore that you wouldn't get from the other domain
controllers if one or even a few are down?

I ask this because my theory is when in doubt, back it up.  At a couple
hundred dollars a license it seems a reasonable assurance policy (depending
on the budget, of course).  Another theory applies here as well, back up
everything, exclude only as needed, even if that client options set gets
pretty big.


Jon R. Adams
IT IPS BST Infrastructure
Premera Blue Cross
Mountlake Terrace, WA
425-670-5770
[EMAIL PROTECTED]



Re: Backup a W2K Domain Controller?

2002-07-10 Thread Jim Smith

Jon,

I'm sure there are a number of pros and cons and I'll let others chime in
... one advantage of having a backup of the Active Directory on a given DC
is time to recovery. While you can bring an active directory back by
simply installing it and letting it synchronize to catch-up to the rest
of the organization, this synchronization can take quite a long time
depending on the size of the directory.  In this case, a backup product
can give you a point-in-time copy of the active directory such that the
synchronization process only has to catch-up from a time in the recent
past.  The time to restore from a tape can be much quicker than doing a
synchronization from ground-zero.

- Jim

J.P. (Jim) Smith
TSM Client Development


Here's an interesting question:  why would you want to back up a DC,
especially where you have a DC (W2K) or two in every remote site of the WAN?
Why/what would you ever restore that you wouldn't get from the other domain
controllers if one or even a few are down?

I ask this because my theory is when in doubt, back it up.  At a couple
hundred dollars a license it seems a reasonable assurance policy (depending
on the budget, of course).  Another theory applies here as well, back up
everything, exclude only as needed, even if that client options set gets
pretty big.


Jon R. Adams
IT IPS BST Infrastructure
Premera Blue Cross
Mountlake Terrace, WA
425-670-5770
[EMAIL PROTECTED]