Subject: Re: [Networker] Active Directory
From: Jeff Mery <jeff.mery AT NI DOT COM>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Thu, 28 Jul 2005 09:31:47 -0500

I didn't see a response to this so....

A nearly identical copy of AD is kept on every single domain controller in 
a given domain.  I say nearly, because there usually is a lag for 
replication.  When a backup is run on any of these machines using either 
the "All" or "SYSTEM_STATE" (may not be exact name) saveset, the entire 
contents of AD is also backed up.  That being said, you should back up more 
than just one domain controller.  You should also back up any domain 
controllers that hold one of the FSMO roles.  It's not strictly necessary 
to back them all up, but in a DR scenario it will make life easier.

Where I believe your coworkers may be confused is on restoring either part 
or all of AD.  Bear with me while I give you/the List some background...

AD uses something called a USN (Universal Sequence Number) when creating 
and modifying objects (users, computers, OUs, etc.) in the directory. This 
USN is basically a counter.  When an object is created, a USN is assigned 
(it's hidden, this is not the SID).  The DC where the object was created 
replicates the object to the other DCs in the domain.  When that object 
is modified (Sue Smith gets married and becomes Sue Jones; Freddy is added 
to a new group, etc.), the USN is incremented.  When the next replication 
occurs, the DC where the change was made has a higher USN than the other 
DCs.  They see this and say, "Oh, he has a newer version than me, I need 
the newer one" and the change is replicated to all DCs.

The USN is what causes a problem with restores.  Let's say a script runs 
and deletes 1000 active user accounts.  In order to restore these 
accounts, you must do an authoritative restore of AD.  The authoritative 
restore is what requires you to shut down Windows, boot into a special 
mode, and use MS tools to recover the objects.  However, this is *after* 
you've recovered AD from tape to an isolated domain controller.  This 
special recovery is required because as soon as that recovered DC comes 
up, it's going to see that the USNs of its objects are all lower than the 
USNs of the same objects on the other domain controllers.  It says, "All 
my stuff is out of date, let me get the new stuff." and your AD restore 
was just overwritten by the active data.  This restore method would 
normally be used to restore individual objects or the entire AD in a DR 
scenario (build a new domain, perform an authoritative restore from tape 
to overwrite all the existing info).

You would not use an authoritative restore to recover an individual DC 
that has failed for some reason (unless it's your only DC).  In this case, 
you would just repair the system, reinstall the OS if necessary (i.e. 
maybe it was a worm or virus you want to be 100% sure is gone), and run 
dcpromo to turn the machine back into a DC.  It will get the most current 
information from the other DCs in the domain.

Hope that helps...

Jeff Mery - MCSE, MCP
National Instruments

-------------------------------------------------------------------------
"Allow me to extol the virtues of the Net Fairy, and of all the fantastic
dorks that make the nice packets go from here to there. Amen."
TB - Penny Arcade
-------------------------------------------------------------------------
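
As an added illustration of the USN argument in the message above (not code from the original post): a toy Python model of two DCs in which every change bumps a per-object version counter and the higher version always wins on replication. It shows why a plain restore of deleted accounts is overwritten by the live tombstones, and why an authoritative restore, modelled here as adding a large constant to the restored versions, makes the restored objects win. Real AD compares per-attribute version stamps rather than the raw USN, and the bump constant and sample account names are assumptions of this model.

```python
import copy
from dataclasses import dataclass, field

AUTH_RESTORE_BUMP = 100_000  # assumed: authoritative restore raises versions so restored data out-ranks live data

@dataclass
class DirObject:
    version: int = 1        # bumped on every change or deletion (the message's "USN")
    deleted: bool = False   # a deletion replicates as a tombstone, not as absence

@dataclass
class DomainController:
    objects: dict = field(default_factory=dict)   # name -> DirObject

    def delete(self, name):
        obj = self.objects[name]
        obj.deleted, obj.version = True, obj.version + 1

    def pull_from(self, other):
        # "Oh, he has a newer version than me, I need the newer one"
        changed = False
        for name, theirs in other.objects.items():
            mine = self.objects.get(name)
            if mine is None or theirs.version > mine.version:
                self.objects[name] = copy.deepcopy(theirs)
                changed = True
        return changed

    def restore(self, backup, authoritative=False):
        self.objects = copy.deepcopy(backup)
        if authoritative:
            for obj in self.objects.values():
                obj.version += AUTH_RESTORE_BUMP

def converge(dcs):
    """Replicate between all DCs until nothing changes (lag collapsed to 'eventually')."""
    while any(dst.pull_from(src) for dst in dcs for src in dcs if src is not dst):
        pass

def run_scenario(authoritative):
    """Back up dc1, delete every user via dc2, restore dc1, replicate; return accounts live on all DCs."""
    users = ["sue.smith", "freddy", "ops.svc"]                   # constructed sample accounts
    dc1, dc2 = DomainController({u: DirObject() for u in users}), DomainController()
    converge([dc1, dc2])
    backup = copy.deepcopy(dc1.objects)                          # last night's SYSTEM STATE saveset of dc1
    for u in users: dc2.delete(u)                                # "a script runs and deletes ... accounts"
    converge([dc1, dc2])
    dc1.restore(backup, authoritative=authoritative)
    converge([dc1, dc2])
    return min(sum(not o.deleted for o in dc.objects.values()) for dc in (dc1, dc2))
```

`run_scenario(False)` ends with every account still deleted on both DCs, while `run_scenario(True)` brings all three back everywhere.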

Craig Ruefenacht <craig.ruefenacht AT US.USANA DOT COM>
Sent by: Legato NetWorker discussion <NETWORKER AT LISTSERV.TEMPLE DOT EDU>
07/27/2005 04:04 PM
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Subject: [Networker] Active Directory

Hi,

I know this topic has been discussed several times on this list, and
I've even asked this question before as part of a broader email.
However, I was told again today by a couple of people who have gone to
active directory training that doing a backup of active directory is not
as simple as it sounds.

From what I was told by people on this list earlier (mostly in personal
responses), to back up active directory, if you specify "All" as the
saveset for a Networker client which also happens to be the active
directory master, that active directory will get backed up (via the
SYSTEM STATE or other similar saveset).

I've had people who have been to some active directory training tell me
that the only way to back up active directory is to boot the machine up
with active directory disabled and use Microsoft tools to back it up.  I
know that's how you have to recover active directory.

This is with Networker 7.1.3 (both server and client).

I don't have the resources to test a recover of our active directory
right now to answer my own question.

-- 
Craig Ruefenacht
UNIX Systems Administrator
USANA Health Sciences
http://www.usana.com

--
Note: To sign off this list, send a "signoff networker" command via email
to listserv AT listserv.temple DOT edu or visit the list's Web site at
http://listserv.temple.edu/archives/networker.html where you can
also view and post messages to the list. Questions regarding this list
should be sent to stan AT temple DOT edu
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=

