Networker

[Networker] recommended best practices for backup & recovery of MS ADDS with NMM

2012-03-09 14:35:56
Subject: [Networker] recommended best practices for backup & recovery of MS ADDS with NMM
From: Tim Mooney <Tim.Mooney AT NDSU DOT EDU>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Fri, 9 Mar 2012 13:31:49 -0600
All-

We're long-time NetWorker users, but we're brand new to NMM and we're
really having trouble coalescing all of the documentation into an
understanding of how we *should* be backing up and preparing to recover
Microsoft Active Directory Domain Services (ADDS, née AD).  We're hoping
that some of you can help with some recommendations and best practices.

Not certain if I'll be able to avoid a tl;dr post, but I'll try.

Information about the NetWorker server and the three domain controllers
involved is near the end of this email.

The basic question we have is "how *should* we be conducting AD(DS)
backups"?  Keep in mind that we have three domain controllers, one of
which is located in a datacenter that is a couple miles from our primary
datacenter.  That should help with a single-datacenter event, but not
some regional disaster (like flooding, which this region is very prone
to).

We also have the "recycle bin" turned on which should help for most of
the human error scenarios, such as someone accidentally deleting a user
or a group.

Before the advent of AD and NMM in our environment, we never worried about
bare-metal recovery for our Windows systems -- our plan was always to make
sure the data was backed up, but to expect to have to reinstall the OS and
applications, either on the same hardware or potentially on upgraded or
new hardware, before beginning with the data recovery.

With AD, we need to be able to recover from a disaster, whether it's on
the same hardware or different/new hardware for the domain controller(s).
The documentation for "Active Directory Disaster Recovery" seems to assume
that we'll be using the DISASTER_RECOVERY saveset and doing a bare-metal
recovery, but this isn't supported if the restore is on different hardware
or a new installation of Windows 2008 R2.

So, how do we go about being prepared for all of the following scenarios:

  * Hardware failure resulting in OS needing to be reinstalled
  * Hardware failure causing primary domain controller to need AD
    restored (other two domain controllers are fine)
  * OS failure resulting in OS reinstall on same hardware





NetWorker Server:
=================

OS: Linux RHEL 6.2
NetWorker: NetWorker 7.6.2.5
Notes: multi-homed with presences on our datacenter subnet
(fqdn: nsrserv1.nodak.edu) and our secondary "backup" network
(fqdn: nsrserv1-s.nodak.edu).

Domain Controller Client #1:
============================
OS software       : Windows 2008 R2 SP1
NetWorker software: NetWorker 7.6.2.5, NMM v2.5.1_NMM2.3_drop11c.Build.36
Notes             : external fqdn on datacenter subnet is adserv1.ndsu.edu,
  external fqdn for secondary "backup" subnet is adserv1-s.ndsu.edu.  The
  special DNS subnet "ad.ndsu.edu" is also delegated to the AD servers, so
  it believes its fqdn is "adserv1.ad.ndsu.edu" and backup-network fqdn
  is "adserv1-s.ad.ndsu.edu".  The computer name is just "adserv1".

Domain Controller Client #2:
============================
OS software       : Windows 2008 R2 SP1
NetWorker software: NetWorker 7.6.2.5, NMM v2.5.1_NMM2.3_drop11c.Build.36
Notes             : external fqdn on datacenter subnet is adserv2.ndsu.edu,
  external fqdn for secondary "backup" subnet is adserv2-s.ndsu.edu.  The
  special DNS subnet "ad.ndsu.edu" is also delegated to the AD servers, so
  it believes its fqdn is "adserv2.ad.ndsu.edu" and backup-network fqdn is
  "adserv2-s.ad.ndsu.edu".  The computer name is just "adserv2".

Domain Controller Client #3:
============================
OS software       : Windows 2008 R2 SP1
NetWorker software: NetWorker 7.6.2.5, NMM v2.5.1_NMM2.3_drop11c.Build.36
Notes             : external fqdn on datacenter subnet is adserv3.ndsu.edu,
 external fqdn for secondary "backup" subnet is adserv3-s.ndsu.edu.  The
 special DNS subnet "ad.ndsu.edu" is also delegated to the AD servers, so
 it believes its fqdn is "adserv3.ad.ndsu.edu" and backup-network fqdn
 is "adserv3-s.ad.ndsu.edu".  The computer name is just "adserv3".

  NOTE: this server is located in a separate datacenter a couple miles from
  our primary datacenter.

All three of the backup clients have been configured in NetWorker with:

Client name            : adserv1-s.ndsu.edu (or adserv{2,3}-s.ndsu.edu)
Save set               : C:\, SYSTEM COMPONENTS:\
Backup command         : nsrsnap_vss_save.exe
Application Information: NSR_SNAP_TYPE=vss
Aliases                : adserv1, adserv1-s, adserv1.ad.ndsu.edu,
                         adserv1-s.ad.ndsu.edu (number changes for DCs 2 & 3)

Snapshot Policy
Number of Snapshots    : 1
Retain                 : 0
Snapshot Expiration    : Day
Backup Snapshots       : All



Any help or recommendations anyone could provide would be greatly
appreciated.

Thanks,

Tim
--
Tim Mooney                                             Tim.Mooney AT ndsu DOT edu
Enterprise Computing & Infrastructure                  701-231-1076 (Voice)
Room 242-J6, IACC Building                             701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
