Networker

Re: [Networker] recommended best practices for backup & recovery of MS ADDS with NMM

2012-03-09 15:27:52
Subject: Re: [Networker] recommended best practices for backup & recovery of MS ADDS with NMM
From: Michael Leone <Michael.Leone AT PHA.PHILA DOT GOV>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Fri, 9 Mar 2012 15:27:44 -0500
> We're long-time NetWorker users, but we're brand new to NMM and we're
> really having trouble coalescing all of the documentation into an
> understanding of how we *should* be backing up and preparing to recover
> Microsoft Active Directory Domain Services (ADDS, née AD).  We're hoping
> that some of you can help with some recommendations and best practices.

AD. More rarely, ADS. I've never seen a Windows guy call it ADDS ...

> We also have the "recycle bin" turned on which should help for most of
> the human error scenarios, such as someone accidentally deleting a user
> or a group.

That's only applicable if the person is actually logged onto the server;
if you're accessing a share, and you delete a file, you're out of luck -
there is no network-level recycle bin, like there is (or was) in NetWare.

> 
> So, how do we go about being prepared for all of the following scenarios:
> 
>    * Hardware failure resulting in OS needing to be reinstalled
>    * Hardware failure causing primary domain controller to need AD
>      restored (other two domain controllers are fine)

What I would do? Seize the AD FSMO roles from one of the remaining DCs
(domain controllers), manually clean out the references to the failed
server using NTDSUTIL, and then reinstall the OS and re-join to the
domain.

If you were to do a complete recover of a DC using Networker, you might 
have to do something like "declare a new epoch" in AD, if the internal 
timestamps go too far out of whack, or something even more terrifying ...

You really need somebody with Windows and AD experience to help you plan
on this ... if you have DCs in other sites, then any of those can "seize"
the FSMO roles, and become authoritative for the domain. You still have to
clean out the references to the failed server from AD, of course. I've
done that a couple times, when recreating our domain as a private AD in
VMware, for testing purposes. I probably still have notes somewhere, if
you like ...

Losing ALL your DCs is a catastrophe. :-) But you can recover from it, but
it's complicated.
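
[Added example, not part of the message above and not taken from the NetWorker/NMM documentation: a PowerShell sketch of the "seize the FSMO roles, then clean out the references" sequence, run from a surviving DC with the ActiveDirectory module. The names DC1 and DC2 are constructed placeholders, and the NTDSUTIL line is only printed for review, not executed.]

```powershell
# Added illustration. $FailedDC / $SurvivingDC are placeholder names (assumptions).
Import-Module ActiveDirectory

$FailedDC    = 'DC1'   # placeholder: the dead domain controller
$SurvivingDC = 'DC2'   # placeholder: healthy DC that will take over the roles

# 1. Record who holds each FSMO role before changing anything.
$domain  = Get-ADDomain -Server $SurvivingDC
$forest  = Get-ADForest -Server $SurvivingDC
$holders = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$holders.GetEnumerator() | Format-Table Name, Value -AutoSize

# 2. Seize only the roles the failed DC held. -Force turns the transfer into
#    a seizure, which is what is needed when the old holder cannot respond.
$toSeize = @($holders.GetEnumerator() |
    Where-Object { $_.Value -like "$FailedDC.*" } |
    ForEach-Object { $_.Key })
if ($toSeize.Count -gt 0) {
    Move-ADDirectoryServerOperationMasterRole -Identity $SurvivingDC `
        -OperationMasterRole $toSeize -Force -Confirm:$false
} else {
    "No FSMO roles were held by $FailedDC; nothing to seize."
}

# 3. Find the references to the failed server that still need cleaning out.
#    The matching NTDSUTIL command is printed so it can be reviewed and run by hand.
$configNC = (Get-ADRootDSE -Server $SurvivingDC).configurationNamingContext
Get-ADObject -Server $SurvivingDC -SearchBase "CN=Sites,$configNC" `
    -LDAPFilter "(&(objectClass=server)(cn=$FailedDC))" |
    ForEach-Object {
        "Stale server object: $($_.DistinguishedName)"
        "  ntdsutil `"metadata cleanup`" `"remove selected server $($_.DistinguishedName)`" quit quit"
    }
```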

 
