Re: AD Disaster Recovery
From: Bob Christian (BobChristian_at_removethis.gmail.com)
Date: 09/01/04
- Next message: Bob Christian: "Re: domain policy propagation"
- Previous message: Burtsev Dmitry: "Re: Folder share with disk quota using commands."
- In reply to: Greg Wright: "AD Disaster Recovery"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 1 Sep 2004 01:46:45 -0500
I know you are frustrated. We all would be if we were in the same shoes.
Though I am not familiar with your specific errors or issues, I felt like
spending a few minutes typing a reply based on some experience I had with
some clients. It's a bit late and I am sorry for any gaps in my grammar.
I have performed similar testing for three clients in two test
methodologies/software. Two were single forests with a forest root domain
and a child domain. One was a single forest root domain only. One of the
clients performed a full restore test of well over 100,000 user accounts,
groups, and computers.
1) Windows and images
2) Veritas NetBackup
Another engineer and I started a test for a client, but I left for
another client. We tested using CommVault and using Legato. In both cases
CommVault and Legato professional services stood it up as we were testing
more than AD. The AD backups worked fine...and then I left.
Another method a client used for backup/restore was to locate an AD
domain controller off-site. In a test lab, simulating the catastrophic loss
of HQ, this worked pretty well. We had some problems with e-mail, but our
messaging team worked that out in a day.
All of the testing below was performed in a lab environment. The software
was Windows 2000 and Windows 2003. The last test I performed was about 1
year ago. Most of the information is what I remembered from the testing.
1)
As for the rebuild...Ghost image (sysprepped) on a bootable DVD has worked
like a champ to get the OS restored and running quickly. The name and
information on the system was the same.
I ran the NT Backup restore and booted into DS Restore mode. I ran ntdsutil
and performed a non-authoritative restore. There was additional work in
seizing FSMO roles.
With NT Backup:
The best thing I have found is to utilize identical hardware, which you have
done. It kind of makes sense since restoring the System State restores
registry settings and you can't choose to restore the individual system
state components.
2) Veritas NetBackup...
Bare metal restore...worked quite well.
Restore of individual system state components (AD, Sysvol, etc) for an
authoritative restore of single objects (users, groups, and even a DNS
zone)...worked like a champ.
In all cases we were restoring to like hardware on network segments with the
same IP configuration. In one set of test cases (the authoritative restore
test for accidental deletion of a user, group, or ADI DNS zone),
Most of the backups were performed from the domain's PDC emulators, which
were also GCs. We also backed up the Schema/Domain Naming master, which was
also a GC.
We did have to seize two of the FSMO roles (RID and Infra) at the domain
level and we seized one of the FSMO roles (Schema) at the forest level as a
test.
For one client, the largest one, it was a solid week of testing, a week of
documentation, and a week of QA. We learned a lot and were able to
communicate a lot to our client.
My suggestion would be to enlist the assistance of someone like MSCS or a
Gold partner.
Bob
"Greg Wright" <wrightg@bcrail.DONOTSPAM.com> wrote in message
news:%23rt$4i2jEHA.396@TK2MSFTNGP12.phx.gbl...
> We are in the process of setting up a disaster recovery site 3000 miles
> away. So in preparation, I have been trying to set up instructions and
> scripts to recover our AD Domain controllers.
>
> So far all attempts have resulted in abject failure !!
>
> We need to recover our AD controllers from backup tapes which we store
> offsite. The recovery hardware will be identical to the current
> hardware. The AD controllers are also our DNS servers, DHCP server,
> WINS server and Certificate Server. AD is spread across two mirrored
> drives (c:\ and d:\).
>
> I've looked high and low on the MS website for explicit instructions to
> enable me to get my AD controllers back to EXACTLY the same condition
> they were in at the time of the backup, but up to now I have not yet
> been able to actually recover a server. I have been working on this
> non-stop for the past 6 weeks. I cannot believe that this has not been
> done before ! Any help would be appreciated.
>
> What I have tried up to now includes:
>
> Install basic Windows 2000 SP4 from CD (SP slipstreamed onto CD)
> Format D:\ drive
> Copy backup file of C:\, D:\ and System State down to D:\ drive
> Run Windows Backup in recovery mode
> Select .bkf file from D:\ drive
> restore C:\, D:\ and System State
> reboot
>
> When the system finishes rebooting, you would think that it would be the
> same as when it was backed up, but AD never starts correctly. I have
> tried various scenarios of the above instructions, all to no avail. I
> have restored in SAFE mode, I have restored just the System State, I
> have tried every combination and permutation that I can possibly imagine.
> I have even called Microsoft (and that's another story altogether !!),
> and nothing I do can get my AD recovered.
>
> I need to be able to restore my system to the point it was in when the
> last backup was created. Nothing that should be difficult, but I cannot
> get it to work.
>
> Any ideas or detailed steps in how to recover an AD server would be
> appreciated.
>
> Greg Wright
> BC Rail