backup&restore 2003

Upload: durga-rao

Post on 05-Apr-2018

7/31/2019 Backup&Restore 2003

Backing up Active Directory is essential to maintain the proper health of the Active Directory database. You can back up Active Directory by using the NTBACKUP tool that comes built-in with Windows Server 2003, or use any 3rd-party tool that supports this feature. Backing up Active Directory is done on one or more of your Active Directory domain controllers (or DCs), and is performed by backing up the System State on those servers. The System State contains the local Registry, the COM+ Class Registration Database, the System Boot Files, certificates from Certificate Server (if it is installed), the Cluster database (if it is installed), NTDS.DIT, and the SYSVOL folder.

To ensure your ability to actually use this backup, you must be aware of the tombstone lifetime. By default, the tombstone lifetime is 60 days (for Windows 2000/2003 DCs), or 180 days (for Active Directory based upon Windows Server 2003 SP1 DCs).

A longer tombstone lifetime decreases the chance that a deleted object remains in the local directory of a disconnected DC beyond the time when the object is permanently deleted from online DCs. The tombstone lifetime is not changed automatically when you upgrade to Windows Server 2003 with SP1, but you can change the tombstone lifetime manually after the upgrade. New forests that are installed with Windows Server 2003 with SP1 have a default tombstone lifetime of 180 days. Read my "Changing the Tombstone Lifetime Attribute in Active Directory" article for more info on that.

Any backup older than 60/180 days is not a good backup and cannot be used to restore any DC. You do not need to back up all your DCs' System States; usually backing up the first DC in the Forest plus the first DC in each domain is enough for most scenarios.

You need a current, verified, and reliable backup to:

- Restore Active Directory data that becomes lost. By using an authoritative restore process, you can restore individual objects or sets of objects (containers or directory partitions) from their deleted state. Read my "Recovering Deleted Items in Active Directory" article for more info on that.
- Recover a DC that cannot start up or operate normally because of software failure or hardware failure.
- Install Active Directory from backup media (using the command). Read my "Install DC from Media in Windows Server 2003" article for more info on that.
- Perform a forest recovery if forest-wide failure occurs.

All these are reasons to have good working and reliable backups.

One of the Active Directory features that was introduced in Windows Server 2003 with Service Pack 1 was the Directory Service Backup Reminders. With this reminder, a new event message, event ID 2089, provides the backup status of each directory partition that a domain controller stores. This includes application directory partitions and Active Directory Application Mode (ADAM) partitions. If halfway through the tombstone lifetime a partition has not been backed up, this event is logged in the Directory Service event log and continues daily until the partition is backed up.
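The two rules above, the tombstone-lifetime limit on backup age and the halfway-point reminder that drives event ID 2089, are easy to get wrong when a forest was upgraded rather than freshly installed. The following script is an added example (it is not code from the original article) that encodes both rules as checks a defender can run against dates pulled from a backup catalog. The `tombstoneLifetime` attribute location is the real one in the Configuration partition; the partition names, dates and the `forest_created_on_2003sp1` flag are constructed inputs.

```python
"""Backup-age and backup-reminder checks for Active Directory System State
backups, following the Windows Server 2003 rules described in the article.

Added example; not part of the original article. All inputs are constructed.
"""
from datetime import date

# Defaults from the article: 60 days for Windows 2000/2003 forests,
# 180 days for forests first installed with Windows Server 2003 SP1.
DEFAULT_TOMBSTONE_DAYS_LEGACY = 60
DEFAULT_TOMBSTONE_DAYS_2003SP1 = 180


def effective_tombstone_lifetime(attr_value, forest_created_on_2003sp1):
    """Return the tombstone lifetime in days.

    attr_value is the tombstoneLifetime attribute read from
    CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,...
    It is None when the attribute has never been set, which is the usual
    case on forests upgraded from Windows 2000/2003; the default then
    depends on whether the forest was first installed on 2003 SP1.
    """
    if attr_value is not None:
        return int(attr_value)
    if forest_created_on_2003sp1:
        return DEFAULT_TOMBSTONE_DAYS_2003SP1
    return DEFAULT_TOMBSTONE_DAYS_LEGACY


def backup_is_usable(backup_date, today, tombstone_days):
    """A System State backup older than the tombstone lifetime must not be
    restored: the live DCs have already garbage-collected the tombstones,
    so objects deleted since the backup would be reintroduced."""
    return (today - backup_date).days < tombstone_days


def partitions_due_for_reminder(last_backup_by_partition, today, tombstone_days):
    """Model the event ID 2089 rule: a partition that has not been backed up
    for half the tombstone lifetime (or never) gets a daily reminder.
    Returns a list of (partition, age_in_days_or_None)."""
    half = tombstone_days // 2
    due = []
    for partition, last in last_backup_by_partition.items():
        age = (today - last).days if last is not None else None
        if age is None or age >= half:
            due.append((partition, age))
    return due


# Constructed sample: a forest installed fresh on 2003 SP1 with the attribute
# left unset, checked on the date printed in the article's page header.
TODAY = date(2019, 7, 31)
LIFETIME = effective_tombstone_lifetime(None, forest_created_on_2003sp1=True)
LAST_BACKUPS = {
    "DC=example,DC=com": date(2019, 7, 20),
    "CN=Configuration,DC=example,DC=com": date(2019, 4, 1),
    "DC=DomainDnsZones,DC=example,DC=com": None,
}

if __name__ == "__main__":
    print("tombstone lifetime:", LIFETIME, "days")
    for when in (date(2019, 7, 1), date(2019, 5, 1)):
        print(when, "usable for restore:", backup_is_usable(when, TODAY, 60))
    for partition, age in partitions_due_for_reminder(LAST_BACKUPS, TODAY, LIFETIME):
        print("event 2089 expected for", partition, "- days since backup:", age)
```

Feed it the real `tombstoneLifetime` value (or `None` if the attribute is absent) and the last backup date of each partition, and it tells you which backups are already unusable and which partitions your DCs should already be complaining about in the Directory Service log.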

In the Windows Server 2003 family, you can restore the Active Directory database if it becomes corrupted or is destroyed because of hardware or software failures. You must restore the Active Directory database when objects in Active Directory are changed or deleted.

There is an option to restore Active Directory objects that have been deleted and are now in a phase called "tombstone". These items are hidden from the GUI and await their cleanup by a process called "garbage collection". Read more about it in my "Recovering Deleted Items in Active Directory" article.

There are three restore methods: Primary Restore, Normal Restore (i.e. Non-Authoritative), and Authoritative Restore.

Referenced articles:

- Changing the Tombstone Lifetime Attribute in Active Directory: http://www.petri.co.il/changing_the_tombstone_lifetime_windows_ad.htm
- Recovering Deleted Items in Active Directory: http://www.petri.co.il/recovering-deleted-items-active-directory.htm
- Install DC from Media in Windows Server 2003: http://www.petri.co.il/install_dc_from_media_in_windows_server_2003.htm

Primary Restore: This method rebuilds the first domain controller in a domain when there is no other way to rebuild the domain. Perform a primary restore only when all the domain controllers in the domain are lost, and you want to rebuild the domain from the backup. Members of the Administrators group can perform the primary restore on a local computer. On a domain controller, only members of the Domain Admins group can perform this restore.

Normal Restore: This method reinstates the Active Directory data to the state before the backup, and then updates the data through the normal replication process. Perform a normal restore to bring a single domain controller back to a previously known good state.

Authoritative Restore: You perform this method in tandem with a normal restore. An authoritative restore marks specific data as current and prevents replication from overwriting that data. The authoritative data is then replicated through the domain. Perform an authoritative restore for individual objects in a domain that has multiple domain controllers. When you perform an authoritative restore, you lose all changes to the restored object that occurred after the backup. You need to use the NTDSUTIL command line utility to perform an authoritative restore. You need to use it in order to mark Active Directory objects as authoritative, so that they receive a higher version number and recently changed data on other domain controllers does not overwrite the restored System State data during replication.

For example, if you inadvertently delete or modify objects in Active Directory, and those objects were thereafter replicated to other DCs, you will need to authoritatively restore those objects so they are replicated or distributed to the other servers. If you do not authoritatively restore the objects, they will never get replicated or distributed to your other servers because they will appear to be older than the objects currently on your other DCs. Using the NTDSUTIL utility to mark objects for authoritative restore ensures that the data you want to restore gets replicated or distributed throughout your organization.
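The reason a plain restore of a deleted or modified object "never gets replicated" is the per-attribute version number that Active Directory uses to resolve replication conflicts. The script below is an added example (not code from the original article) that models that rule and shows the same restored value losing after a normal restore and winning after an authoritative restore. The version increment of 100,000 per day since the backup is what NTDSUTIL applies by default; the object, dates and values are constructed, and treating the increment as a parameter with a one-day minimum is this model's own assumption.

```python
"""Why a restored Active Directory object must be marked authoritative.

Added example, not from the article. It models AD's per-attribute
replication metadata (version number and originating timestamp) and the
"highest version wins" conflict rule, then shows a restored object losing
to the live replicas after a normal restore and winning after an
authoritative restore.
"""
from dataclasses import dataclass, replace
from datetime import datetime

# NTDSUTIL's default increment per elapsed day; a parameter in this model.
VERSION_INCREMENT_PER_DAY = 100_000


@dataclass(frozen=True)
class AttrMeta:
    """Replication metadata carried with one attribute value."""
    value: str
    version: int
    originating_time: datetime


def replication_winner(a: AttrMeta, b: AttrMeta) -> AttrMeta:
    """Conflict resolution between two replicas of the same attribute:
    the higher version wins; on a tie, the later originating write wins.
    (The final tie-breaker, the originating DSA GUID, is omitted here.)"""
    if a.version != b.version:
        return a if a.version > b.version else b
    return a if a.originating_time >= b.originating_time else b


def mark_authoritative(restored: AttrMeta, backup_time: datetime,
                       restore_time: datetime,
                       per_day: int = VERSION_INCREMENT_PER_DAY) -> AttrMeta:
    """Model of what marking data authoritative in NTDSUTIL does: raise the
    version so the restored data beats anything written since the backup.
    Fewer than one elapsed day is treated as one (model assumption)."""
    days = max(1, (restore_time - backup_time).days)
    return replace(restored, version=restored.version + days * per_day)


def outcome_after_restore(restored: AttrMeta, live: AttrMeta,
                          authoritative: bool, backup_time: datetime,
                          restore_time: datetime) -> AttrMeta:
    """The value that ends up on every DC once replication converges."""
    candidate = (mark_authoritative(restored, backup_time, restore_time)
                 if authoritative else restored)
    return replication_winner(candidate, live)


# Constructed scenario: the backup holds version 3 of a group's description;
# an administrator changed it by mistake (version 5) after the backup.
BACKUP_TIME = datetime(2019, 7, 1)
RESTORE_TIME = datetime(2019, 7, 31)
FROM_BACKUP = AttrMeta("Sales team", 3, datetime(2019, 6, 15))
LIVE_ON_OTHER_DCS = AttrMeta("Sales team (renamed by mistake)", 5,
                             datetime(2019, 7, 10))

if __name__ == "__main__":
    normal = outcome_after_restore(FROM_BACKUP, LIVE_ON_OTHER_DCS, False,
                                   BACKUP_TIME, RESTORE_TIME)
    auth = outcome_after_restore(FROM_BACKUP, LIVE_ON_OTHER_DCS, True,
                                 BACKUP_TIME, RESTORE_TIME)
    # Normal restore: the live replicas (version 5) overwrite the restored DC.
    print("normal restore ->", normal.value, "(version", normal.version, ")")
    # Authoritative restore: 3 + 30 days * 100,000 = 3,000,003 beats version 5
    # and the restored value replicates outward to every other DC.
    print("authoritative  ->", auth.value, "(version", auth.version, ")")
```

The model also makes the article's warning concrete: whatever version bump the restored object receives, every legitimate change made to it after the backup is lost, so mark only the objects you actually need to recover.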

You can't restore Active Directory (AD) to a domain controller (DC) while the Directory Service (DS) is running. To restore AD, perform the following steps.

1. Reboot the computer.
2. Press F8 for advanced options. You'll see the following text.
3. Scroll down, and select Directory Services Restore Mode (Windows domain controllers only).
4. Press Enter.
5. When you return to the Server boot menu, press Enter. At the bottom of the screen, you'll see in red text Directory Services Restore Mode (Windows domain controllers only).


The computer will boot into a special safe mode and won't start the DS. Be aware that during this time the machine won't act as a DC and won't perform functions such as authentication.

1. Start Backup and select Advanced Mode.
2. Select the Restore tab.
3. Select the backup media, and select System State.
4. Click Start Restore.
5. Click OK in the confirmation dialog box.

After you restore the backup, reboot the computer and start in normal mode to use the restored information. The computer might hang after the restore completes; I've experienced a 30-minute wait on some machines.