tsm ad restore

IBM Software Services for Tivoli

IBM Tivoli Support Technical Exchange Web Seminar:Restoring Windows Active Directory

using Tivoli Storage Manager

2007-06-13

2IBM Software Services for Tivoli

Agenda:

• Introduction•Objectives•Where to Find More Information•Presentation

• Backup requirements in order to restore Active Directory• Restoring a corrupt or deleted Active Directory• Restoring a single domain controller (first domain controller)• Restoring a single domain controller (active directory operational)• Restoring an entire domain and forest• Basic troubleshooting

•Q&A


Introduction:

This Tivoli Support Technical Exchange web seminar will cover how to restore Active Directory on Windows 2003 Servers using Tivoli Storage Manager.


Objectives:

Upon completion of this Tivoli Support Technical Exchange web seminar, you will be able to:

•Restore Active Directory•Restore Domain Controllers•Troubleshoot problems during restore


Where to Find More Information:

•Here is a list of references that were used to make this presentation and are useful both for recovering Active Directory and for TSM Client usage in general:

• Help in TSM Client (F1 or help command)• IBM Tivoli Storage Manager Product support page• IBM Tivoli Storage Manager for Windows Backup-Archive Clients Installati

on and User's Guide• IBM Tivoli Storage Manager Problem Determination Guide• Redbooks for IBM Tivoli Storage Manager• IBM Tivoli Storage Manager Information Center• Microsoft TechNet - Administering Active Directory Backup and Restore• Microsoft Support• Where to go to open a PMR online if necessary• Where to go to open a PMR by phone if necessary


Restoring Active Directory

A few key points before we begin.•Throughout the presentation, focus will be put on restoring the Active Directory on Windows Server 2003

•The TSM Clients versions currently supported at the time of this presentation are 5.3 and 5.4

•All the examples used in this presentation are with the TSM Client 5.4


Backup requirements in order to restore Active Directory

•This section will cover the backup requirements for a successful restore of the Windows Active Directory. The key to a successful restore is to have a successful backup.


Backup requirements in order to successfully restore Active Directory

•The single most important requirement for a successful restore of Active Directory is a good backup which is a recent backup completed without errors.

•The Active Directory is part of the System State backup, therefore a good backup of System State is required

• In the event where the operating system has to be reinstalled, a good backup of the system drive, typically C:\ as well as System Services is also required.

•By default, the TSM Client is set to backup all local domains which include: System State, System Services and all local disks.

•Therefore, a TSM incremental backup will capture all the necessary objects required to restore the Active Directory or Domain Controller


Backup requirements in order to successfully restore Active Directory (continued)

• If performing manual backups, it is important to review the screen output to ensure a successful backup.

• If performing scheduled backups, it is important to review the TSM Scheduler Log (dsmsched.log) to ensure a successful backup.

• If any errors are encountered during the backup, the TSM Error Log (dsmerror.log) may contain additional information regarding the problem which should be investigated.

•A successful backup will report the following in dsmsched.log and on screen with a command line backup:

• 06/13/2007 11:00:00 Successful incremental backup of '\\computername\c$' • 06/13/2007 11:00:00 Successful incremental backup of 'System State'• 06/13/2007 11:00:00 Successful incremental backup of 'System Services'


Backup requirements in order to successfully restore Active Directory (continued)

•A number of fixes have recently been introduced in the TSM client which impact the success of complete system backups and restores.

•TSM client level 5.4.0 or newer is recommended for performing system backups and restores.

•Since Windows Server 2003 has been released, Microsoft also introduced a number of fixes included in Service Packs and Hot Fixes which can impact the ability to successfully backup and restore a system.

• It is recommended to be current with both the TSM Client and Windows Service Packs / Hot Fixes to avoid running into known problems which can impact your ability to successfully backup and restore your system.


Restoring a corrupt or deleted Active Directory

•This section will cover how to recover a deleted or corrupt Active Directory.


Restoring a corrupt or deleted Active Directory•There may be some requirements to restore only the Active Directory.

•TSM does not support restoring only the Active Directory or only certain components of Active Directory.

•The Active Directory is part of the System State backup and therefore System State has to be restored in order to restore the Active Directory.

• If restoring System State while the Active Directory is online, it will be necessary to reboot in Directory Services Restore Mode (DSRM).

• It is possible to restore only the NTDS or SYSVOL to an alternate location for manipulation with Microsoft utilities to recover from those restored files.

•Here is two example of commands you could use:• dsmc rest "{SYSTEM STATE}\WINDOWS\NTDS\*" c:\ntdsrest\ -sub=yes• dsmc rest "{SYSTEM STATE}\WINDOWS\SYSVOL\*" c:\svolrest\ -sub=yes


•Microsoft does provide very good documentation on various scenarios of recovery of the active directory.

•This guide in particular found on TechNet provides detailed instructions:

• http://technet2.microsoft.com/windowsserver/en/library/f66ee9e4-96d7-4f74-a2fe-d669194bf5a21033.mspx?mfr=true

• In scenarios where it is not desired or required to restore the entire operating system, this Microsoft guide can assist you with their utilities to recover your Active Directory.

•Since this guide treats Microsoft utilities such as NTDSUTIL and REPADMIN, we will not cover them in this presentation as our main focus is how you can use TSM.

• In most cases, Microsoft starts by restoring System State, which can easily be done with TSM. Microsoft's utilities and instructions can then be used to obtain the desired results.

Restoring a corrupt or deleted Active Directory (continued)


Restoring a single domain controller (first domain controller)

•This section will cover how to restore a Domain Controller when no other Domain Controllers are available.


Restoring a single domain controller (first domain controller)•An authoritative restore is required when restoring the only, or in the case of disaster recovery, when restoring the first of a series of domain controllers.

• In an authoritative restore, the FRSPRIMARYRESTORE option is used which will cause TSM to restore SYSVOL.

•The first step will be to install Windows 2003 Server on the machine in the same directory as on the original machine C:\Winnt or C:\Windows

•Apply the same Service Pack level as was originally on this machine.

•Do not promote this machine to a Domain Controller. The server will automatically become a domain controller after restore of the system objects is complete.


•Once Windows is installed, install the TSM Client and configure the dsm.opt to connect to your TSM Server.

• If running the TSM Client older than 5.3.4, you will need to restore the File Protection Catalog first.

• dsmc restore "{SYSTEM STATE}\windows\system32\catroot\*“ %systemroot%\system32\ -sub=yes -rep=all

• It is required to restore the following objects:• dsmc restore c:\* -subdir=yes –replace=all• dsmc restore systemstate –frsprimaryrestore=yes• dsmc restore systemservices

•When the server is rebooted, the Active Directory and File Replication Services will start.

•Because the FRSPRIMARYRESTORE option was used, the SYSVOL share will be created and available.

Restoring a single domain controller (first domain controller) (continued)


Restoring a single domain controller (active directory functional)

•This section will cover how to recover a Domain Controller while Active Directory is still functional on other Domain Controllers and Replicating Partners.


Restoring a single domain controller (active directory functional) (continued)• In most cases, a single domain controller will need to be restored while the Active Directory remains operational on other domain controllers in the domain.

•This type of restore is very simple as it is not different than restoring a standalone Windows 2003 Server.

•The FRSPRIMARYRESTORE option is not used, which means that SYSVOL will not get restored, but will get replicated by the File Replication Service

•The first step will be to install Windows 2003 Server on the machine in the same directory as on the original machine C:\Winnt or C:\Windows

•Apply the same Service Pack level as was originally on this machine.

•Do not promote this machine to a Domain Controller. The server will automatically become a domain controller after restore of the system objects is complete.


Restoring a single domain controller (active directory functional) (continued)•Once Windows is installed, install the TSM Client and configure the dsm.opt to connect to your TSM Server.

• If running the TSM Client older than 5.3.4, you will need to restore the File Protection Catalog first:

• dsmc restore "{SYSTEM STATE}\windows\system32\catroot\*“ %systemroot%\system32\ -sub=yes -rep=all

•You can now proceed to restore the following:• dsmc restore c:\* -subdir=yes –replace=all• dsmc restore systemstate• dsmc restore systemservices

•When the server is rebooted, the Active Directory and File Replication Services will start.


Restoring a single domain controller (active directory functional) (continued)•The newly restored Domain Controller will receive all the new entries that occurred between the time of backup and current time from the other Domain Controllers.

•During Active Directory replication, all entries have a sequence number, if the two domains have the same record, but with different sequence numbers, the most recent will be kept and replicated to the other. This is how the Active Directory gets to the most current state after a restore.

•The same applies to the File Replication Services. After a restore, if the FRSPRIMARYRESTORE option was not used, the SYSVOL data will get replicated from another Domain Controller and then the SYSVOL share will get created.


Restoring an entire Domain or Forest

•This section will cover special considerations to take when restoring an entire Domain or Forest.


Restoring an entire Domain or Forest

• In a disaster recovery scenario, it could be necessary to restore all the Windows Servers in the Domain and/or Forest.

•Special attention only needs to be put with the first Domain Controller restored in each domain where the FRSPRIMARYRESTORE option has to be used to restore SYSVOL on the first domain controller.

•Domain Controllers and other servers may also contain other essential services such as DNS, WINS and DHCP, just to name a few.

•Domain Controllers and other servers will require those essential services in order to function, therefore, the machines with essential services should be on top of the order of the machines to restore.

• If restoring multiple domains in a Forest, the trust relationship will be reestablished once each domain in the trust relationship are online.


Basic Troubleshooting

•This section will cover basic troubleshooting during a failed restore of Active Directory.


Basic Troubleshooting

•During the backup of System State and System Services, the TSM Client uses Microsoft’s Volume Shadow Copy Service (VSS).

• If there is a problem with VSS, the backup may fail with VSS errors. The following command can be used to see the state of the VSS writers:

• C:\> vssadmin list writers

•The above will list all the VSS writers and their state. If they are not in a stable state, the Event Viewer should be consulted for further information. Microsoft Support may need to be contacted for further assistance.


Basic Troubleshooting (continued)

•Following a Domain Controller recovery, errors in the Windows Event Viewer for FRS indicate that the server is prevented from becoming a domain controller due to problems with the SYSVOL share.

• In normal cases, this message will eventually be followed by another message indicating that SYSVOL has been shared and is no longer preventing the server from becoming a domain controller.

• If this does not happen, manual repairs to the SYSVOL structure may be required.

• In many cases, the SYSVOL directory structure can be repaired, and FRS will replicate in the correct contents of the SYSVOL.

•Microsoft article KB315457 provides details on how to rebuild the SYSVOL tree including the junction points which are required before a system can be returned to a domain controller.



• If there are errors during the restore, the first step will be to consult the dsmerror.log for more information on the nature of the problem.

• If the dsmerror.log points to a problem with the TSM Server, the TSM Server’s Activity Log should be reviewed.

•Any errors can be researched in the following:• IBM Tivoli Storage Manager Messages Version 5.4• IBM Tivoli Storage Manager Problem Determination Guide Version 5.4• IBM Tivoli Storage Manager Product support page



• It is possible that certain Windows services are not available after a restore.

• In such cases, the Event Viewer should be consulted for further explanation.

•Depending on the cause of the error, it may be necessary to further research the problem. Microsoft Support can be consulted for this:

• Microsoft Support

• If the problem is due to a component that was not restored properly, it will be necessary to review the TSM error log from the original backup to ensure the backup was successful.

• If the last backup was not successful, it may be necessary to restore from a previous backup.

• If no previous backups were successful, it will not be possible to perform a successful restore.


Q&A:

The operator will instruct you on how to ask your questions to the presenters.

tsm ad restore

Technology

active directory backup

corrupt active directory

successful backup

system state backup

directory services

deletedactive directory

tsm incremental backup

recent backup