Comprehensive data protection for all workloads
Unison
Enthusiast
Posts: 87
Liked: 16 times
Joined: Feb 17, 2012 6:02 am
Full Name: Gav
Contact:

Multiple Domain Controllers - How to Backup?

Post by Unison » May 14, 2012 3:40 am

Hi guys,
I have done a bit of searching around but couldnt really find a quality answer on this.
If i have multiple Domain Controllers - how should i be backing them up with veeam to ensure i can recover them both back to the exact same point in time?

If something goes wrong with one of your domain controllers and you need to restore it - then you must also be able to restore all other DCs to the exact same point in time otherwise your going to get AD corruption, UNC Roll back issues etc etc...
If you cant restore all DCs back to the same time then you may as well not even bother doing the restore.

With veeam i tried adding the two DCs to the same backup job, but it backs up one VM, and doesnt backup the second VM until the first is done.....so they will be well out of synch by then. Now i have created two separate backup jobs - one for each DC. I created the jobs a quickly as i could and both are set to backup hourly.....their 'next run time' shows only about 40 seconds in between - which is pretty close but i fear that there will still be inconsistencies between the two DCs if i ever had to restore them both back to a point in time.

Is there any way to force both the jobs to run at the exact same time? So that the snapshot is captured at the exact same point?

Vitaliy S.
Product Manager
Posts: 21998
Liked: 1352 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Multiple Domain Controllers - How to Backup?

Post by Vitaliy S. » May 14, 2012 8:57 am

Hi Gav,

Here is the procedure you should follow while restoring multiple DCs into a fresh environment where no other/existing DCs are available:
Active Directory and DR Site
Unison wrote:Is there any way to force both the jobs to run at the exact same time? So that the snapshot is captured at the exact same point?
Currently it is not possible because of the reasons described in this thread: Synchronized VM's backup/replication

Hope this helps!

zoltank
Expert
Posts: 215
Liked: 33 times
Joined: Feb 18, 2011 5:01 pm
Contact:

Re: Multiple Domain Controllers - How to Backup?

Post by zoltank » May 14, 2012 11:33 am

What version of Windows are your domain controllers?

Unison
Enthusiast
Posts: 87
Liked: 16 times
Joined: Feb 17, 2012 6:02 am
Full Name: Gav
Contact:

Re: Multiple Domain Controllers - How to Backup?

Post by Unison » May 14, 2012 11:35 pm

Thanks Vitality,
From that post i understand now that veeam is just requesting the snapshot to take place so even if i could force them to start at the exact same time, the actual snapshot might not happen at the same time.
I suspect for this case, i will just have to rely on the fact that both DCs are backed up with VSS enabled and when they are both recovered together - they will both recognise that they are 'recovered DC's' and they will 'retire' their USN identifiers and start a new set (they both did this successfully when i p2ved them with vmware converter - so hopefully they will do the same with veeam - i will test this too shortly by recovering to an isolated network.). Both are server 2003. I separated isolated each of them then p2ved them one at a time - then joined them back together in the virtual environment. The directory services log in both DCs reported knowing that the DC was 'recovered' and that the UNC identifiers of both DCs was successfully retired - using repadmin i could then see the retired UNC numbers and the new UNC number sets for both DCs and that they were successfully synching and updating with each other.
When i test the restore of both DCs to the isolated vswitch, i will test that the same thing happens. I will keep these two DCs backing up hourly together - as close as possible, because if i ever do have to recover one of them, i will choose to recover both. Would you recommend that too or is it really not necessary? Because of VSS, just the one recovered DC will 'catch up' to the good DC because it will copy back all the changes using the different UNC numbers - this would work for just a DC but not a DC that holds all the roles and GC?

Zoltank - both DCs are 2003 - do you have something to add?

Thanks guys

Gostev
SVP, Product Management
Posts: 23602
Liked: 3112 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Multiple Domain Controllers - How to Backup?

Post by Gostev » May 15, 2012 8:12 pm 1 person likes this post

Actually, it is almost the opposite.

Single failed DC:
Just do normal full VM restore from earlier backup. This would result in automated non-authoritative restore, and the restored DC will sync up with the other DCs automatically. There is huge topic about this around here with more details on this scenario.

Whole Active Directory restore:
1. First, perform authoritative restore of a DC from backup before corruption occurred. This is a manual process (look for an existing topic), and it will push the directory state from the restored DC to all other live DCs
2. Then, if needed also restore all non-functioning DCs normally (from earlier backups than the one that was used for authoritative restore).

I cannot vouch for the whole directory recovery process, as it really quite beyond our product and requires really good knowledge of AD (which I once had in the previous life, but forgot most things by now). But I can vouch for the single failed DC restore scenario (as this is most common restore scenario, and is exactly what you will need to do in 99.9% of cases).

Unison
Enthusiast
Posts: 87
Liked: 16 times
Joined: Feb 17, 2012 6:02 am
Full Name: Gav
Contact:

Re: Multiple Domain Controllers - How to Backup?

Post by Unison » May 17, 2012 12:58 am

Thanks Anton,
I will change my restore strategy for DCs.
No need to be backing them up as close together as possible. With the more likely single DC failure, i can just recover that one from a past point in time - AD will then catch it up using the still running and good DC on the network.
In the event both DCs are toast or AD gets corrupted - I will just recover one DC to just before the issue occurred....and recover the second DC to a point before the recovery time of the first recovered DC (putting it behind the first recovered DC but it will then catch up).

Thanks for the clarity Anton :)

aeccles
Enthusiast
Posts: 80
Liked: 6 times
Joined: May 01, 2012 3:00 pm
Contact:

[MERGED] : Should Domain Controllers be backed up in the sam

Post by aeccles » Jun 17, 2013 4:20 pm

I was going over a restore scenario and started to wonder if backing up my Domain Controllers at different times during the night (currently 4 hours between jobs) could result in issues if I ever needed to do a full network restore. For Example if I backup DC1 at 6pm and 2 account changes are done at 7pm and then DC2 backs up at 10pm.

When I restore, DC1 could end up running for a while before DC2 is completely restored (Has an archive file store in my case of 500gb). If changes were made to my restored DC1 before DC2 is online, could they end up in an inconsistent state?

And if so, can I remedy this by putting them in the same job?

Thanks

v.Eremin
Product Manager
Posts: 15764
Liked: 1240 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: Multiple Domain Controllers - How to Backup?

Post by v.Eremin » Jun 17, 2013 4:35 pm

You have been merged to the existing thread regarding similar issue; so, kindly take a look at the answers provided above.

As to your questions, there is no particular need to backup both DCs at the same time. In case of full AD restore, just use the backup that occurred closer to the time when an issue appeared and sync the second DC with it later.

Thanks.

aeccles
Enthusiast
Posts: 80
Liked: 6 times
Joined: May 01, 2012 3:00 pm
Contact:

Re: Multiple Domain Controllers - How to Backup?

Post by aeccles » Jun 17, 2013 5:19 pm

Thanks Eremin, That does answer my specific question. I have a related follow-up however.

After reading all of the related posts, I am a bit confused as to what the agreed upon method (Authoritative vs. Non-Authoritative) is for DC recovery in a disaster scenario in which all DCs(Server2008) must be fully recovered into a new enviornment.

From what I understand, the best method is to:
1) Restore the most recently backed up DC first in the default non-authoritative mode (as you mentioned.)
2) Wait 20-30 minutes for the process to complete
3) Perform a authoritative SYSVOL restore - http://msdn.microsoft.com/en-us/library/cc507518 (VS.85)
4) Restore the other DC, again in the standard non-authoritative mode

Does that sound correct?

v.Eremin
Product Manager
Posts: 15764
Liked: 1240 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: Multiple Domain Controllers - How to Backup?

Post by v.Eremin » Jun 18, 2013 8:44 am

Yep, you’ve got the point right.
Restore the most recently backed up DC first in the default non-authoritative mode (as you mentioned.)
The process of restoring domain controller in non-authoritative mode will handled for you by Veeam Backup and Replication.

Thanks.

HussainMahfood
Enthusiast
Posts: 35
Liked: 7 times
Joined: Jun 24, 2013 9:43 am
Full Name: Hussain Mahfood
Contact:

[MERGED] : Veeam 6.5 with latest patch and DCs restore

Post by HussainMahfood » Jun 24, 2013 9:58 am

I know that Veeam it has its own way to the restore of the DCs. but is there any sequence or KB to the way that we need to follow for restoring two DCs.

We have 2 DCs one running 2012 and one running 2008 r2 the forest running in 2008r2 mode. The PDC is 2008 r2 when we restore both to the test environment that is separated from production. nothing works...

*DC with 2008 r2 run in normal mode but DC services are not functional. while it is running if I restarted the Active Directory domain services service. it run for awhile like 5 to 10 minutes then stopped again. :evil:

*DC with 2012 run all the time in safe mode and using the commands mentioned in the

note: I use application aware during the backup

Veeam it should have a clear steps for the DC restore

foggy
Veeam Software
Posts: 17391
Liked: 1443 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Multiple Domain Controllers - How to Backup?

Post by foggy » Jun 24, 2013 11:26 am

Hussain, please review the thread you've been merged into for details on restoring multiple DCs in a completely new environment. If you still have any questions, feel free to ask here. Thanks!

HussainMahfood
Enthusiast
Posts: 35
Liked: 7 times
Joined: Jun 24, 2013 9:43 am
Full Name: Hussain Mahfood
Contact:

Re: Multiple Domain Controllers - How to Backup?

Post by HussainMahfood » Jun 24, 2013 1:16 pm

Thanks for the merge
Executed the following command:

ntdsutil
ntdsutil: activate instance ntds
ntdsutil: authoritative restore
ntdsutil authoritative restore: "restore database" (can not execute this command in windows 2008 r2)


what to do ?

HussainMahfood
Enthusiast
Posts: 35
Liked: 7 times
Joined: Jun 24, 2013 9:43 am
Full Name: Hussain Mahfood
Contact:

Re: Multiple Domain Controllers - How to Backup?

Post by HussainMahfood » Jun 25, 2013 2:18 pm

I am stuck at the authoritative restore. where I need to issue command

restore database. it is not available in windows 2008 r2 any help ????

HussainMahfood
Enthusiast
Posts: 35
Liked: 7 times
Joined: Jun 24, 2013 9:43 am
Full Name: Hussain Mahfood
Contact:

Re: Multiple Domain Controllers - How to Backup?

Post by HussainMahfood » Jun 26, 2013 7:01 am

created a case number Case # 00256753. will update you once I found a solation.

Post Reply

Who is online

Users browsing this forum: Bing [Bot] and 26 guests