Drive Imaging and AD

Anonymous
June 14, 2005 4:11:22 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Are there any specific problems with regards to drive imaging and active
directory?

I am thinking of having a regular drive image taken of my servers system
drives for quick recovery purposes. This is likely to be once per month
plus an image prior to any major hardware/software change. I'm choosing
once per month due to not wanting to be near the AD tombstone 60 day
period as well as not being too onerous a job that will become a pain in
itself!

I take tape backups daily and as well as system drives and data they
include the system state so I was thinking a restored image + restore of
most recent system state should get me back to the most workable
position unless there are major hardware changes.

That be about right?

Anonymous
June 14, 2005 4:11:23 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

> Are there any specific problems with regards to drive imaging and active
> directory?

As long as you can get a consistent (file and record locking etc.)
image that is fine.


> I am thinking of having a regular drive image taken of my servers system
> drives for quick recovery purposes. This is likely to be once per month
> plus an image prior to any major hardware/software change.

Fine, just realize that they are only good for about 2 months
(on DCs the tombstone lifetime defaults to 60 days.)


> I'm choosing
> once per month due to not wanting to be near the AD tombstone 60 day
> period as well as not being too onerous a job that will become a pain in
> itself!

And that 30 days is a pretty long interval if you make AD
changes so you might consider system state backups on
a much more frequent basis.

> I take tape backups daily and as well as system drives and data they
> include the system state so I was thinking a restored image + restore of
> most recent system state should get me back to the most workable
> position unless there are major hardware changes.

Then it can't hurt. BTW, most people never TEST their backups
and are then disappointed to find that they are worthless, more
often than one would expect.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

"jas0n" <no@email.here> wrote in message
news:MPG.1d1822f1381bb9d69896a6@news.microsoft.com...
>
> That be about right?
Anonymous
June 14, 2005 2:11:55 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Drive imaging is a solution for AD backup purposes under only three very
constrained situations -

1. You have only 1 DC
2. You have drive imaged all DCs in all domains in the entire forest at
precisely the same time and will restore all DCs from those images
simultaneously
3. You have imaged a DC representing each partition within the forest
and are prepared to forcibly demote, metadata clean and re-introduce ALL
other DCs

It seems that this question is haunting me at the moment as I've been
asked it more times than I count over the past 2 weeks or so (TechEd
being the primary source). Restoring an imaged DC outside of the
constrained scenarios above causes an issue known as USN rollback and
will almost certainly leave your forest in an inconsistent state
....worse, the forest will believe itself to _be_ consistent. It is
neither supported nor recommended.

Note that this also applies to any form of backup that does not inform
the Directory Service that it has been restored (this requires a GUID
known as the Invocation ID to be regenerated).

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

jas0n wrote:
> Are there any specific problems with regards to drive imaging and
> active directory?
>
> I am thinking of having a regular drive image taken of my servers
> system drives for quick recovery purposes. This is likely to be once
> per month plus an image prior to any major hardware/software change.
> I'm choosing once per month due to not wanting to be near the AD
> tombstone 60 day period as well as not being too onerous a job that
> will become a pain in itself!
>
> I take tape backups daily and as well as system drives and data they
> include the system state so I was thinking a restored image + restore
> of most recent system state should get me back to the most workable
> position unless there are major hardware changes.
>
> That be about right?
Anonymous
June 14, 2005 5:04:21 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

> It seems that this question is haunting me at the moment as I've been
> asked it more times than I count over the past 2 weeks or so (TechEd
> being the primary source). Restoring an imaged DC outside of the
> constrained scenarios above causes an issue known as USN rollback and
> will almost certainly leave your forest in an inconsistent state
> ...worse, the forest will believe itself to _be_ consistent. It is
> neither supported nor recommended.

How does a normal (tape/disk) backup work differently?
Anonymous
June 14, 2005 6:49:04 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

They alter the Invocation ID within the DIT during the restore ...

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

Herb Martin wrote:
>> It seems that this question is haunting me at the moment as I've been
>> asked it more times than I count over the past 2 weeks or so (TechEd
>> being the primary source). Restoring an imaged DC outside of the
>> constrained scenarios above causes an issue known as USN rollback and
>> will almost certainly leave your forest in an inconsistent state
>> ...worse, the forest will believe itself to _be_ consistent. It is
>> neither supported nor recommended.
>
> How does a normal (tape/disk) backup work differently?
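
A simplified model of the mechanism described in the two posts above, showing why an image restore (same Invocation ID, older USN) leaves partners silently ignoring new changes while a restore that regenerates the Invocation ID converges. This is an added example, not code from anyone in the thread; the `DC` class, `scenario` function and object names are constructed for illustration and do not reproduce real AD replication.

```python
import uuid

class DC:
    """Toy domain controller: an invocation ID, a USN counter and a change log."""
    def __init__(self):
        self.invocation_id = uuid.uuid4()
        self.usn = 0
        self.log = []     # (originating invocation ID, USN, object) tuples
        self.utd = {}     # up-to-dateness vector: invocation ID -> highest USN applied

    def objects(self):
        return {obj for _, _, obj in self.log}

    def write(self, obj):
        self.usn += 1
        self.log.append((self.invocation_id, self.usn, obj))

    def pull_from(self, source):
        """Apply only changes above the watermark held for their originating ID."""
        for inv, usn, obj in list(source.log):
            if inv != self.invocation_id and usn > self.utd.get(inv, 0):
                self.log.append((inv, usn, obj))
                self.utd[inv] = usn

    def snapshot(self):
        return self.invocation_id, self.usn, list(self.log), dict(self.utd)

    def restore(self, snap, informs_directory_service):
        old_id, self.usn, log, utd = snap
        self.log, self.utd = list(log), dict(utd)
        if informs_directory_service:          # modelled system state restore
            self.utd[old_id] = self.usn        # old ID retired at the backed-up USN
            self.invocation_id = uuid.uuid4()
        else:                                  # raw disk image: same ID, old USN
            self.invocation_id = old_id

def scenario(informs_directory_service):
    dc1, dc2 = DC(), DC()
    dc1.write("user-a")                        # USN 1
    image = dc1.snapshot()
    dc1.write("user-b"); dc1.write("user-c")   # USN 2 and 3
    dc2.pull_from(dc1)                         # DC2 watermark for DC1 is 3
    dc1.restore(image, informs_directory_service)
    # Defender's check: does a partner remember a higher USN than the source has?
    rollback = dc2.utd.get(dc1.invocation_id, 0) > dc1.usn
    dc1.write("user-d")                        # reuses USN 2 after an image restore
    dc2.pull_from(dc1); dc1.pull_from(dc2)
    return {"rollback": rollback, "dc1": dc1.objects(), "dc2": dc2.objects()}
```

With `scenario(False)` the two DCs end up holding different objects and neither requests anything further; with `scenario(True)` both hold all four.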
Anonymous
June 14, 2005 7:02:18 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

As an aside, the Invocation ID is also altered on a 2003 DC when an app.
NC is added, removed and later re-added. This is the motivation for the
existence of the msDS-RetiredReplNCsignatures (or something along the
lines of that name), it records the NCs held by a particular DC for its
lifetime (maintained by a DC's NTDSDSA instance I believe).

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

Herb Martin wrote:
>> It seems that this question is haunting me at the moment as I've been
>> asked it more times than I count over the past 2 weeks or so (TechEd
>> being the primary source). Restoring an imaged DC outside of the
>> constrained scenarios above causes an issue known as USN rollback and
>> will almost certainly leave your forest in an inconsistent state
>> ...worse, the forest will believe itself to _be_ consistent. It is
>> neither supported nor recommended.
>
> How does a normal (tape/disk) backup work differently?
Anonymous
June 14, 2005 7:36:54 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Dean Wells [MVP] wrote:

> Drive imaging is a solution for AD backup purposes under only three very
> constrained situations -
>
> 1. You have only 1 DC
> 2. You have drive imaged all DCs in all domains in the entire forest at
> precisely the same time and will restore all DCs from those images
> simultaneously
> 3. You have imaged a DC representing each partition within the forest
> and are prepared to forcibly demote, metadata clean and re-introduce ALL

How about restoring the server from the ghost image (unplugged from
network). Then doing a non-authoritative system state restore from
backup then replugging it back into network? Is this likely to work?

(obviously dependent on taking nightly backups, and regular ghosts)


--
Chris Salter
Anonymous
June 14, 2005 7:36:55 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Why use Ghost to restore it if you already have a System-State backup to
hand?

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

Chris Salter wrote:
> Dean Wells [MVP] wrote:
>
>> Drive imaging is a solution for AD backup purposes under only three
>> very constrained situations -
>>
>> 1. You have only 1 DC
>> 2. You have drive imaged all DCs in all domains in the entire forest
>> at precisely the same time and will restore all DCs from those images
>> simultaneously
>> 3. You have imaged a DC representing each partition within the forest
>> and are prepared to forcibly demote, metadata clean and re-introduce
>> ALL
>
> How about restoring the server from the ghost image (unplugged from
> network). Then doing a non-authoritative system state restore from
> backup then replugging it back into network? Is this likely to work?
>
> (obviously dependent on taking nightly backups, and regular ghosts)
Anonymous
June 17, 2005 3:54:59 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

In article <1118759815.26451.0@sabbath.news.uk.clara.net>,
chriss@hotmail.com says...
> Dean Wells [MVP] wrote:
>
> > Drive imaging is a solution for AD backup purposes under only three very
> > constrained situations -
> >
> > 1. You have only 1 DC
> > 2. You have drive imaged all DCs in all domains in the entire forest at
> > precisely the same time and will restore all DCs from those images
> > simultaneously
> > 3. You have imaged a DC representing each partition within the forest
> > and are prepared to forcibly demote, metadata clean and re-introduce ALL
>
> How about restoring the server from the ghost image (unplugged from
> network). Then doing a non-authoritative system state restore from
> backup then replugging it back into network? Is this likely to work?
>
> (obviously dependent on taking nightly backups, and regular ghosts)
>
>
> --
> Chris Salter
>

Yes, that's how I would have tackled it ....
Anonymous
June 17, 2005 3:58:49 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

In article <uC$DniPcFHA.2664@TK2MSFTNGP15.phx.gbl>,
dwells@mask.msetechnology.com says...
> Why use Ghost to restore it if you already have a System-State backup to
> hand?
>
>

my thinking for an image is if the file system is toasted it would be
quick to restore the image and then a non-authoritative restore of the
system state whilst the system was off the network ... at which point
plug it back in

would that work?

..... i am soon to have a test server to start doing some thorough DC and
exchange server restore testing from existing ultrium backups
Anonymous
June 17, 2005 3:58:50 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Yes.

--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

jas0n wrote:
> In article <uC$DniPcFHA.2664@TK2MSFTNGP15.phx.gbl>,
> dwells@mask.msetechnology.com says...
>> Why use Ghost to restore it if you already have a System-State
>> backup to hand?
>>
>>
>
> my thinking for an image is if the file system is toasted it would be
> quick to restore the image and then a non-authoritative restore of the
> system state whilst the system was off the network ... at which point
> plug it back in
>
> would that work?
>
> .... i am soon to have a test server to start doing some thorough DC
> and exchange server restore testing from existing ultrium backups