Backing up Active Directory is essential to maintaining an Active Directory database. Users can back up Active Directory with the Graphical User Interface (GUI) and command-line tools that the Windows Server 2003 family provides.
Users should back up the system state data on domain controllers frequently so that they can restore the most current data. Establishing a regular backup schedule improves the chance of recovering data when necessary.
To ensure that a backup is usable, it must include at least the system state data and the contents of the system disk, and the user must be aware of the tombstone lifetime. By default, the tombstone lifetime is 60 days, and any backup older than 60 days is no longer a good backup. Plan to back up at least two domain controllers in each domain, and keep at least one backup that can be used for an authoritative restore of the data when necessary.
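As an added example (not part of the original article), the following script audits a constructed backup inventory against the two rules just stated: a backup older than the tombstone lifetime (60 days by default) is not usable, and each domain should have at least two domain controllers with a usable backup. The inventory, domain names and the fixed evaluation date are constructed sample data.

```python
# Added example (not from the original article): audits a backup inventory against the
# tombstone lifetime and the "two domain controllers per domain" rule described above.
from datetime import datetime, timedelta

TOMBSTONE_LIFETIME_DAYS = 60  # Windows Server 2003 default; use the forest's value if it was changed


def backup_is_usable(backup_time, now, tombstone_days=TOMBSTONE_LIFETIME_DAYS):
    """A system state backup older than the tombstone lifetime must not be restored.

    A backup exactly at the lifetime is treated as expired (conservative choice)."""
    return now - backup_time < timedelta(days=tombstone_days)


def audit_backups(inventory, now, tombstone_days=TOMBSTONE_LIFETIME_DAYS, min_dcs=2):
    """inventory: list of (domain, dc_name, backup_time) records.

    Returns {domain: {"usable_dcs": [...], "meets_policy": bool}}; a domain meets policy
    when at least min_dcs of its domain controllers have an in-lifetime backup."""
    newest = {}  # (domain, dc) -> newest usable backup time
    for domain, dc, when in inventory:
        if backup_is_usable(when, now, tombstone_days):
            key = (domain, dc)
            if key not in newest or when > newest[key]:
                newest[key] = when
    report = {}
    for domain in sorted({d for d, _, _ in inventory}):
        dcs = sorted(dc for (d, dc) in newest if d == domain)
        report[domain] = {"usable_dcs": dcs, "meets_policy": len(dcs) >= min_dcs}
    return report


# Constructed sample inventory: two domains, evaluated on a fixed date.
NOW = datetime(2004, 3, 1)
SAMPLE_INVENTORY = [
    ("corp.example.test", "DC1", datetime(2004, 2, 28)),        # 2 days old: usable
    ("corp.example.test", "DC2", datetime(2003, 12, 20)),       # 72 days old: past tombstone lifetime
    ("corp.example.test", "DC2", datetime(2004, 2, 1)),         # 29 days old: usable (newest for DC2)
    ("child.corp.example.test", "DC3", datetime(2004, 2, 27)),  # only one DC in this domain backed up
]

if __name__ == "__main__":
    for domain, result in audit_backups(SAMPLE_INVENTORY, NOW).items():
        print(domain, result)
```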
System State Data
Several features in the Windows Server 2003 family make it easy to back up Active Directory. Users can back up Active Directory while the server is online, and other network services continue to operate.
System state data on a domain controller includes the following components:
- Active Directory: System state data includes Active Directory only if the server whose system state is being backed up is a domain controller. Active Directory is present only on domain controllers.
- The SYSVOL shared folder: This shared folder contains Group Policy templates and logon scripts. The SYSVOL shared folder is present only on domain controllers.
- The Registry: This database repository contains information about the computer's configuration.
- System startup files: Windows Server 2003 requires these files during its initial startup phase. They include the boot and system files that are under Windows File Protection and that Windows uses to load, configure, and run the operating system.
- The COM+ Class Registration database: This is a database of information about Component Services applications.
- The Certificate Services database: This database contains the certificates that a server running Windows Server 2003 uses to authenticate users. The Certificate Services database is present only if the server is operating as a certificate server.
System state data contains most elements of a system's configuration, but it may not include all of the information required to recover from a system failure. Therefore, be sure to back up all boot and system volumes, including the System State, when a server is backed up.
Restoring Active Directory
In the Windows Server 2003 family, users can restore the Active Directory database if it becomes corrupted or is destroyed because of hardware or software failures. Users can also restore the Active Directory database to recover objects in Active Directory that were changed or deleted.
Active Directory can be restored in several ways. One is replication, which synchronizes the latest changes from every other replication partner; once replication has finished, each partner has an updated copy of Active Directory. Another is the Backup utility, which restores replicated data from a backup copy. Neither approach requires reconfiguring the domain controller or installing the operating system from scratch.
Active Directory Restore Methods
Users can use one of three methods to restore Active Directory from backup media: primary restore, normal (nonauthoritative) restore, and authoritative restore.
- Primary restore: This method rebuilds the first domain controller in a domain when there is no other way to rebuild the domain. Perform a primary restore only when all the domain controllers in the domain are lost and the domain must be rebuilt from the backup.
Members of the Administrators group, or users who have been delegated this responsibility, can perform a primary restore on a local computer. Only Domain Admins can perform this restore on a domain controller.
- Normal restore: This method reinstates the Active Directory data to the state captured in the backup and then updates that data through the normal replication process. Perform a normal restore to return a single domain controller to a previously known good state.
- Authoritative restore: Perform this method together with a normal restore. An authoritative restore marks specific data as current and prevents replication from overwriting that data. The authoritative data is then replicated through the domain.
Perform an authoritative restore to recover individual objects in a domain that has multiple domain controllers. When an authoritative restore is performed, all changes to the restored object that occurred after the backup are lost. Ntdsutil is a command-line utility, included with the Windows Server 2003 system tools, that performs an authoritative restore. The Ntdsutil executable marks Active Directory objects as authoritative by giving them a higher version number than the recently changed data on other domain controllers, so that replication does not overwrite the restored data.
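The difference between a normal and an authoritative restore comes down to the version numbers that replication compares. The following toy model, added here and not taken from the article or from Ntdsutil itself, restores an object that was deleted after the backup and shows that a normal restore is undone by replication while an authoritative restore survives. The per-attribute "higher version wins" rule, the version increment, and the object data are assumptions of this model.

```python
# Added example (not from the original article): a toy model of replication conflict
# resolution showing why a normal restore of a deleted object is undone by replication
# while an authoritative restore survives. The "higher version wins" rule is the
# article's point; the bump amount and the data model are assumptions of this model.
from copy import deepcopy

AUTH_BUMP = 100000  # assumed increment; ntdsutil uses its own version-number formula


def replicate(src, dst):
    """Pull src into dst; for each attribute the higher version number wins."""
    for dn, obj in src.items():
        target = dst.setdefault(dn, {})
        for attr, (ver, val) in obj.items():
            if attr not in target or ver > target[attr][0]:
                target[attr] = (ver, val)
    return dst


def normal_restore(backup, dn):
    """Restore the object exactly as backed up, version numbers included."""
    return {dn: deepcopy(backup[dn])}


def authoritative_restore(backup, dn, bump=AUTH_BUMP):
    """Restore the object and raise every attribute version above what partners hold."""
    return {dn: {attr: (ver + bump, val) for attr, (ver, val) in backup[dn].items()}}


def is_deleted(obj):
    return obj.get("isDeleted", (0, False))[1]


def restore_scenario(authoritative):
    """Constructed scenario: object deleted after the backup, then restored on DC1.

    Returns (deleted_on_dc1, deleted_on_dc2) after replication in both directions."""
    dn = "CN=alice,OU=Staff,DC=example,DC=test"  # constructed DN
    backup = {dn: {"sAMAccountName": (1, "alice"), "isDeleted": (1, False)}}
    # After the backup the object was deleted; the tombstone replicated to partner DC2.
    dc2 = {dn: {"sAMAccountName": (1, "alice"), "isDeleted": (2, True)}}
    dc1 = authoritative_restore(backup, dn) if authoritative else normal_restore(backup, dn)
    replicate(dc2, dc1)  # DC1 pulls partner changes after coming back online
    replicate(dc1, dc2)  # then DC2 pulls from DC1
    return is_deleted(dc1[dn]), is_deleted(dc2[dn])


if __name__ == "__main__":
    print("normal restore, deleted on (DC1, DC2):", restore_scenario(False))
    print("authoritative restore, deleted on (DC1, DC2):", restore_scenario(True))
```

With a normal restore the partner's newer tombstone wins and the object is deleted again on both controllers; with an authoritative restore the bumped versions win and the object returns everywhere.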