Windows 2003 Dcpromo

Scheduled System State Backups
To facilitate quick recovery of DCs, you should perform daily system state backups of at least one GC in each AD site for each domain that has a DC present in that site. You can use simple shell scripting to centrally manage and deploy a large number of scheduled DC backups. The script relies on the schtasks.exe command-line utility, which Windows 2003 and Windows XP include in the %windir%\system32 directory. Schtasks.exe is similar to NT's at.exe command, in that it lets you remotely manage schedule jobs. However, schtasks.exe is much more robust than at.exe. If you're trying to push out scheduled jobs to systems in trusted domains and you're using trusted domain accounts for the scheduled job's user context, schtasks.exe will fail to apply the account information to the scheduled job. To avoid this problem, deploy scheduled jobs from a system within the same domain as the target systems, and use service accounts from within the same domain. Another consideration is that you can't use schtasks.exe to create a local scheduled job under the context of a different account from the locally logged-on account. Therefore, to programmatically manage your system state backups, you should run SSBU-Control.bat on a server that's not in use (e.g., a domain member server). Web Listing 1 (http://www.winnetmag.com, InstantDoc ID 39767) contains this script.

SSBU-Control.bat is the engine that controls the entire process of deploying and verifying the backups and schedule jobs. Specifically, it verifies the existence of a "system-state-backup" scheduled job on any number of DCs. If the scheduled job doesn't exist, SSBU-Control.bat creates a new one automatically and logs the event to a file. The script also creates the necessary folder structure on the target DC and copies to the DC a couple of files needed to configure the backup. Further, the script verifies that a system state backup file exists on each DC and logs the details—including the file-modification date—to a central file for viewing or emailing. For example, the target directory on the DC is J:\system-state-backup\job. When the scheduled backup job runs, the backup will automatically create the backup file in J:\system-state-backup.

You must run SSBU-Control.bat under the context of the same service account you use for the system state backup jobs you're deploying. Doing so prevents conflicting credentials on the target server at script runtime. If you run the script manually within a command session, make sure that the command session is running under the context of the service account.

The steps for using shell scripting to set up scheduled system state backups are as follows:

1. Copy and customize SSBU-Control.bat. Be sure to edit the variables at the top of the file to customize it to your environment. I recommend that you store the backups on a drive other than the drive that contains your directory. In the event of a DIT drive failure, you'll still have the backup file available for recovery.
2. Create a batch file called ssbu.bat, which Web Listing 2 shows (http://www.winnetmag.com, InstantDoc ID 39767), that contains the command contents. SSBU-Control.bat will automatically copy this batch file to the DC and run the batch file locally on the DC to perform the backup. Make sure that the BKDrive variable at the top matches your target drive letter. Also, note that the backup time in this file is set for 2 a.m. If this time isn't suitable, insert a more convenient time. For further details about scheduling backups, see "Scheduling Command-Line Win2K Backups," September 2002, http://www.winnetmag.com, Instant Doc ID 25961.
3. Set up a service account in the local domain with privileges to back up the system state data and access the share point where the backups will reside. Ssbu.bat requires access to the J$ share on the DC. You can use the variables at the top of ssbu.bat to modify the share point.
4. On your source server (i.e., the server you want to use for managing the system state backups), create the C:\scripts\ssbu folder. This folder is the source directory.
5. In the source directory, create a file called dclist.txt that contains a list of DCs you want to back up. Each line in the file should contain the name of only one server. You can use either Fully Qualified Domain Names (FQDNs) or NetBIOS names, assuming name resolution in either scenario is working correctly in your environment.
6. Create a backup file named system-state-backup.bks. To do so, start NTBackup and click Advanced Mode on the first screen. On the next screen, go to the Backup tab and select the System State check box. Under the Job menu, select Save Selection As and save the file with the name system-state-backup.bks to the source directory. This file tells NTBackup what to back up.
7. Make sure that schtasks.exe is in either the source directory or the path. I used schtasks.exe version 5.1.2600.0 in SSBU-Control.bat. This version runs on Windows 2003, XP, and Win2K.
8. Create a scheduled job on your management server that runs SSBU-Control.bat once per day. This automated script will help you sleep better because you'll know that your scheduled system state backup jobs are in place and running properly. If a backup job is missing from a DC, the script fixes the problem and logs the information to a file. The SSBU_JOB_STATUS.txt file shows the backup job status on all DCs, and the SSBU-Log.txt file lists each DC and the system state backup files, so you can verify that the backup files are current and the appropriate size. Simply review these files each day.

Breathe Easier
DC promotions have come a long way since the early days of NT. Forced demotion and promotion from media give you new options for managing the deployment and disaster recovery of DCs and GCs. These new features, coupled with the ability to use schtasks.exe and NTBackup to deploy and maintain your system state backup jobs from a central location, will greatly simplify your job.