September 26, 2008 12:00 AM

Windows Server Backup for Active Directory

Snapshots add to flexibility
Windows IT Pro
InstantDoc ID #99967

Backing Up a DC
The first step toward backing up a DC is to install Windows Server Backup on your Server 2008 system. On a full server installation, using Server Manager’s Add Features Wizard is the easiest approach. On a Server Core system, execute the command

ocsetup WindowsServerBackup

Before you perform any backups, you need to configure the Optimize Backup Performance settings for Windows Server Backup. You can find these settings in the Windows Server Backup menu’s task pane or by right-clicking the Windows Server Backup node under Storage in the Server Manager tree. By default, Windows Server Backup always performs a full backup, but as Figure 2 shows, you can configure it to perform incremental backups. Unfortunately, Server Core offers no command-line option to help you configure the settings. Microsoft recommends connecting to the Server Core box from a full server running Windows Server Backup and configuring the settings remotely.

The Optimize Backup Performance settings let you specify whether Windows Server Backup should keep or erase the VSS snapshots that it automatically creates on the source disk during each backup cycle. When you choose incremental backups, you choose to keep the snapshots on the disk; when you choose full backup, the snapshots are erased after the backup is finished. Keeping the snapshots lets the system automatically track changes on the source disk at runtime. However, tracking changes requires VSS to copy the original block to the shadow copy area before overwriting the source block. That procedure initiates extra disk activity and requires additional space on the source disk. On servers with write-intensive applications, keeping the shadow copies can slow disk performance.

Which option should you choose for your DCs? Incremental backups are better for two reasons. First, DCs are much more often read from rather than written to, so they tend not to be write intensive and don’t take much of a performance hit from the VSS activity. Second, you can use the shadow copies for other AD recovery options. For each of your hard disks, you can configure the amount of space devoted to snapshots by using the Microsoft Management Console Disk Management snap-in or the vssadmin.exe command-line tool, both of which are installed with the OS.

On a full-server system, you can configure a backup with a few simple choices in the Windows Server Backup UI. On Windows Server Backup’s Action menu, click Backup once to launch the Backup Once Wizard and let it guide you through the configuration process. When you reach the Select backup items page, make sure that the Enable system recovery check box is selected to ensure recovery of the AD database. The Enable system recovery option backs up all volumes that contain system-state data. Note that you can also schedule a backup; however, this option requires a dedicated local disk that’s used only by Windows Server Backup.

The best way to deploy DCs, however, is on a Server Core system, as it is more secure by default and thus reduces the attack surface on your DCs. But of course, a Server Core deployment means that you have to do most administration through the command line. Here’s how to perform a backup from the command line:

1. To back up the full system, including all critical volumes (i.e., those that contain system data such as the AD database), thus allowing bare-metal recovery, run the command

WBADMIN Start Backup -backupTarget:D: -allCritical

replacing D: with the target drive on which you’ll store the backup. If the target is a network location, enter the Universal Naming Convention path to the share (e.g., \\Server2.corp.net\BackupData).

2. To back up only the system state, use the command

WBADMIN Start SystemStateBackup -backupTarget:C:

Note that this command doesn’t require the -allCritical option; the Start SystemStateBackup command always backs up all system data.

With either command, the result is a folder on the target named WindowsImageBackup. The folder contains a subfolder with the server’s short name (“W2K8Full04” in Figure 3). The actual backup data is stored in the server folder, primarily in a VHD file that contains all the blocks of data. Some XML files hold registry and other settings. You can copy the whole WindowsImageBackup folder to a different location (on the network or on disk), but you must keep the same folder structure to allow the recovery process to find the backup data.

Unless you’re using the DC for many other functions (which is most likely for small-to-midsized businesses) and have no opportunity to back up the full system to a local drive, there isn’t much point in creating just a system-state backup for DCs. A full system backup of a Server 2008 DC that doesn’t host a plethora of other services (which is the optimal case for writeable DCs) typically isn’t much larger than a system-state backup of the same machine. More important, with a full system backup you can perform incremental backups, which you can’t when using the system-state backup option. Incremental backup saves considerable time and disk space if you want to keep multiple backup versions on your target disk. Also, you can use full-system-backup files to perform a system-state recovery.

Performing a Complete DC Recovery
Recovering a Server 2008 DC from scratch with Windows Server Backup involves a few more steps than does performing the backup. But compared to the process for earlier Windows OSs, which used Ntbackup to perform full system recoveries, the new process is fairly simple: It doesn’t require you to first reinstall the OS, but simply applies the image of the system volume(s) stored in the backup’s VHD file(s).

1. Boot the server from Server 2008 installation media. Doing so boots the server into the same Windows Preinstallation Environment session that you use to deploy a new Server 2008 instance.

2. At the Install Windows screen, choose Repair your computer at the bottom left. This option starts the Windows Recovery Environment (Windows RE), which lets you perform various repair and recovery tasks on the server. Windows RE tries to determine which OS is installed on the server and requires access to the local disks at this time; if necessary, you can load drivers from CD, DVD, USB, or the floppy drive.

3. After Windows RE finds and selects your OS, click Windows Complete PC Restore to do a full system recovery. The Windows Server Backup restore procedure searches the local, USB, and DVD drives for the disk-based backup media to use as the source for the system recovery. You can also manually connect to a network share to recover the system from a backup stored on a remote machine.

4. Choose the backup source you want to use for the actual recovery operation. A complete recovery wipes all data from the target disk and performs a block-level restore. If your system has multiple volumes, you can choose to recover specific volumes; only those you choose to recover will be erased during the recovery procedure. You’ll be prompted to acknowledge the erasure of all data on the target disk before the recovery proceeds.

5. After completing the restore, the system will automatically reboot the DC and bring it back online. The DC will then synchronize with AD to replicate all changes that were made since the backup was performed.

Combining a full system recovery of a Server 2008 DC with an authoritative restore of objects (e.g., to recover an accidentally deleted object) requires special precautions. You need to ensure that the server boots into DSRM (press F8 during the boot sequence to choose DSRM) immediately after the system recovery is complete (i.e., before replicating with other DCs). Server 2008 still requires DSRM to allow access to the AD database for performing authoritative restores using the Ntdsutil tool. This process hasn’t changed from earlier OS versions.

Performing a System-State Recovery
If you need to recover only AD, you can restore just the DC’s system state. However, a system-state restore requires a fully operational OS. Also, because the Windows Server Backup UI doesn’t support a system-state restore, you need to use the Wbadmin command-line tool. A system-state recovery of a Server 2008 DC is a bit tedious because you must use the command line, but the process is similar to that of restoring the system state of an earlier version of Windows.

1. Boot the DC into DSRM by pressing F8 during the boot sequence and use the recovery password to log on as Administrator. If necessary, you can recover the system state to a brand-new, similarly configured Server 2008 server on which the Windows Server Backup feature is installed.

2. Open a command prompt and locate available backup versions via Wbadmin by using the command

wbadmin get versions -backupTarget:drive_or_share -machine:servername

where drive_or_share is the path to the backup target and servername is the name of the machine being restored. The output will resemble that in Figure 4.

3. From the output, identify the backup version to use for the system-state recovery. You can recover the system state from any backup that lists System State in the Can Recover line. Copy the version identifier (e.g., 01/27/2008-15:18) for use in the next step.

4. Start a system-state recovery of the desired backup version using the following Wbadmin command:

wbadmin Start SystemStateRecovery -version:versionID -backupTarget:drive_or_share -machine:servername

where versionID is the version identifier from the Get Versions output. When prompted, confirm the recovery. Wbadmin will mount the backup’s VHD file and copy the required files to the source drive. Be prepared: A system-state restore can take considerably longer than a full-volume recovery, which is block-based.

5. After recovery, the server will want to reboot. If you want to perform an authoritative restore of AD objects, don’t reboot until you’ve run Ntdsutil with the appropriate options.

6. Reboot the system to replace all files that were in use during recovery. Rebooting takes time, and the server might have to reboot more than once to replace specific files and complete the system-state recovery, but rebooting is an important part of the recovery process. Successful system-state recovery is confirmed by a command prompt at the first logon after rebooting.
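
The version selection in steps 2 through 4, as an added PowerShell example that is not part of the original article: it reads Get Versions output, keeps only versions whose Can Recover line lists System State, and prints the recovery command for the newest one. It assumes PowerShell 2.0 or later and English-language output with the two labels named in step 3; the sample output is constructed, D: is a placeholder target, and W2K8Full04 is the server name from the article's Figure 3.

```powershell
# Added example. $sample is constructed output containing the two fields
# the article tells you to read: "Version identifier" and "Can Recover".
$sample = @'
Backup time: 1/20/2008 3:18 PM
Backup target: Fixed Disk labeled D:
Version identifier: 01/20/2008-15:18
Can Recover: Volume(s), File(s), Application(s)

Backup time: 1/27/2008 3:18 PM
Backup target: Fixed Disk labeled D:
Version identifier: 01/27/2008-15:18
Can Recover: Volume(s), File(s), Application(s), Bare Metal Recovery, System State
'@

function Get-SystemStateVersion {
    param([string[]]$Lines)
    $id = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Version identifier:\s*(\S+)') {
            $id = $Matches[1]
        }
        elseif ($line -match '^\s*Can Recover:\s*(.*)$') {
            $canRecover = $Matches[1]
            # Keep only versions that can restore the system state (step 3).
            if ($id -and $canRecover -match 'System State') {
                # Assumes the MM/dd/yyyy-HH:mm identifier format shown in step 3.
                $time = [datetime]::ParseExact($id, 'MM/dd/yyyy-HH:mm',
                    [Globalization.CultureInfo]::InvariantCulture)
                New-Object PSObject -Property @{ Version = $id; Time = $time }
            }
            $id = $null   # each Can Recover line closes one version entry
        }
    }
}

# Live use: $lines = wbadmin get versions -backupTarget:D: -machine:W2K8Full04
$lines  = $sample -split "`r?`n"
$latest = Get-SystemStateVersion $lines | Sort-Object Time | Select-Object -Last 1
if (-not $latest) { throw 'No backup version lists System State under Can Recover.' }

# Print the recovery command for review rather than running it.
"wbadmin start systemstaterecovery -version:$($latest.Version) -backupTarget:D: -machine:W2K8Full04"
```

With the constructed sample, the first version is skipped because its Can Recover line does not list System State, and the printed command names version 01/27/2008-15:18.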

Forest Recovery Considerations
With this background information, you should be well prepared to plan your own DC backup and recovery. This information might even affect how you plan to set up the volumes used on a DC for data and for backup, because you’ll need a separate target volume for your backups when using the full-system backup method. I recommend performing a volume-based full-system backup over a system-state backup if your DC configuration allows it; a full-system backup is more efficient and lets you perform fast incremental backups. Both methods let you restore just the system state (which is required to restore the AD database on a DC). However, a volume-based system recovery outperforms a file-based system-state recovery.

Forest recovery continues to be a special challenge, which I don’t have room to go into here. But as long as you back up your DCs regularly and have at least two DCs per domain in your forest, you’re prepared to perform a forest recovery as well.

A major benefit of Server 2008 is that ideally you’ll deploy writable DCs only within your well-connected hub sites and use RODCs in all locations outside of your hub data centers that contain DCs. The benefits of using RODCs include a smaller attack surface and improved security for your overall IT infrastructure. However, RODCs also provide benefits from a forest-recovery perspective because they don’t require the same attention as writeable DCs during recovery. RODCs can’t replicate data to the hub, and that makes for a much smoother and faster forest recovery. RODCs help you concentrate on your hubs and recovering your DCs without worrying about interference from remote DCs. After the hubs are online and working, you can tackle the RODCs at the remote sites.

Taming the AD Backup Beast
AD backup and recovery is still a complex process in Server 2008. You have powerful new options to help you with this task, but you need to learn how to use them correctly. In an upcoming article, I’ll explain how VSS snapshots provide a feasible way to recover attribute data from AD, letting you implement a real online recovery of objects that you might have accidentally deleted. I’ll also show you some new options in Server 2008 that help prevent accidental deletion of AD data.


Comments
  • Paul
    4 years ago
    Sep 27, 2008

    Great job. Very useful. Speaking from personal experience the bare metal recovery works better than expected.
