Backing Up AD


Obviously, a number of third-party backup utilities have a lot of management and scripting features as well as centralized control and reporting, but the built-in backup utility, still often referred to as NTBackup, will do the job for most companies.

AD is contained in the system state and can be backed up while the DC or GC is online to a variety of media such as disk, CD/DVD, tape, or a network drive. Naturally, the size of your AD database will influence your choice of media. Backing up AD requires Backup Operator or Administrator privileges because it is held in the system state. To restore the system state, you must be a local Administrator. That is, you will be logged in to the DC in Directory Service Restore Mode (DSRM) as the Administrator. This is the account for which DCPromo prompted you for a password, and if you are like many Administrators, you entered a password and never gave it another thought.

Tip

If you forget the local Administrator or DSRM Administrator password in Windows 2000, there is a procedure to reset it using the setpwd utility as described in Microsoft KB article 239803, "How to Change the Recovery Console Administrator Password on a Domain Controller." In Windows Server 2003, however, you can change the DSRM Administrator password with the NTDSUtil program using the Reset DSRM Administrator Password option in the main menu. Selecting this option puts you at the Set DSRM Password prompt. Select the Reset Password on Server %s option in that menu and follow the prompts to change the password.

This is done without rebooting. If you get a message indicating it was successful, you can reboot into DSRM mode and proceed with the restore.


With a full system state backup of a DC or a GC, you have a number of options for restoring the entire directory, a tree of the directory, or even a single object. The trick is to determine which DCs to back up and what method to use to restore the desired data. The following sections provide details to help you make those decisions.

As noted in "The Disaster Recovery Plan" section, you need to determine what you are going to back up, or more specifically, which DCs you are going to back up. You need only back up the system state to fully recover an AD domain. However, you should always think of the restore and backup of an AD forest as one task, because there are interdependencies between the domains. The system state includes:

  • The system Registry

  • The system startup files

  • SYSVOL

  • The class registration database of COM+ objects

  • The AD:

    • Ntds.dit, the AD database

    • Edb.chk, the checkpoint file

    • Edb*.log, the transaction logs, each 10MB

    • Res1.log and Res2.log, reserved transaction logs

Backing up the Windows Server 2003 OS is necessary only on certain key machines. As you'll see in the "Restore of Active Directory" section, in a worst case, all you need to recover the entire forest is a full backup of one DC from each domain; all other DCs will be rebuilt and DCPromo'd into the new structure. You might want to back up certain key DCs such as the Primary Domain Controller (PDC) Emulator for each domain (see the "Recovery of Operations Masters" section). In Windows 2000, it was also recommended that you back up a DC for each domain in each site, to prevent having to replicate over a Wide Area Network (WAN) to rebuild a DC. However, with Windows Server 2003's Install from Media (IFM) feature, described in Chapter 1, "Introduction to Windows Server 2003 and ProLiant Architecture and Tools," you can simply back up a single DC in each domain and ship the backup to the site on tape, disk, or DVD, or perhaps make it available on an FTP site. You should always back up two DCs in each domain in case one fails (corruption, media problems, and so on). Thus, with the backup of a single DC, a DC in any site could be built from the media, needing to contact a DC across the WAN only to replicate the changes made since the media was created. This is a big deal for restoring GC servers, as noted previously in this chapter and in the "Global Catalog Improvements" section of Chapter 1.

If you are using the built-in Windows Backup utility, you should uncheck the Automatically Backup System Protected Files with System State option, as shown in Figure 11.1, to reduce the size of the backup file by about 400MB. On the Backup tab, after checking the System State box in the left pane, select the Start Backup button. In the Backup Job Information dialog box, select the Advanced button to produce the Advanced Backup Options dialog box. The Automatically backup System Protected Files with the System State check box is checked by default. Uncheck that box. Note that this is the dialog box where you can select the backup type. The AD backup should always be type Normal.

Figure 11.1. Reduce the size of the system state backup by deselecting the Automatically Backup System Protected Files with the System State option when using the Windows 2003 backup utility.
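The selection guidance above (two backed-up DCs per domain, the PDC Emulator as an optional key DC, backup type Normal) can be checked against a backup inventory. The following is an added example, not code from the book; the inventory format, domain names, and DC names are constructed, and treating only Normal-type backups as usable is an assumption drawn from the "always be type Normal" rule.

```python
from collections import defaultdict

# Constructed sample inventory (not from the book): one record per DC.
# backup_type is None when no system state backup exists for that DC.
INVENTORY = [
    {"domain": "corp.example.com", "dc": "DC01", "pdc_emulator": True, "backup_type": "Normal"},
    {"domain": "corp.example.com", "dc": "DC02", "pdc_emulator": False, "backup_type": "Normal"},
    {"domain": "emea.corp.example.com", "dc": "EDC01", "pdc_emulator": True, "backup_type": None},
    {"domain": "emea.corp.example.com", "dc": "EDC02", "pdc_emulator": False, "backup_type": "Incremental"},
    {"domain": "emea.corp.example.com", "dc": "EDC03", "pdc_emulator": False, "backup_type": "Normal"},
    {"domain": "lab.example.com", "dc": "LDC01", "pdc_emulator": True, "backup_type": None},
]

MIN_BACKED_UP_DCS = 2  # "always back up two DCs in each domain"


def audit_backup_coverage(inventory):
    """Return {domain: [findings]} for domains that miss the chapter's guidance."""
    by_domain = defaultdict(list)
    for rec in inventory:
        by_domain[rec["domain"]].append(rec)

    findings = {}
    for domain, dcs in sorted(by_domain.items()):
        issues = []
        # Assumption: only Normal-type system state backups count as usable.
        usable = [d for d in dcs if d["backup_type"] == "Normal"]
        for d in dcs:
            if d["backup_type"] not in (None, "Normal"):
                issues.append(f"{d['dc']}: backup type {d['backup_type']} is not Normal")
        if not usable:
            # Worst-case forest recovery needs one full backup per domain.
            issues.append("no usable system state backup: domain cannot be recovered")
        elif len(usable) < MIN_BACKED_UP_DCS:
            issues.append(f"only {len(usable)} DC backed up, want {MIN_BACKED_UP_DCS}")
        if not any(d["pdc_emulator"] for d in usable):
            issues.append("PDC Emulator is not among the backed-up DCs (optional)")
        if issues:
            findings[domain] = issues
    return findings


if __name__ == "__main__":
    for domain, issues in audit_backup_coverage(INVENTORY).items():
        for issue in issues:
            print(f"{domain}: {issue}")
```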



Windows Server 2003 on Proliants. Deployment Techniques and Management Tools for System Administrators
ISBN: B004C77T6A
EAN: N/A
Year: 2004
Pages: 214
