on 04-22-2011 01:08 PM
Protecting Windows Domain Controllers
Symantec System Recovery 2011 fully supports the backup and recovery of Windows Server 2003 and Windows Server 2008 Active Directory Domain Controllers in either standalone or domain forest environments. Backups created by Symantec System Recovery 2011 are referred to as recovery points. Key supported recovery operations for Active Directory Domain Controllers include the following:
Note: For detailed information on the specific Microsoft server platforms supported by Symantec System Recovery, please consult the Symantec System Recovery Software Compatibility List (SCL) available for download here: http://entsupport.symantec.com/umi/V-306-38.
Volume Shadow Copy Service (VSS) Integration
Symantec System Recovery 2011 (SSR) works in accordance with Microsoft best practices to protect Windows 2003/R2 and Windows 2008/R2 servers, including Active Directory Domain Controllers. Through integration with the Microsoft Volume Shadow Copy Service (VSS), SSR ensures that Active Directory Domain Controller databases are correctly prepared for backup so that the server can be recovered properly.
There are three communicators in the VSS framework:
Within the VSS framework, Symantec System Recovery 2011 (SSR) acts as a requestor. When preparing to capture a snapshot of a volume, SSR sends a message to the VSS writers to prepare the volume and associated VSS-aware processes for backup. This momentarily halts operations and the volume and associated processes enter a ‘silent’ or consistent state that is optimal for backups. Symantec System Recovery 2011 then executes a snapshot of the volume it’s protecting and captures backup data from those snapshots.
Upon completion of the snapshot capture process—only the momentary snapshot process, not the entire backup operation—SSR sends a message to the VSS writer that the snapshot is complete. The writer then notifies the volume and associated VSS-aware processes, and normal operations continue. SSR then proceeds to create recovery points of the protected volumes from the snapshots that have been captured.
The process whereby Symantec System Recovery 2011 (SSR) works with VSS to prepare server volumes and associated VSS-aware processes for backup is fully automated and is invisible to the user.
Note: If the ‘Perform full VSS backup’ advanced option is selected in the Symantec System Recovery backup job wizard, a request will also be sent to the VSS writer to truncate transaction logs (if needed). Using this option is highly recommended.
Resetting Domain Controller Invocation IDs and Preventing USN Rollbacks
An important element of properly backing up a domain controller is ensuring that the backup process handles the resetting of the domain controller’s Invocation ID. Each domain controller in a forest has a different Invocation ID, allowing each domain controller to be properly identified in the forest and allowing replication processes to proceed correctly. If a domain controller is recovered in a forest environment and its Invocation ID has not been reset, a USN rollback can occur, causing replication problems and allowing old data to return to the domain environment.
Symantec System Recovery 2011 integrates with the Microsoft Volume Shadow Copy Service (VSS) to properly prepare domain controllers for backup. During a backup operation, the VSS writer ensures that the backup being created of the domain controller is flagged as a backup copy. If a domain controller is recovered from that backup (either to original hardware, dissimilar hardware, or to a virtual environment via P2V), it will request a new Invocation ID, allowing it to rejoin the domain properly and avoiding replication problems such as USN rollbacks. This process is fully automated and requires no user intervention.
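The following added example (not part of the original article and not Symantec or Microsoft code) is a simplified model of why the Invocation ID reset matters: a replication partner keeps a per-Invocation-ID USN watermark, so a restored domain controller that reuses USNs under its old ID is silently ignored. The DC class, the scenario function and the object names are constructed for illustration.

```python
import copy
import uuid

class DC:
    """Toy domain controller: one invocation ID and one local USN counter."""
    def __init__(self, name):
        self.name = name
        self.invocation_id = uuid.uuid4().hex
        self.usn = 0
        self.changes = []   # (originating invocation ID, originating USN, object)
        self.utd = {}       # watermark table: invocation ID -> highest USN seen

    def write(self, obj):
        self.usn += 1
        self.changes.append((self.invocation_id, self.usn, obj))
        self.utd[self.invocation_id] = self.usn

    def pull_from(self, source):
        """Take only changes above our watermark for each originating ID."""
        for inv, usn, obj in list(source.changes):
            if usn > self.utd.get(inv, 0):
                self.changes.append((inv, usn, obj))
                self.utd[inv] = usn

    def objects(self):
        return {obj for _, _, obj in self.changes}

def restore(backup, reset_invocation_id):
    dc = copy.deepcopy(backup)
    if reset_invocation_id:              # what a backup-aware restore triggers
        dc.invocation_id = uuid.uuid4().hex
    return dc

def scenario(reset_invocation_id):
    """Return (DC1 objects, DC2 objects) after a restore and one sync each way."""
    dc1, dc2 = DC("DC1"), DC("DC2")
    for obj in ("user-a", "user-b", "user-c"):
        dc1.write(obj)
    backup = copy.deepcopy(dc1)          # image taken at USN 3
    dc1.write("user-d")
    dc1.write("user-e")
    dc2.pull_from(dc1)                   # DC2's watermark for DC1 is now 5
    dc1 = restore(backup, reset_invocation_id)
    dc1.write("user-x")                  # reuses USN 4
    dc1.write("user-y")                  # reuses USN 5
    dc2.pull_from(dc1)
    dc1.pull_from(dc2)
    return dc1.objects(), dc2.objects()

if __name__ == "__main__":
    print("no reset:", scenario(False))  # the two DCs diverge, no error raised
    print("reset:   ", scenario(True))   # both DCs converge on all seven objects
```

Without the reset, neither side reports an error, which is why a USN rollback can go unnoticed until the directory contents are compared.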
Best Practices When Protecting Active Directory Domain Controllers
Please consider the following recommendations and best practices when protecting Active Directory Domain Controllers with Symantec System Recovery 2011:
Restoring an Active Directory Domain Controller to Dissimilar Hardware
Symantec System Recovery 2011 can be used to restore Windows 2003 or Windows 2008/R2 Active Directory Domain Controllers to dissimilar hardware configurations. As described above, Symantec System Recovery 2011 interacts with the VSS service to prepare the domain controller and the Active Directory database for backup. Running with VSS disabled is not supported and causes domain controller failures upon restoration.
Automatic Detection and Installation of Critical Hardware Drivers
During a dissimilar hardware recovery operation, Symantec System Recovery’s Restore Anyware feature automatically detects and installs the following key driver elements of the new server hardware configuration to ensure the Active Directory Domain Controller functions properly under the new hardware configuration:
Windows Mini-setup
In addition, during a dissimilar hardware restore operation, Symantec System Recovery 2011 updates the volumes it is restoring such that the Windows mini-setup process will run during the first post-restore boot event. The Windows mini-setup process detects additional hardware changes and performs similar tasks that aid in the dissimilar hardware restore process.
Converting Active Directory Domain Controller Recovery Points to Virtual Format
Symantec System Recovery 2011 can also be used to convert recovery points of Windows 2003 or Windows 2008 Active Directory Domain Controllers to virtual format, including VMware (.VMDK) and Microsoft (.VHD).
Automatic Detection and Installation of Virtual Hardware Drivers
During a virtual conversion operation, Symantec System Recovery’s Restore Anyware feature automatically detects and installs the required virtual driver elements of the selected virtual platform into the virtual disk file being created. This virtual driver injection process is very similar to the process used to restore recovery points to dissimilar physical hardware configurations. The process of injecting key virtual drivers for the selected virtual technology ensures the Active Directory Domain Controller will boot and function properly while running in virtual mode. The virtual drivers added include the following:
Virtual Platform | Drivers Added During P2V |
VMware vSphere | • LSI SCSI Adapter (LSI_SAS.SYS) • VMware SCSI Adapter (vmscsi.sys) • VMware VMXNET NDIS driver (vmxnet.sys) |
Microsoft Hyper-V | • LSI Logic Fusion-MPT (TM) Driver • LSI Pseudo Device |
Windows Mini-setup
In addition, during a virtual conversion operation, Symantec System Recovery 2011 updates the volumes it is converting such that the Windows mini-setup process will run during the first post-restore boot event. The Windows mini-setup process detects additional virtual hardware components of the virtual machine and performs other tasks that aid in the virtual conversion process.
Summary
Symantec System Recovery 2011 fully supports the backup and recovery of Windows Server 2003 and Windows Server 2008 Active Directory Domain Controllers. This includes the ability to restore a domain controller to a bare metal configuration, to recover a domain controller to a dissimilar hardware configuration, to convert a recovery point of a domain controller to virtual disk format, and even to restore granular file and folder data from a domain controller recovery point.
Through integration with the Microsoft Volume Shadow Copy Service and the inclusion of the Restore Anyware feature, Symantec System Recovery ensures that domain controller volumes are properly protected and that the servers will boot and function correctly after a recovery or conversion event.
For More Information on Symantec System Recovery 2011
Product Website
Symantec Support Portal
Software Compatibility List
Related Microsoft Articles
Tombstone Lifetime
Maximum Password Age