
Backup Exec - Active Directory Recovery Scenarios

Mike85
Level 3

Hi,

I am currently looking into creating a procedure for recovering AD under different scenarios:

  • Total loss of all DCs
  • AD corruption replicated throughout DCs
  • Accidental Deletion - This can be done using the correct licence and GRT.

In this environment, all the DCs are Virtual.

I have looked at a few different articles but all seem to vaguely reference Microsoft KBs for further research and not be that clear.

As I look after a few different environments, I deal with different backup technologies. One of them (I don't know if I can mention the name) has one KB that covers all the above scenarios and is mostly done via the backup software with relatively little user input (there are a couple of reg edits).

Does BE offer similar functionality with AD restores being carried out primarily via the BE console with little to no user input? If so can you point me in the right direction for the KB?

Thanks

 


4 REPLIES

Colin_Weaver
Moderator
Employee Accredited Certified

So forgetting backups for a minute, loss of 1 DC in a multi-DC environment can usually be handled by understanding where your FSMO roles are (promoting an existing DC to take these if you lost the FSMO owner) and then just provisioning a new VM, promoting it to a DC and letting replication take its correct course.

For total loss of all DCs, then if all your DCs are virtual, do VM backups with GRT enabled on at least 2 of the DCs and you can recover the DCs relatively quickly (restore the FSMO and DNS servers first if you can).

 

AD corruption kind of depends on the nature of the corruption - it could be just a case of determining the last VM backup before the corruption, restoring a DC (FSMO owner recommended) and making it authoritative before the other DCs can replicate into it (or restoring the FSMO owner and building new virtual DCs as members to avoid any possibility). This would of course take the patch level on the restored DC back to whatever it was before the corruption too (which might be a good thing), but would also take the machine accounts of the computers and servers in the network back to the time of the backup (which might mean some extra work resyncing machine accounts for affected systems).

However there could be other types of AD corruption where a GRT restore of specific objects might be a better option.

Accidental deletion of objects in AD is handled by GRT (hence do some GRT backups).

A couple of further points:

1) Make sure you know how to get your Backup Exec Server up and running if you lost this server.

2) If using tapes or removable disks, try to keep records outside of Backup Exec of which critical backups used which tapes on which dates (covering at least the BE server, the FSMO owner DC, and potentially your mail and finance servers or other business critical servers.) If you do this and have lost the BE server as well as other critical servers it can help minimize how many tapes you have to work with manually to get operational. Once you get the BE catalogs and database restored into an operational BE server, you should be able to work out any required tapes etc.
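
The reply above relies on knowing where the FSMO roles and DNS servers are and on keeping recovery records outside of Backup Exec. The script below is an added example, not part of the thread or of Backup Exec: it assumes the ActiveDirectory RSAT module is installed, and the output path is a hypothetical placeholder.

```powershell
# Added example: snapshot FSMO owners and DC roles to a file kept outside AD and Backup Exec.
# Assumes the ActiveDirectory RSAT module and an account with read access to the domain.
# $OutFile is a hypothetical path; point it at storage that survives loss of the DCs.
param(
    [string]$OutFile = ".\ad-recovery-inventory.json"
)

Import-Module ActiveDirectory -ErrorAction Stop

$forest = Get-ADForest
$domain = Get-ADDomain

# Name servers for the domain zone, used to flag which DCs also host DNS.
$dnsHosts = @(Resolve-DnsName -Name $domain.DNSRoot -Type NS -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'NS' } |
    ForEach-Object { $_.NameHost.TrimEnd('.').ToLower() })

$dcs = Get-ADDomainController -Filter * | ForEach-Object {
    [pscustomobject]@{
        HostName        = $_.HostName
        Site            = $_.Site
        IPv4Address     = $_.IPv4Address
        OperatingSystem = $_.OperatingSystem
        IsGlobalCatalog = $_.IsGlobalCatalog
        IsReadOnly      = $_.IsReadOnly
        HostsDns        = $dnsHosts -contains $_.HostName.ToLower()
        FsmoRoles       = @($_.OperationMasterRoles | ForEach-Object { $_.ToString() })
    }
}

# Restore order suggested in the reply: FSMO owners and DNS servers first.
$restoreOrder = $dcs |
    Sort-Object @{ Expression = { $_.FsmoRoles.Count }; Descending = $true },
                @{ Expression = { $_.HostsDns }; Descending = $true },
                HostName |
    Select-Object -ExpandProperty HostName

[pscustomobject]@{
    CollectedUtc       = (Get-Date).ToUniversalTime().ToString('o')
    Forest             = $forest.Name
    Domain             = $domain.DNSRoot
    SchemaMaster       = $forest.SchemaMaster
    DomainNamingMaster = $forest.DomainNamingMaster
    PDCEmulator        = $domain.PDCEmulator
    RIDMaster          = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    RestoreOrder       = @($restoreOrder)
    DomainControllers  = @($dcs)
} | ConvertTo-Json -Depth 4 | Set-Content -Path $OutFile -Encoding UTF8
```

Run it on a schedule and keep the resulting file alongside the tape records, so the restore order can be read without a working DC.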

 

 

 

 

 

 

Thanks for the quick reply Colin and valid points. 

I understand how to recover individual AD objects using GRT but am less sure about the complete AD recovery scenarios.

I was looking for a KB that walked through a step-by-step simplified process of full AD recovery specific to using BE.

I was also looking for more information about how BE handles DCs differently to other hosts, if at all. For instance, if you restore an entire DC will it automatically reboot into DSRM and then reboot as normal? If the DC is a VM so SDR isn't available, do you just recover the entire VM?

Thanks again!

Colin_Weaver
Moderator
Employee Accredited Certified

You have to put the system into Authoritative mode; BE does not do that for you.

BE just restores either the System State or the complete VM (either of which contain AD at a point in time). How you then make the result authoritative is then an MS issue and you should look at MS articles for authoritative vs non-authoritative, as we don't really write in-depth articles covering concepts that are really the OS/Microsoft's.

And yes, for a VM you would recover the complete VM (instead of the System State) but then take steps to put it into Authoritative before you let it communicate with other DCs (if you need the restore to be authoritative).

 

 

Thanks for clearing that up!