Need advice & ideas on taking an AD backup manually
-
Saturday, March 31, 2012 1:53 PM
Hi,
I want to create a backup and restore app, so I need to store the AD objects (users, computers, groups & contacts).
On backup:
While taking the backup copy of any object, what are the essential properties that need to be saved, and which properties are not worth saving?
On restore:
If I want to restore the deleted objects, I have to create a new object with the same set of attributes except some unique properties, so the SID & GUID will be different anyway. Will it cause any issue?
All Replies
-
Saturday, March 31, 2012 5:06 PM
In the case of a domain controller backup and restore, the file which contains the AD database is called ntds.dit (%SystemRoot%\ntds\NTDS.DIT). The ntds.dit file is the heart of Active Directory, including user accounts. Active Directory's database engine is the Extensible Storage Engine (ESE). Backup programs back this file up as part of the system state backup. Additionally, a system state backup also contains the SYSVOL folder under the system root, which holds all the Group Policy objects.
Refer to this article for details:
Active Directory Backup and Restore
http://technet.microsoft.com/en-us/library/bb727048.aspx
Are you developing a custom application for AD object-level backup/restore?
-
Sunday, April 01, 2012 7:10 AM
Hi Sachin,
I don't want to back up the entire AD; I am going to back up the AD objects (users, computers, groups, contacts) in a particular OU.
-
Sunday, April 01, 2012 10:26 AM
I thought so!
Visit this link for a complete list of user attributes that you may want to consider backing up:
User Attributes - Inside Active Directory
http://www.kouti.com/tables/userattributes.htm
Similarly, you can use adsiedit.msc (a default tool on DCs) to get the attribute list for other object classes like computer accounts, groups etc. You will find help on adsiedit.msc here:
http://technet.microsoft.com/en-us/library/cc773354%28v=ws.10%29.aspx
HTH
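As an added example (not code from the thread, from Microsoft or from the kouti.com list), the following PowerShell script answers the "which properties are worth saving" question in working form: it exports the user, computer, group and contact objects of one OU to JSON, and splits each object's attributes into those a new object can be given again and those the directory generates itself (objectSid, objectGUID, USNs, timestamps, back-links such as memberOf), which are kept only for auditing. It assumes the RSAT ActiveDirectory module; the OU and the output path are placeholders.

```powershell
# Added example, not code from the thread. Needs the ActiveDirectory module (RSAT);
# the OU and the output path are placeholders.
Import-Module ActiveDirectory

$SearchBase = 'OU=Finance,DC=example,DC=com'   # placeholder OU to back up
$OutFile    = 'C:\Backup\ou-objects.json'      # placeholder output path

# Attributes the directory owns: generated by the DC, computed by the cmdlets, or
# back-links. A recreated object can never be given the old values, so they are
# kept under "Metadata" for auditing and matching, never for replay.
$SystemOwned = 'objectSid', 'SID', 'objectGUID', 'uSNCreated', 'uSNChanged', 'whenCreated',
    'whenChanged', 'createTimeStamp', 'modifyTimeStamp', 'distinguishedName', 'canonicalName',
    'sAMAccountType', 'primaryGroupID', 'memberOf', 'lastLogon', 'lastLogonTimestamp',
    'logonCount', 'badPwdCount', 'badPasswordTime', 'pwdLastSet', 'dSCorePropagationData',
    'instanceType', 'nTSecurityDescriptor', 'replPropertyMetaData', 'objectCategory',
    'isCriticalSystemObject', 'Deleted', 'Created', 'Modified', 'ProtectedFromAccidentalDeletion',
    'sDRightsEffective'

# computer is a subclass of user, so (objectClass=user) also matches computers; each object
# is still returned once and ObjectClass reports the most specific class.
$Filter = '(|(objectClass=user)(objectClass=group)(objectClass=contact))'

function Convert-AttributeValue {
    # Make an AD value JSON-friendly. Returns $null for raw binary so the caller can
    # store it separately as Base64.
    param($Value)
    if ($Value -is [byte[]]) { return $null }
    if ($Value -is [System.Security.Principal.SecurityIdentifier]) { return $Value.Value }
    if ($Value -is [System.DirectoryServices.ActiveDirectorySecurity]) {
        return $Value.GetSecurityDescriptorSddlForm('All')
    }
    if ($Value -is [guid])     { return $Value.Guid }
    if ($Value -is [datetime]) { return $Value.ToString('o') }
    if ($Value -is [System.Collections.IEnumerable] -and $Value -isnot [string]) {
        # multi-valued attribute: flatten to an array of strings
        return @($Value | ForEach-Object {
            if ($_ -is [byte[]]) { [Convert]::ToBase64String($_) } else { "$_" }
        })
    }
    return $Value
}

$Export = foreach ($obj in Get-ADObject -LDAPFilter $Filter -SearchBase $SearchBase -Properties *) {
    $Attributes = [ordered]@{}
    $Binary     = [ordered]@{}
    $Metadata   = [ordered]@{}
    foreach ($name in $obj.PropertyNames) {
        $raw = $obj.$name
        if ($null -eq $raw) { continue }
        if ($raw -is [System.Collections.ICollection] -and $raw.Count -eq 0) { continue }
        $value = Convert-AttributeValue $raw
        if ($SystemOwned -contains $name) {
            $Metadata[$name] = if ($null -eq $value) { [Convert]::ToBase64String($raw) } else { $value }
        } elseif ($null -eq $value) {
            $Binary[$name] = [Convert]::ToBase64String($raw)    # e.g. thumbnailPhoto
        } else {
            $Attributes[$name] = $value
        }
    }
    [pscustomobject]@{
        Class      = $obj.ObjectClass
        Name       = $obj.Name
        # parent container; the regex honours backslash-escaped commas in the RDN
        ParentDN   = $obj.DistinguishedName -replace '^(?:\\.|[^,\\])+,', ''
        Attributes = $Attributes
        Binary     = $Binary
        Metadata   = $Metadata
    }
}

$Export | ConvertTo-Json -Depth 6 | Set-Content -Path $OutFile -Encoding UTF8
"Exported $(@($Export).Count) objects from $SearchBase to $OutFile"
```

Two things the split makes visible: unicodePwd is never readable over LDAP, so no object-level export can carry passwords, and memberOf is a back-link maintained by the groups, so membership has to be restored from the group side rather than written onto the recreated object.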
-
Sunday, April 01, 2012 1:47 PM
There is no way to back up only an OU, but you can use the Active Directory Recycle Bin for restoring deleted items (the forest functional level should be 2008 R2). Otherwise you have to get the system state backup. But using some backup software such as Symantec Backup Exec you can restore OUs, users and computers.
More about the AD Recycle Bin:
http://darshanaj.wordpress.com/2011/11/29/active-directory-recycle-bin/
Darshana Jayathilake
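As an added example (not code from the thread or from the linked blog), this PowerShell function shows the Recycle Bin route described above, with the two checks a practitioner needs before relying on it: that the optional feature is actually enabled in the forest, and that the deleted object is still inside the deleted-object lifetime (the "TSL period" later replies mention), after which it has been garbage-collected and only a backup helps. It assumes the ActiveDirectory module and a 2008 R2 forest functional level; the OU is a placeholder.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module and a forest
# with the Recycle Bin feature enabled (2008 R2 forest functional level).
Import-Module ActiveDirectory

function Restore-DeletedOUObjects {
    param(
        [Parameter(Mandatory)][string]$LastKnownParent,   # e.g. 'OU=Finance,DC=example,DC=com' (placeholder)
        [switch]$WhatIf
    )

    # Without the feature a deleted object is only a tombstone with most attributes stripped,
    # and Restore-ADObject cannot bring membership and other attributes back.
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    if (-not $feature.EnabledScopes) {
        throw 'Recycle Bin is not enabled in this forest; fall back to a system state backup.'
    }

    # Deleted objects survive for msDS-DeletedObjectLifetime days (tombstoneLifetime if unset);
    # anything older has been garbage-collected and is only recoverable from backup.
    $config = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$config" `
            -Properties msDS-DeletedObjectLifetime, tombstoneLifetime
    $lifetime = if ($ds.'msDS-DeletedObjectLifetime') { $ds.'msDS-DeletedObjectLifetime' } else { $ds.tombstoneLifetime }
    $cutoff = (Get-Date).AddDays(-$lifetime)

    # Direct children of the OU only: lastKnownParent is a DN attribute, which LDAP cannot
    # wildcard-search, so a deleted sub-OU must be restored before its own children.
    $deleted = Get-ADObject -Filter 'isDeleted -eq $true -and lastKnownParent -eq $LastKnownParent' `
                   -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, objectClass

    # whenChanged of a deleted object is the moment of deletion.
    foreach ($obj in $deleted | Where-Object { $_.whenChanged -gt $cutoff }) {
        # The RDN of a deleted object is "<name>" + 0x0A + "DEL:<guid>"; keep the part before the newline.
        $original = ($obj.Name -split "`n")[0]
        $rdn      = if ($obj.ObjectClass -eq 'organizationalUnit') { "OU=$original" } else { "CN=$original" }
        $liveDN   = "$rdn,$($obj.lastKnownParent)"
        if (Get-ADObject -Filter 'distinguishedName -eq $liveDN' -ErrorAction SilentlyContinue) {
            Write-Warning "Skipping ${original}: a live object already exists at $liveDN"
            continue
        }
        Restore-ADObject -Identity $obj.ObjectGUID -WhatIf:$WhatIf
        [pscustomobject]@{
            Name       = $original
            Class      = $obj.ObjectClass
            RestoredTo = $liveDN
            DeletedAt  = $obj.whenChanged
        }
    }
}

# Usage with a placeholder OU; drop -WhatIf to actually restore.
Restore-DeletedOUObjects -LastKnownParent 'OU=Finance,DC=example,DC=com' -WhatIf
```

Restore-ADObject brings the object back with its original objectSid and objectGUID, which is exactly what recreating the object from a saved attribute list cannot do; the live-object check matters because a recreated replacement with the same name would block the restore.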
-
Monday, April 02, 2012 1:50 AM
Hi Sachin,
I don't want to back up the entire AD; I am going to back up the AD objects (users, computers, groups, contacts) in a particular OU.
Hi,
Active Directory is only aware of the SYSTEM STATE backup, hence backing up a particular AD object is not sufficient and not possible. NTDS.DIT and the SYSVOL folder are required, and on a domain controller the backup option for AD is the system state.
Read this, "So what's a system state backup anyway?":
https://msmvps.com/blogs/bradley/archive/2005/05/08/46129.aspx
Backing up an AD object is not possible. However, you could restore a particular deleted object using an authoritative restore or using the AD Recycle Bin feature (Windows Server 2008 R2 FFL is required).
Scenario Overview for Restoring Deleted Active Directory Objects:
http://technet.microsoft.com/en-us/library/dd379542(WS.10).aspx
Best Regards,
Abhijit Waikar.
MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog
-
Monday, April 02, 2012 5:56 AM
You cannot take a backup of particular AD objects.
You will have to take a system state backup, and then you can perform an authoritative restore to restore selected AD objects (for example user accounts, computer accounts, OUs etc.).
Authoritative Restore
Following are the components of a system state backup. These are the minimum things a successful backup should have. Without these you cannot perform a restoration in AD.
- System Registry
- COM + Database
- Certificate Services
- Active Directory
- SysVol
- IIS Metabase
Refer to the link below to understand system state backup.
http://www.windowsitpro.com/article/dns/system-state-components
However, you can use tools like LDP.exe and ADRestore.exe to restore deleted AD objects on Windows Server 2003 or Windows Server 2008 domain controllers without taking a backup.
Note: to restore deleted AD objects using LDP.exe or ADRestore.exe, the AD objects should be within their tombstone lifetime.
AD tombstone objects:
http://www.windowsitpro.com/article/windows-server-2003/ad-tombstone-objects
Using LDP.exe:
If you are using the LDP.exe tool to restore a deleted user object, you have to enable the user account after the restore, as the restored user account will be disabled.
ADRestore:
Hope this helps.
Regards,
_Prashant_
MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com
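As an added example (not code from the thread, from LDP.exe or from ADRestore), the PowerShell function below sends the same two attribute changes that the LDP.exe tombstone-reanimation procedure makes, removing isDeleted and replacing distinguishedName with the old location, over LDAP with System.DirectoryServices.Protocols, under the Show Deleted Objects control. Only the handful of attributes a tombstone keeps come back, which is why the account is disabled afterwards, as the post says. The server name, search base and account name are placeholders.

```powershell
# Added example, not from the thread: the LDP.exe "reanimate tombstone" modify sent over LDAP.
# Works on any DC within the tombstone lifetime; no Recycle Bin and no backup required.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Restore-Tombstone {
    param(
        [Parameter(Mandatory)][string]$Server,          # e.g. 'dc01.example.com' (placeholder)
        [Parameter(Mandatory)][string]$SearchBase,      # e.g. 'DC=example,DC=com' (placeholder)
        [Parameter(Mandatory)][string]$SamAccountName,  # deleted user to bring back (placeholder)
        [switch]$WhatIf
    )
    $ns   = 'System.DirectoryServices.Protocols'
    $conn = New-Object "$ns.LdapConnection" $Server
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.Signing = $true   # integrity-protect the session
    $conn.SessionOptions.Sealing = $true   # encrypt the session
    $conn.Bind()                           # current Windows credentials (Negotiate)

    # Tombstones are invisible unless the Show Deleted Objects control (1.2.840.113556.1.4.417) is sent.
    # sAMAccountName is one of the attributes a tombstone retains, so it can be searched on.
    $filter = "(&(isDeleted=TRUE)(objectClass=user)(sAMAccountName=$SamAccountName))"
    $search = New-Object "$ns.SearchRequest" -ArgumentList $SearchBase, $filter, 'Subtree', `
                  ([string[]]@('cn', 'lastKnownParent'))
    $search.Controls.Add((New-Object "$ns.ShowDeletedControl")) | Out-Null
    $found = $conn.SendRequest($search).Entries
    if ($found.Count -ne 1) { throw "Expected exactly one tombstone for $SamAccountName, found $($found.Count)" }
    $entry = $found[0]

    # cn on a tombstone is "<name>" + 0x0A + "DEL:<guid>"; the original name is before the newline.
    $cn     = ($entry.Attributes['cn'].GetValues([string])[0] -split "`n")[0]
    $parent = $entry.Attributes['lastKnownParent'].GetValues([string])[0]
    $newDn  = "CN=$cn,$parent"

    $mod = New-Object "$ns.ModifyRequest"
    $mod.DistinguishedName = $entry.DistinguishedName
    $removeDeleted = New-Object "$ns.DirectoryAttributeModification"
    $removeDeleted.Name = 'isDeleted'
    $removeDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
    $moveBack = New-Object "$ns.DirectoryAttributeModification"
    $moveBack.Name = 'distinguishedName'
    $moveBack.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    $moveBack.Add($newDn) | Out-Null
    $mod.Modifications.Add($removeDeleted) | Out-Null
    $mod.Modifications.Add($moveBack) | Out-Null
    $mod.Controls.Add((New-Object "$ns.ShowDeletedControl")) | Out-Null

    if ($WhatIf) { return "Would reanimate $($entry.DistinguishedName) as $newDn" }
    $result = $conn.SendRequest($mod)     # throws DirectoryOperationException on an LDAP error
    if ($result.ResultCode -ne 'Success') { throw "Reanimation failed: $($result.ResultCode) $($result.ErrorMessage)" }
    return $newDn
}

# Usage with placeholders. The reanimated user is disabled and has no password; afterwards:
#   Set-ADAccountPassword -Identity jdoe -Reset; Enable-ADAccount -Identity jdoe
Restore-Tombstone -Server 'dc01.example.com' -SearchBase 'DC=example,DC=com' -SamAccountName 'jdoe' -WhatIf
```

The caller needs the "Reanimate Tombstones" control access right on the naming context, and because the modify keeps the original objectGUID and objectSid, group memberships that referenced the old SID (including SIDs on ACLs) resolve again, which a recreated account with a new SID would not get.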
-
Monday, April 02, 2012 6:30 AM
Have a look at the article below.
http://social.technet.microsoft.com/wiki/contents/articles/how-to-manage-our-environment-ad-restoration-without-any-downtime-of-any-dc.aspx
Best regards, Biswajit Biswas
MCP 2003, MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
-
Monday, April 02, 2012 11:45 AM
There is no way to specifically back up an OU or only objects (users, groups, etc.). You can use a system state backup to restore AD or objects, or you can use a third-party backup application like Symantec Backup Exec, etc.
Since you want to back up AD and restore objects, you can back up the system state using ntbackup (Win2003) or wbadmin (Win2008). The same can be used to restore the entire AD or individual objects (users/computers/groups) etc.
SystemState Backup
http://technet.microsoft.com/en-us/library/cc787254(v=ws.10).aspx (Win2003)
http://technet.microsoft.com/en-us/library/cc753201.aspx (Win2003)
Authoritative / Non-Authoritative Restore in Windows 2008
http://sandeshdubey.wordpress.com/2011/10/09/authoritative-non-authoritative-restore-in-windows2008/
Authoritative / Non-Authoritative Restore in Windows 2003
http://technet.microsoft.com/en-us/library/cc784922(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc779573(v=ws.10).aspx
Scenario Overview for Restoring Deleted Active Directory Objects
http://technet.microsoft.com/en-us/library/dd379542(WS.10).aspx
The AD Recycle Bin: Understanding, Implementing, Best Practices, and Troubleshooting
http://blogs.technet.com/b/askds/archive/2009/08/27/the-ad-recycle-bin-understanding-implementing-best-practices-and-troubleshooting.aspx
Also ensure that you have at least two DCs; with a single DC you are always at risk. Officially, system state backup is not supported on different hardware; it is to be used on the same or similar system, but there are scenarios where it doesn't work on a similar system either, due to driver version differences.
Hope this helps.
Best Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator | My Blog
-
Monday, April 02, 2012 12:02 PM (Moderator)
Active Directory uses a database for the storage of its objects. Similar to SQL Server, you can't pick and choose what objects you can restore to any point in time without keeping the entire DB with all of its metabase. So when you decide you want to protect your enterprise, you will need to back up ALL of the system state on your DC(s). The reason I point out two or more DCs is that, if you have a bad tape drive, or something else in the backup procedure is failing (and you are unaware), when you go to the backup the recovery may not work as expected. So if you can afford to get backups from two separate DCs, that is best. You do have at least two DCs in your structure, I hope. :-)
When it is time to do a restoration and you are only interested in a single object or several objects, you will need to do an authoritative restore. The way this is done is that you restore an entire database from one of the backups you want to roll back to. Then you need to set objects within the restored database as authoritative, so that when you reconnect this restored database to your domain they don't all get overwritten by the most current objects within the domain from the other participating DCs.
http://technet.microsoft.com/en-us/library/cc779573(v=WS.10).aspx
--
Paul Bergson
MVP - Directory Services
MCITP: Enterprise Administrator
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com Twitter @pbbergs
http://blogs.dirteam.com/blogs/paulbergson
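As an added example (not code from the thread or from Microsoft), the PowerShell function below puts the procedure of the last two replies into one runnable unit for Windows Server 2008 and later: it warns when the domain has only one DC, takes the system state backup with wbadmin, reads back the version identifier, and returns the commands that complete an authoritative restore of one OU from Directory Services Restore Mode. It assumes the ActiveDirectory module and the Windows Server Backup feature; the target volume and OU are placeholders.

```powershell
# Added example, not from the thread. Assumes Windows Server 2008+ with the Windows Server
# Backup feature and the ActiveDirectory module; volume and OU are placeholders.
Import-Module ActiveDirectory

function Invoke-DcSystemStateBackup {
    param(
        [Parameter(Mandatory)][string]$BackupTarget,   # e.g. 'E:' (placeholder) - not the system/NTDS volume
        [Parameter(Mandatory)][string]$OuDN            # e.g. 'OU=Finance,DC=example,DC=com' (placeholder)
    )
    # A single DC is also a single point of failure for the backup itself.
    $dcs = @(Get-ADDomainController -Filter *)
    if ($dcs.Count -lt 2) {
        Write-Warning "Only $($dcs.Count) domain controller found; a backup from a second DC protects against a bad backup."
    }

    # System state = registry, COM+ class registration database, SYSVOL, ntds.dit and the rest,
    # always together; wbadmin has no option to back up ntds.dit or an OU on its own.
    & wbadmin.exe start systemstatebackup "-backupTarget:$BackupTarget" -quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }

    # The newest version identifier is the one the recovery command in DSRM needs.
    $versions = & wbadmin.exe get versions "-backupTarget:$BackupTarget"
    $match = $versions | Select-String 'Version identifier:\s*(\S+)' | Select-Object -Last 1
    if (-not $match) { throw "No backup version found on $BackupTarget" }
    $version = $match.Matches[0].Groups[1].Value

    [pscustomobject]@{
        Version      = $version
        Target       = $BackupTarget
        # Run after restarting into Directory Services Restore Mode (bcdedit /set safeboot dsrepair).
        # Restoring one OU still means restoring the whole database and then marking the subtree
        # authoritative so it wins replication against the other DCs instead of being overwritten.
        DsrmCommands = @(
            "wbadmin start systemstaterecovery -version:$version -backupTarget:$BackupTarget -quiet",
            "ntdsutil `"activate instance ntds`" `"authoritative restore`" `"restore subtree $OuDN`" quit quit",
            'bcdedit /deletevalue safeboot',
            'shutdown /r /t 0'
        )
    }
}

$result = Invoke-DcSystemStateBackup -BackupTarget 'E:' -OuDN 'OU=Finance,DC=example,DC=com'
"Backup version $($result.Version) on $($result.Target). Authoritative restore of the OU from DSRM:"
$result.DsrmCommands
```

The ntdsutil step is what makes the restored objects win: it raises their version numbers so the other DCs accept them, and the objects keep their original SIDs and GUIDs, which is the property a recreated object cannot have.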
-
Monday, April 02, 2012 12:03 PM
Hello Everyone!
I completely agree with all of you that AD is backed up ONLY as part of the SYSTEM STATE backup; there is no argument. However, in this thread, as per the asker, he is developing a test AD backup/restore app/program and thus wanted to know what important attributes/classes he should consider for his design. This is the reason why I referred him to the links to the AD class attribute lists.
Once again AD only supports native system state backup/restore.
Thanks for your understanding!
-
Monday, April 02, 2012 12:07 PM (Moderator)
Doesn't matter, he can't re-add a previously used GUID or SID; AD won't let him. There are specific API calls that will have to be followed; if he is ever able to get pieces of this restored he runs the risk of USN rollback or worse.
--
Paul Bergson
MVP - Directory Services
MCITP: Enterprise Administrator
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com Twitter @pbbergs
http://blogs.dirteam.com/blogs/paulbergson
-
Monday, April 02, 2012 1:04 PM (Moderator)
Do you really need such an app with the functionality you are looking for? Because with the Windows 2008 R2 AD Recycle Bin feature (minimum prerequisite Windows 2008 R2 FFL) you can restore deleted objects along with their membership (the object has to be in the TSL period), which was not possible with down-level OSes. You don't even require a system state backup, but yes, the object has to fall within the TSL (tombstone lifetime) period.
Awinish Vishwakarma - MVP-DS
My Blog: awinish.wordpress.com
-
Monday, April 02, 2012 1:48 PM
Doesn't matter, he can't re-add a previously used GUID or SID; AD won't let him. There are specific API calls that will have to be followed; if he is ever able to get pieces of this restored he runs the risk of USN rollback or worse.
--
Paul Bergson
MVP - Directory Services
MCITP: Enterprise Administrator
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com Twitter @pbbergs
http://blogs.dirteam.com/blogs/paulbergson
I agree!
But why not let the guy try his luck :)
-
Monday, April 02, 2012 2:08 PM
Q. Bin Hex has mentioned: "If I want to restore the deleted objects, I have to create a new object with the same set of attributes except some unique properties, so the SID & GUID will be different anyway. Will it cause any issue?"
It seems that Bin wanted to create a new object with the same set of attributes (without SID and GUID), which is possible, and this will definitely not cause an issue in AD. But the profile will change, though the name is the same. From the Exchange point of view, if the mailbox is not deleted, it can be linked to the newly created user object.
If he is trying to restore the object attributes from the deleted object (from backup) to a newly created object in AD, this may not be possible to achieve. I think the best bet is to restore the object from backup instead of creating a new account.
Best Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator | My Blog
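As an added example (not code from the thread), this PowerShell script does what the post above describes, recreating objects from a saved attribute set, and makes the SID/GUID point concrete: every object is created new, so the report shows the old objectSid beside the new one. It assumes the ActiveDirectory module and a JSON file in which each record carries Class, Name, ParentDN, Attributes (settable values), Binary (Base64 values) and Metadata (objectSid, memberOf and other system-owned values); that layout and the file path are assumptions of this example.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module; the input path and
# the record layout (Class, Name, ParentDN, Attributes, Binary, Metadata) are assumptions.
Import-Module ActiveDirectory

$InFile = 'C:\Backup\ou-objects.json'   # placeholder

# Exported as writable but not settable on a new object: fixed at creation, computed, or in
# the case of userAccountControl dependent on a password that was never exported (unicodePwd
# is not readable), so users and computers are created disabled.
$SkipOnCreate = 'objectClass', 'objectCategory', 'cn', 'name', 'userAccountControl', 'msDS-parentdistname'

function Restore-ExportedObject {
    param([Parameter(Mandatory)]$Record)   # one record from the JSON file

    $rdn    = if ($Record.Class -eq 'organizationalUnit') { "OU=$($Record.Name)" } else { "CN=$($Record.Name)" }
    $liveDN = "$rdn,$($Record.ParentDN)"
    if (Get-ADObject -Filter 'distinguishedName -eq $liveDN' -ErrorAction SilentlyContinue) {
        return [pscustomobject]@{ Name = $Record.Name; Action = 'skipped (exists)'
                                  OldSid = $Record.Metadata.objectSid; NewSid = $null; Failed = '' }
    }

    $new    = New-ADObject -Type $Record.Class -Name $Record.Name -Path $Record.ParentDN -PassThru
    $failed = @()

    # One Set-ADObject per attribute, so a single rejected value (e.g. a duplicate
    # sAMAccountName) does not abort the whole object.
    foreach ($p in $Record.Attributes.PSObject.Properties) {
        if ($SkipOnCreate -contains $p.Name) { continue }
        $key = $p.Name
        try { Set-ADObject -Identity $new -Replace @{ $key = $p.Value } -ErrorAction Stop }
        catch { $failed += $key }
    }
    foreach ($p in $Record.Binary.PSObject.Properties) {
        $key = $p.Name
        try { Set-ADObject -Identity $new -Replace @{ $key = [Convert]::FromBase64String($p.Value) } -ErrorAction Stop }
        catch { $failed += $key }
    }
    # memberOf is a back-link; membership is re-established from the group side.
    foreach ($group in @($Record.Metadata.memberOf) | Where-Object { $_ }) {
        try { Add-ADGroupMember -Identity $group -Members $new -ErrorAction Stop }
        catch { $failed += "memberOf:$group" }
    }

    $created = Get-ADObject -Identity $new -Properties objectSid
    [pscustomobject]@{
        Name   = $Record.Name
        Action = 'created'
        OldSid = $Record.Metadata.objectSid
        NewSid = if ($created.objectSid) { $created.objectSid.Value } else { $null }   # contacts have no SID
        Failed = $failed -join ','
    }
}

$records = Get-Content -Path $InFile -Raw | ConvertFrom-Json
# Shallower parents first, so objects whose container was also exported find it in place.
$report  = foreach ($r in $records | Sort-Object { $_.ParentDN.Length }) { Restore-ExportedObject -Record $r }
$report | Format-Table -AutoSize
```

The OldSid/NewSid columns are the practical answer to the original question: anything keyed on the old SID (ACL entries, profile paths, SID-history-free trusts) will not match the recreated object, whereas a Recycle Bin or authoritative restore keeps the old SID.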
-
Monday, April 02, 2012 2:14 PM
As he is developing the backup/restore application, I would suggest reposting in the MSDN forum. This forum is about development.
http://social.msdn.microsoft.com/Forums/en-US/categories/
Best Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator | My Blog
-
Thursday, April 05, 2012 6:33 AM
Hi Sandesh,
I have reposted this thread here: http://social.msdn.microsoft.com/Forums/en-US/winserver2008appcompatabilityandcertification/thread/8891b79a-c3f5-4ce8-9ff8-1c17e4b17ac9
bin hex

