Taking an image of a DC in a linux kernel (not hot from within OS)

  • Question

  • Hi,

    I use software like Clonezilla on a dedicated Hyper-V server (also running as a DC), which, when I choose to, reboots the machine and loads a linux kernel and takes an image of the disk which is saved on another server.

    This is not a hot backup which happens within the OS with all the services etc running. Is the above practice harmful to a DC?

     

    Thanks

    Friday, June 10, 2011 3:11 PM

All replies

  • Hello,

    I have not understood well what you are trying to perform.

    Note that running a DC as a VM is not recommended for performance reasons.

    For backup of a DC, you have to use an AD aware backup. More here: http://technet.microsoft.com/en-us/library/bb727048.aspx

    Note that it is not recommended to run applications on a DC.

     


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified IT Professional: Enterprise Administrator

    Friday, June 10, 2011 3:16 PM
  • I'm not familiar with that third-party backup program but it sounds like a “snapshot”.

    Active Directory does not support other methods to roll back the contents of Active Directory. In particular, Active Directory does not support any method that restores a "snapshot" of the operating system or the disk volume the operating system resides on. This kind of method causes a rollback in the update sequence number (USN) used to track changes in Active Directory. When a USN rollback occurs, the contents of the Active Directory databases on the improperly restored domain controller and its replication partners may be permanently inconsistent.

    You can read more info on the following article:

    http://support.microsoft.com/kb/888794


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

    Blogs - http://blogs.sivarajan.com/
    Articles - http://www.sivarajan.com/publications.html
    Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara
    This posting is provided AS IS with no warranties,and confers no rights.
    Friday, June 10, 2011 3:18 PM
    Moderator
  • Hi,

     

    The AD role is on the physical server (on Server Core). The only other role is Hyper-V on this server.

    I'm aware you have to use AD-aware backup (like Windows Server Backup). However, I think this does not apply as I am taking an image not from within the server's OS?

    Also, why is not recommended to run applications on a DC? In my case, if it is performance, this does not matter as there is enough memory etc.

    Friday, June 10, 2011 3:20 PM
  • Use of images is not supported for DCs. You have to use an AD-aware backup.

    It is not recommended to run applications on a DC for performance reasons and to reduce its troubleshooting complexity.

     

     



    • Edited by Mr XMVP Friday, June 10, 2011 3:50 PM add info
    Friday, June 10, 2011 3:23 PM
  • A DC is used for handling authentication & authorization for domain users, & if something goes wrong with it or there are any wrong changes, it can break authentication & authorization for all the domain users. Authentication is required for file access/printer access/application access etc. A DC authenticates users & serves a lot of requests for authorization for users as well as for computers; being so loaded, it would not be feasible to install any other roles or applications apart from DNS/GC. Domain controllers are treated as sensitive & should be kept away from normal users for security reasons.

    Backup/Restore consideration for DC

    http://support.microsoft.com/kb/888794

    http://msdn.microsoft.com/en-us/library/d2cae85b-41ac-497f-8cd1-5fbaa6740ffe%28v=WS.10%29#backup_and_restore_considerations_for_virtualized_domain_controllers

     

    Regards


    Awinish Vishwakarma| CHECK MY BLOG 

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Friday, June 10, 2011 3:37 PM
    Moderator
  • Hi,

    I'm on a small environment used by only me for development (AD/Hyper-V server with 3 VMs).

    I was under the impression that the approach above would work as the image is not taken from within the Windows OS.

    If not, I will do the standard system state backup/restore. Can I restore over an existing AD? For example, I backup the system state, turn the server off, turn it on again , AD/DNS etc is all there and I restore the latest system state backup.

    Friday, June 10, 2011 3:56 PM
  • You can host a DC on a virtualized environment. Please review the following article:

    http://support.microsoft.com/kb/888794

     As I mentioned earlier, restoring a DC from image or snapshot is supported due to USN issues.


    Friday, June 10, 2011 4:17 PM
    Moderator
  • Yes, you can restore the system state backup w/o any issue & this is the standard recommended by MS. No to imaging/snapshot/cloning of DC.

    AD DS Backup and Recovery Step-by-Step Guide

    http://technet.microsoft.com/en-us/library/cc771290%28WS.10%29.aspx

    http://www.trainsignaltraining.com/backup-and-restore-active-directory-on-windows-server-2008

     

    Regards  



    Saturday, June 11, 2011 6:16 AM
    Moderator
  • Just to re-iterate, I read on Technet here that snapshot imaging is not recommended for DCs. In fact, last year I brought software which can do proper AD-aware backups and uses VSS.

    I thought the approach above would work ok because the snapshot is taken from a loaded linux kernel and not within the OS with the services etc running and the OS in memory. If that's still a problem, I will play it safe.

    I need to do this because my hosting provider provides ded. servers on the cloud and I can cancel the server by writing a disk image and then re-provision the image to a ded. server. So to ensure everything is saved correctly, I will backup system state prior to cancelling the server and then restoring when provisioning the server. I was wondering if a system state backup can overwrite an existing system state on the OS.

    Technet has and always will be a powerful resource for education on AD.

    Thanks

    Saturday, June 11, 2011 10:54 AM
  • Yes, because AD is an MS concept.

     

    Regards  



    Sunday, June 12, 2011 4:08 AM
    Moderator
  • Hello,

    It doesn't matter at which level you make an image/snapshot. The AD database is still locked at that time and the USN rollback will occur if you use this way of backup; more details:

    http://technet.microsoft.com/en-us/library/dd348479(WS.10).aspx


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Tuesday, June 14, 2011 6:21 AM
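
The USN rollback that several replies above warn about, as an added toy simulation (not part of the thread and not Microsoft code). The `DC` class, its per-source `watermark` (a simplified stand-in for the state a replication partner keeps about each source) and the object names are assumptions made for illustration; the only difference between the two runs is whether the restore gives the database a new invocation ID, as a supported AD-aware restore does.

```python
import copy
import uuid


class DC:
    """Toy domain controller (hypothetical model, not a real AD API)."""

    def __init__(self, name):
        self.name = name
        self.invocation_id = uuid.uuid4().hex  # identity of this database instance
        self.usn = 0                           # local update sequence number
        self.objects = {}    # object -> (value, originating invocation ID, originating USN)
        self.watermark = {}  # source invocation ID -> highest originating USN applied

    def write(self, obj, value):
        self.usn += 1
        self.objects[obj] = (value, self.invocation_id, self.usn)

    def pull_from(self, source):
        """Apply only changes above the watermark already recorded for their originator."""
        applied = []
        for obj, (value, inv, usn) in sorted(source.objects.items(), key=lambda kv: kv[1][2]):
            if usn > self.watermark.get(inv, 0):
                self.objects[obj] = (value, inv, usn)
                self.watermark[inv] = usn
                applied.append(obj)
        return applied


def missing_on_partner(ad_aware_restore):
    """Return objects written on DC1 after the restore that never reach DC2."""
    dc1, dc2 = DC("DC1"), DC("DC2")
    dc1.write("alice", "v1"); dc1.write("bob", "v1")    # USN 1-2 (constructed sample data)
    image = copy.deepcopy(dc1)                          # offline disk image taken at USN 2
    dc1.write("carol", "v1"); dc1.write("dave", "v1")   # USN 3-4
    dc2.pull_from(dc1)                                  # DC2 has now seen DC1 up to USN 4
    dc1 = copy.deepcopy(image)                          # restore: USN counter is back at 2
    if ad_aware_restore:
        dc1.invocation_id = uuid.uuid4().hex            # supported restore: new invocation ID
    dc1.write("erin", "v1"); dc1.write("frank", "v1")   # USNs 3-4 are issued a second time
    dc2.pull_from(dc1)
    return sorted(set(dc1.objects) - set(dc2.objects))


if __name__ == "__main__":
    print("image restore   :", missing_on_partner(False))
    print("AD-aware restore:", missing_on_partner(True))
```

After the image restore the partner silently skips the reused USNs and no error is raised, which is why the divergence can go unnoticed; the model says nothing about where the image was taken from, only that the USN counter and invocation ID came back unchanged.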