VMware Cloud Community
vmproteau
Enthusiast
Enthusiast
Jump to solution

Backing up Windows Domain Controllers with VCB and VSS

With the new VSS support in 3.5 update 2 and VCB 1.5, I am looking into backing up my Domain Controllers with VCB. There have been positive results that claim you could DR a DC with a simple restore. See this WhitePapaer

I plan to test and expect success but, I'm concerned with supportability. The only document from Microsoft I see is from 2006 and in it it states snapshot restores are unsupported but goes on to explain reasons why that do not take VSS into account (see below). Does anyone know if there is a newer policy statement regarding supportability of DCs and snapshot backups with VSS?

Active Directory does not support other methods to roll back the contents of Active Directory. In particular, Active Directory does not support any method that restores a snapshot of the operating system or the volume the operating system resides on. This kind of method causes an update sequence number (USN) rollback. When a USN rollback occurs, the replication partners of the incorrectly restored domain controller may have inconsistent objects in their Active Directory databases. In this situation, you cannot make these objects consistent.

Reply
0 Kudos
1 Solution

Accepted Solutions
Gostev
Enthusiast
Enthusiast
Jump to solution

Hello vmproteau, thank you for mentioning my white paper.

One thing I noted during the testing of VMware ESX3.5 U2 VSS functionality, is that the domain controller did not start up in the recovery mode during the first boot. According to Microsoft documentation however, when performing a VSS-integrated domain controller restore, the system must be rebooted in Directory Services Restore mode when Active Directory is running on the server. To my understanding, booting in the DS restore mode is required so that the NTDS.DIT file is not locked with Active Directory services when the restore is performed. So I do not know whether or not ESX3.5 U2 VSS domain controller restore approach will be supported by Microsoft.

In contrast with this, our product (Veeam Backup) has the custom-tailored restore logic implemented for those Microsoft applications which require special restore steps to be made (Domain Controllers, Exchange servers). So in case of a domain controller, when restoring a DC backup you will actually see your DC booting in the Directory Services Restore mode first to perform the necessary restore steps while booted in this mode, then the DC would automatically reboot and start up normally.

I have published this follow up blog post with some videos of testing different backup and restore approaches for a DC running in virtual machine - essentially the same test that you are planning to perform. There, you can also find the video showing Veeam Backup DC restore process if you are interested.

Hope this helps!

View solution in original post

Reply
0 Kudos
8 Replies
Gostev
Enthusiast
Enthusiast
Jump to solution

Hello vmproteau, thank you for mentioning my white paper.

One thing I noted during the testing of VMware ESX3.5 U2 VSS functionality, is that the domain controller did not start up in the recovery mode during the first boot. According to Microsoft documentation however, when performing a VSS-integrated domain controller restore, the system must be rebooted in Directory Services Restore mode when Active Directory is running on the server. To my understanding, booting in the DS restore mode is required so that the NTDS.DIT file is not locked with Active Directory services when the restore is performed. So I do not know whether or not ESX3.5 U2 VSS domain controller restore approach will be supported by Microsoft.

In contrast with this, our product (Veeam Backup) has the custom-tailored restore logic implemented for those Microsoft applications which require special restore steps to be made (Domain Controllers, Exchange servers). So in case of a domain controller, when restoring a DC backup you will actually see your DC booting in the Directory Services Restore mode first to perform the necessary restore steps while booted in this mode, then the DC would automatically reboot and start up normally.

I have published this follow up blog post with some videos of testing different backup and restore approaches for a DC running in virtual machine - essentially the same test that you are planning to perform. There, you can also find the video showing Veeam Backup DC restore process if you are interested.

Hope this helps!

Reply
0 Kudos
cca
Contributor
Contributor
Jump to solution

Hi

What about Windows 2000 as Domain Controller plus ESX 3.5 update 3 and VCB 1.5? Is there any way to script a shutdownVCBstart the server? If positive, in the case I have a crash can I restore my VCB copy of the Domain Controller and power this virtual machine on without any other procedure? I have other 6 DCs in my network.

Thanks

CCA

Reply
0 Kudos
jguidroz
Hot Shot
Hot Shot
Jump to solution

I do not have the current VCB 1.5 installed yet, but I do use VCB to backup my domain controllers. In the pre-freeze script, I run a system state backup of my DC and dump it to the local drive before taking a snapshot and doing full image backup of that disk. I hope to move away from this when I upgrade to VCB 1.5.

Reply
0 Kudos
cca
Contributor
Contributor
Jump to solution

Hi

Are your DCs Win 2000 or 2003 based?

CCA

Reply
0 Kudos
jguidroz
Hot Shot
Hot Shot
Jump to solution

2003, but the system state backup should work for 2000 DCs as well.

Reply
0 Kudos
cca
Contributor
Contributor
Jump to solution

Thanks

You had a good idea!

Supose my VM crashed and I should restore it, how would be the procedure to return this VM? Should I restore the filespower on VM in a isolated network in AD restore modeexecute the Microsoft AD restore procedure?

Thank you

CCA

Reply
0 Kudos
jguidroz
Hot Shot
Hot Shot
Jump to solution

Yes. You would boot to the Directory Services Restore Mode and then restore the system state backup that was taken.

http://support.microsoft.com/kb/240363

Reply
0 Kudos
cca
Contributor
Contributor
Jump to solution

Thank you very much

CCA

Reply
0 Kudos