Hey folks,
I built two Windows 2008 R2 servers as domain controllers from scratch.
I am now trying to determine the best methods to create backups of these two VMs for DR purposes.
I know that domain controllers are a bit tricky when they are virtual machines so I want to reach out to see how others are handling backups of the VMs.
Right now I am powering down one domain controller at a time and then using vCenter to perform a clone of it. I repeat this process for the other domain controller.
In the event of an OS failure of one of the domain controllers, the plan would be to power on one of the clones. Does that sound reasonable? We refresh the clones every month. We haven't tested this method because I am a bit gun-shy of damaging the AD structure.
We recently purchased Veeam for backups of VMs but haven't implemented it yet. Next steps are to test that out too.
How do you all "clone" or make copies of your domain controller VMs?
I am also doing a full AD backup with the Microsoft tools just in case, but I would love to just be able to turn on a clone and be up and running if something blows up.
I am also thinking where is the best place to store all the backup files if you have a couple of TB worth of applications, programs and files? Any suggestions?
Have you seen this doc?
http://www.vmware.com/files/pdf/Virtualizing_Windows_Active_Directory.pdf
-KjB
Yes I've read that document.
Unfortunately that document does say you can (or can't) do a clone of a DC VM.
I have read other KBs that discuss turning a physical machine that is acting as a domain controller into a VM; this is not a best practice. This is also why we built the DCs as fresh VMs.
Question really is, if I am doing a clone of an existing VM that is a DC, is there an issue with the clone? Hardware SIDs won't change, etc.
Hi,
As far as I know, the only supported backup of Active Directory is to back up your system state or use certified third-party tools like Quest AD backup or Blackbird.
Normally, you are fine with backing up the system state, because installing a new AD controller isn't that complicated and does not take much time.
In most cases, you only have to see where your FSMO roles are running and transfer them.
For more information:
http://technet.microsoft.com/en-us/library/cc771290%28v=ws.10%29.aspx
FSMO roles:
http://www.petri.co.il/transferring_fsmo_roles.htm
Frank
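The step Frank describes (see where the FSMO roles are running, then transfer them) sketched as an added example that is not part of the thread. It assumes the ActiveDirectory PowerShell module that ships with Windows Server 2008 R2; `DC01` and `DC02` are placeholder host names and the two function names are hypothetical helpers.

```powershell
Import-Module ActiveDirectory

# Return the current holder of each of the five operations master roles:
# two are forest-wide, three exist once per domain.
function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# Move every role held by $SourceDC to $TargetDC.
# Without -Apply this is a dry run (-WhatIf) that only reports what would move.
function Move-FsmoFrom {
    param(
        [Parameter(Mandatory = $true)][string]$SourceDC,
        [Parameter(Mandatory = $true)][string]$TargetDC,
        [switch]$Apply
    )
    # Holders are reported as FQDNs, so match the short name or the FQDN.
    $roles = @(Get-FsmoHolders).GetEnumerator() |
        Where-Object { $_.Value -eq $SourceDC -or $_.Value -like "$SourceDC.*" } |
        ForEach-Object { $_.Key }
    $roles = @($roles)
    if ($roles.Count -eq 0) {
        Write-Output "$SourceDC holds no FSMO roles; nothing to move."
        return
    }
    Write-Output "Roles on ${SourceDC}: $($roles -join ', ')"
    # A transfer needs the source DC online. If it is permanently gone the
    # roles have to be seized instead (-Force), and that DC must then never
    # be brought back onto the network.
    if ($Apply) {
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
            -OperationMasterRole $roles -Confirm:$false
    } else {
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
            -OperationMasterRole $roles -WhatIf
    }
}

# Dry run with placeholder names: show which roles would move off DC01.
Move-FsmoFrom -SourceDC 'DC01' -TargetDC 'DC02'
```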
Thanks Frank, that is our "backup to our backup" plan. We have full "NTbackups" (though they aren't called that in 2008 anymore) of our ADs, just in case.
Maybe I will just test out the clones in an isolated lab to see what happens. Just wanted to see if anyone out there had tried this other method of clones.
If you are using clones, then for most of the time, the clone will be ok if you start using it immediately, and the source host is not on the network. Customization is not supported, so you can't create a new domain controller from an existing one. And if you start using it immediately, then you don't have inconsistency or replication problems, but they can be introduced which is why clones aren't typically best practice.
-KjB