Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2006-03-08) Backup And Restore Of Active Directory

Posted by Jorge on 2006-03-08


The procedure to back up AD or DCs has always been (and for now will remain) to use a VALID system state backup of a DC. However, times are changing and all kinds of new technologies and ideas are being used. Although I do NOT promote the use of unsupported backup/restore mechanisms, I'm going to describe a procedure here that allows you to use one of the unsupported methods. The main reason for this is that the information is publicly available from Microsoft (Running Domain Controllers in Virtual Server 2005 – http://www.microsoft.com/downloads/details.aspx?FamilyID=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en) but it is INCOMPLETE, and people will hurt themselves if it is done incorrectly!

DISCLAIMER:

  • You use this procedure at your own risk
  • This posting is provided "AS IS" with no warranties and confers no rights!
  • Always test before implementing/using tools/procedures!

 

BEST and SUPPORTED way for backup/restore of AD/DCs

  • Supported backup/restore mechanisms/tools
  • Using (at least) system state backups

More information:

 

FAST and UNSUPPORTED ways for backup/restore of AD/DCs

  • Disk images (cloning)
  • Virtual machine images
  • Breaking RAID 1 (mirroring) configurations

 

Dangers of NOT using supported AD aware backup/restore mechanisms

  • USN rollbacks in AD and in the SYSVOL
  • Inconsistent data in AD and in the SYSVOL
  • Effects:
    • Other DCs know more about a certain DC than the DC itself

Risk mitigation

  • Use ONLY SUPPORTED backup/restore mechanisms!!!
  • Follow instructions in "Running Domain Controllers in Virtual Server 2005"
  • Implement hotfixes: MS-KBQ885875 (W2K) & MS-KBQ875495 (W2K3) (also included in W2K3 SP1)

 

So let’s take a look at WHAT USN rollbacks (in AD) are.

The following is an example environment where nothing is wrong.

[image: replication topology of the example forest (ROOTDC001, ROOTDC002, CHLDDC001), healthy]

 

Now let’s have a look at the up-to-dateness vector of ALL DCs in the forest as seen on each DC in the forest…

[image: up-to-dateness vectors of all DCs, healthy environment]

For each DC (each DC has its own color) the dotted lines should ALWAYS have a value equal to or lower than the normal line of the same color!!! (everything is OK for ROOTDC001, ROOTDC002 and CHLDDC001)

 

The following is an example environment where something IS wrong because a non-AD-aware restore solution has been used.

[image: replication topology of the example forest after a non-AD-aware restore of ROOTDC002]

 

Now let’s have a look at the up-to-dateness vector of ALL DCs in the forest as seen on each DC in the forest…

[image: up-to-dateness vectors of all DCs, environment with a USN rollback on ROOTDC002]

For each DC (each DC has its own color) the dotted lines should ALWAYS have a value equal to or lower than the normal line of the same color!!! As you can see, ROOTDC001 and CHLDDC001 know more about ROOTDC002 than ROOTDC002 knows about itself, and THAT is wrong!
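The comparison described above (what other DCs know about DC X must never exceed what X knows about itself) can be automated. The following is an added example, not code from the original post: it parses text in the shape of `repadmin /showutdvec <DC> <NC>` output for every DC and reports each source DC whose own highest USN is lower than the USN another DC has already seen from it. The sample vectors are constructed; the DC names are the post's, the USN values and timestamps are made up, and the output format is assumed to be the `Site\DC @ USN <n> @ Time <t>` line layout.

```powershell
# Added example (not from the original post). The text below is CONSTRUCTED in
# the shape of "repadmin /showutdvec <DC> <NC>" output with made-up USN values.
# In a live forest replace each entry of $Sample with the real output, e.g.
#   $Sample[$dc] = (repadmin /showutdvec $dc 'DC=root,DC=local') -join "`n"
$Sample = @{
    # vector as seen ON ROOTDC001
    'ROOTDC001' = @'
Default-First-Site-Name\ROOTDC001 @ USN 15713 @ Time 2006-03-08 10:00:00
Default-First-Site-Name\ROOTDC002 @ USN 13925 @ Time 2006-03-08 10:00:00
Default-First-Site-Name\CHLDDC001 @ USN 13694 @ Time 2006-03-08 10:00:00
'@
    # vector as seen ON ROOTDC002 after it was brought back from an old image:
    # it now believes its own USN is 13200, lower than what the others saw.
    'ROOTDC002' = @'
Default-First-Site-Name\ROOTDC001 @ USN 15702 @ Time 2006-03-08 09:50:00
Default-First-Site-Name\ROOTDC002 @ USN 13200 @ Time 2006-03-08 09:50:00
Default-First-Site-Name\CHLDDC001 @ USN 13690 @ Time 2006-03-08 09:50:00
'@
    # vector as seen ON CHLDDC001
    'CHLDDC001' = @'
Default-First-Site-Name\ROOTDC001 @ USN 15710 @ Time 2006-03-08 09:59:00
Default-First-Site-Name\ROOTDC002 @ USN 13925 @ Time 2006-03-08 10:00:00
Default-First-Site-Name\CHLDDC001 @ USN 13694 @ Time 2006-03-08 10:00:00
'@
}

function ConvertFrom-UtdVector {
    # Turn one DC's showutdvec text into a hashtable: source DC -> USN.
    param([string]$Text)
    $vector = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        # "<site>\<dc> @ USN <n> @ Time ..."; header and blank lines do not match
        if ($line -match '^\s*[^\\\s]+\\(?<dc>[^\s@]+)\s+@\s+USN\s+(?<usn>\d+)') {
            $vector[$Matches['dc']] = [int64]$Matches['usn']
        }
    }
    return $vector
}

function Find-UsnRollback {
    # $Vectors: observer DC -> (source DC -> USN), i.e. one parsed vector per DC.
    # A finding means an observer has seen a higher USN from the source than the
    # source currently reports for itself: the post's "dotted line above the
    # normal line" condition.
    param([hashtable]$Vectors)
    $findings = @()
    foreach ($source in $Vectors.Keys) {
        $selfUsn = $Vectors[$source][$source]
        if ($null -eq $selfUsn) { continue }   # no self entry: nothing to compare against
        foreach ($observer in $Vectors.Keys) {
            if ($observer -eq $source) { continue }
            $seen = $Vectors[$observer][$source]
            if ($null -ne $seen -and $seen -gt $selfUsn) {
                $findings += [pscustomobject]@{
                    SourceDC    = $source
                    ObserverDC  = $observer
                    SelfUsn     = $selfUsn
                    ObservedUsn = $seen
                }
            }
        }
    }
    return $findings
}

$parsed = @{}
foreach ($dc in $Sample.Keys) { $parsed[$dc] = ConvertFrom-UtdVector -Text $Sample[$dc] }

$rollbacks = @(Find-UsnRollback -Vectors $parsed)
if ($rollbacks.Count -eq 0) {
    Write-Output 'No USN rollback indication in the up-to-dateness vectors.'
} else {
    # With the constructed sample: ROOTDC002 is reported twice (seen at 13925
    # by ROOTDC001 and by CHLDDC001, while it reports 13200 for itself).
    $rollbacks | Format-Table -AutoSize
}
```

Run it once per naming context you care about; a DC that is merely lagging shows up as lower dotted lines, never as a finding, so a finding is worth a closer look even when no event has been logged (the post notes that hotfix detection is not guaranteed).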

 

How to detect and recover from a USN rollback in Windows 2000 Server

How to detect and recover from a USN rollback in Windows Server 2003

 

So what do MS-KBQ885875/MS-KBQ875495 really do?

  • Detect USN rollbacks in AD, NOT in the SYSVOL
  • USN rollback detection is NOT 100% guaranteed!!!
  • Pauses the NETLOGON service WHEN a USN rollback in AD is detected!
  • Disables inbound and outbound AD replication (event ID 1113/1115), NOT SYSVOL replication, WHEN a USN rollback in AD is detected!
  • Logs event IDs 2095 and 2103 in the directory services event log
  • BOTH HOTFIXES also provide:
    • Supported recovery option that mimics a system state restore
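The indicators listed above can be checked from the DC itself. The following read-only check is an added example, not code from the original post. It assumes Windows PowerShell run elevated on the DC (Get-EventLog is not available in PowerShell 7) and the default event log names "Directory Service" and "File Replication Service". The "DSA Not Writable" registry value is documented in the hotfix KBs rather than in the post; its meaning (4 = USN rollback detected) is stated there, not here.

```powershell
# Added example (not from the original post): a read-only check for the
# post's USN rollback indicators. Assumes Windows PowerShell, elevated, on the DC.
function Test-UsnRollbackIndicators {
    param([datetime]$Since = (Get-Date).AddDays(-30))

    # Event IDs the hotfixes log in the Directory Service log when they detect a rollback
    $dsIds = Get-EventLog -LogName 'Directory Service' -After $Since |
             ForEach-Object { $_.EventID }

    # The hotfixes pause NETLOGON on detection
    $netlogonPaused = ((Get-Service -Name Netlogon).Status -eq 'Paused')

    # "DSA Not Writable" = 4 is the hotfix's persistent marker (from the KBs, not the post)
    $ntds = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                             -ErrorAction SilentlyContinue
    $dsaNotWritable = ($null -ne $ntds -and $ntds.'DSA Not Writable' -eq 4)

    $event2095 = ($dsIds -contains 2095)
    $event2103 = ($dsIds -contains 2103)
    $replDisabled = ($dsIds -contains 1113) -or ($dsIds -contains 1115)

    [pscustomobject]@{
        NetlogonPaused      = $netlogonPaused
        RollbackEvent2095   = $event2095
        RollbackEvent2103   = $event2103
        ReplicationDisabled = $replDisabled
        DsaNotWritable      = $dsaNotWritable
        # Any one of these is enough to treat the DC as rolled back; replication
        # being disabled on its own can have other causes, so it is not included.
        RollbackSuspected   = ($netlogonPaused -or $event2095 -or $event2103 -or $dsaNotWritable)
    }
}

Test-UsnRollbackIndicators | Format-List
```

A clean result is not proof of health: as the post says, detection is not guaranteed and SYSVOL is not covered at all, so the up-to-dateness vector comparison and an FRS check are still needed.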

 

That recovery option has the following requirements!

  • Hotfixes installed/implemented PRIOR to the failure
  • Use ONLY images WITHIN the “tombstone lifetime” timeframe
  • Use ONLY images that have NEVER been booted after creation (this is VERY IMPORTANT. If it has been booted into normal DC mode, it is useless and you need to start over!!!)
  • Make sure the SAME DC is NOT running elsewhere
  • Follow requirements and instructions mentioned in:
    • MS-KBQ885875 & MS-KBQ875495
    • "Running Domain Controllers in Virtual Server 2005"

Procedure for using the recovery option:

  • “Restore” the image
  • !!! Boot into DSRM !!! (not connected to the network)
  • Note the value of “DSA Previous Restore Count”
    (HKLM\System\CurrentControlSet\Services\NTDS\Parameters) (Not visible? –> Assume a value of 0)
  • Add the entry “Database restored from backup” (DWORD) with a value of 1
    (HKLM\System\CurrentControlSet\Services\NTDS\Parameters) (This triggers the actions needed for AD right after a system state restore!)
  • Stop the “File Replication Service (NTFRS)” and assign the value “D4” (for an auth. or primary restore) or “D2” (for a non-auth. restore) to the entry “BurFlags” in (HKLM\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup)
    (This triggers the actions needed for the SYSVOL right after a system state restore!) (and for other replicated DFS namespaces!)
    (also see: Using the BurFlags registry key to reinitialize File Replication Service replica sets –
    http://support.microsoft.com/?id=290762)
  • Boot into normal DC mode (not connected to the network)
  • Check the value of “DSA Previous Restore Count”
    (HKLM\System\CurrentControlSet\Services\NTDS\Parameters) (New value = old value + 1)
  • In the DS event log check for event ID 1109
  • In the FRS event log check for event ID 13565 & 13520 if a non-auth. restore was performed for the SYSVOL
  • In the FRS event log check for event ID 13566 if an auth. restore was performed for the SYSVOL
  • Connect to the network again
  • Check the health of the DC (AD & SYSVOL)
    • DCDIAG /D /C /V
    • NETDIAG /DEBUG /V
    • GPOTOOL.EXE /CHECKACL /VERBOSE
    • REPADMIN.EXE /SHOWUTDVEC <FQDN DC> <NC>
  • DONE!
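The registry and event log steps of the procedure above, as an added PowerShell example that is not part of the original post. `Invoke-DsrmRestoreFlags` is meant to be run while booted into DSRM with the network disconnected, and `Test-PostRestoreState` after the following boot into normal DC mode, still disconnected, before the DCDIAG/NETDIAG/GPOTOOL/REPADMIN checks. It assumes Windows PowerShell run elevated on the DC, the default service name `NtFrs` and event log names, and that the hotfixes were already in the image. The function and parameter names are this example's own. One caveat the example works around: the FRS key name contains a forward slash (`Backup/Restore`), which the PowerShell registry provider reads as a path separator, so that key is opened through the .NET registry API instead of `HKLM:\...`.

```powershell
# Added example (not from the original post). Windows PowerShell, elevated, on the DC.
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
# Relative to HKLM. Opened via .NET because "/" in "Backup/Restore" is treated
# as a path separator by the HKLM: provider.
$NtFrsStartupKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

function Get-DsaPreviousRestoreCount {
    $item = Get-ItemProperty -Path $NtdsParams -Name 'DSA Previous Restore Count' `
                             -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }   # not visible -> assume 0, as the post says
    return [int]$item.'DSA Previous Restore Count'
}

function Invoke-DsrmRestoreFlags {
    # Run in DSRM, network disconnected. Returns the restore count seen BEFORE the
    # restore so it can be handed to Test-PostRestoreState after the reboot.
    param(
        [Parameter(Mandatory)][ValidateSet('Authoritative', 'NonAuthoritative')]
        [string]$SysvolRestore
    )
    $before = Get-DsaPreviousRestoreCount
    Write-Host "DSA Previous Restore Count before restore: $before"

    # 1. Make NTDS behave as if a system state restore just happened.
    New-ItemProperty -Path $NtdsParams -Name 'Database restored from backup' `
                     -PropertyType DWord -Value 1 -Force | Out-Null

    # 2. Stop FRS and set BurFlags: D4 = authoritative/primary, D2 = non-authoritative.
    Stop-Service -Name NtFrs -Force
    $burFlags = if ($SysvolRestore -eq 'Authoritative') { 0xD4 } else { 0xD2 }
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($NtFrsStartupKey, $true)
    if ($null -eq $key) { throw "FRS startup key not found: HKLM\$NtFrsStartupKey" }
    try {
        $key.SetValue('BurFlags', $burFlags, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
    return $before
}

function Test-PostRestoreState {
    # Run after booting into normal DC mode, still disconnected from the network.
    param(
        [Parameter(Mandatory)][int]$CountBefore,
        [Parameter(Mandatory)][ValidateSet('Authoritative', 'NonAuthoritative')]
        [string]$SysvolRestore,
        [datetime]$Since = (Get-Date).AddHours(-2)
    )
    $checks = [ordered]@{}

    # The post's expectation: new count = old count + 1
    $checks['RestoreCountIncremented'] = ((Get-DsaPreviousRestoreCount) -eq ($CountBefore + 1))

    $dsIds = Get-EventLog -LogName 'Directory Service' -After $Since |
             ForEach-Object { $_.EventID }
    $checks['DsEvent1109'] = ($dsIds -contains 1109)

    $frsIds = Get-EventLog -LogName 'File Replication Service' -After $Since |
              ForEach-Object { $_.EventID }
    if ($SysvolRestore -eq 'Authoritative') {
        $checks['FrsEvent13566'] = ($frsIds -contains 13566)
    } else {
        $checks['FrsEvents13565And13520'] = ($frsIds -contains 13565) -and ($frsIds -contains 13520)
    }
    $checks['AllPassed'] = -not ($checks.Values -contains $false)
    return [pscustomobject]$checks
}

# Usage (two separate boots):
#   $n = Invoke-DsrmRestoreFlags -SysvolRestore NonAuthoritative      # in DSRM
#   ... reboot into normal DC mode, network still disconnected ...
#   Test-PostRestoreState -CountBefore $n -SysvolRestore NonAuthoritative
```

Only reconnect the network when every check is true; an unchanged restore count means the "Database restored from backup" trigger did not fire and the image must not be allowed to replicate.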

 

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
Jorge’s Quest For Knowledge: http://JorgeQuestForKnowledge.wordpress.com/
———————————————————————————————

6 Responses to “(2006-03-08) Backup And Restore Of Active Directory”

  1. Hello,

    Good article Jorge!
    Just a question. For the 2 cases (with or without USN rollbacks) you stated "For each DC with its own color the dotted lines should ALWAYS have the same value or lower than the normal line!!!" but it seems not to be the case for CHILDDC001, where a repadmin /showutdvec shows a USN for itself (13694) lower than the ROOTDC01 (15713) & DC2 (13925) USNs. True?

    Yann

  2. Jorge said

    Hi Yann, I think you are comparing the blue line with the dotted green and red line…. right? You should compare, FOR EACH color, the values of the normal line with the dotted lines. Dotted lines should have lower values than the normal line (of the same color!). For a certain partition: (1) On a certain DC, what does the DC know about itself? (2) On other DCs, what do those DCs know about that certain DC? (2) should always be lower than (1), as a certain DC should ALWAYS know more or the same about itself than other DCs. Use both examples and see for yourself again. Do you agree?

  3. "I think you are comparing the blue line with the dotted green and red line…. right?" Exactly! 🙂

    I get it now Jorge, testing in my own AD environment!

    Sorry, I did not understand before you explained it to me again.

    Thanks for the clarification. A blog like yours is a great resource to decrypt the underground technology of AD 🙂

    So just keep up the good work!

    Yann

  4. c0d3r said

    pingback from https://petersblog.dyndns.org:8899/Lists/Posts/Post.aspx?ID=18

  5. […] Whatever technology you use, the pitfalls and issues are the same. An explanation to what can happen can also be found here: https://jorgequestforknowledge.wordpress.com/2006/03/08/backup-and-restore-of-active-directory-2/ […]

  6. […] –> Read: "Backup And Restore Of Active Directory" […]
