The procedure to back up AD or DCs has always been (and as for now will always be) to use a VALID system state backup of a DC. However, times are changing and all kinds of new technologies and ideas are being used. Although I DO NOT promote the use of unsupported backup/restore mechanisms, I'm going to mention a procedure here that allows you to use one of the unsupported methods. The main reason for this is that the information is publicly available from Microsoft (Running Domain Controllers in Virtual Server 2005 - http://www.microsoft.com/downloads/details.aspx?FamilyID=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en) but it is INCOMPLETE and people will hurt themselves if it is done incorrectly!

DISCLAIMER:

  • You are responsible on your own when using this procedure
  • This posting is provided "AS IS" with no warranties and confers no rights!
  • Always test before implementing/using tools/procedures!

 

BEST and SUPPORTED way for backup/restore of AD/DCs

  • Supported backup/restore mechanisms/tools
  • Using (at least) system state backups

More information:

 

FAST and UNSUPPORTED ways for backup/restore of AD/DCs

  • Disk images (cloning)
  • Virtual machine images
  • Breaking RAID 1 (mirroring) configurations

 

Dangers of NOT using supported AD aware backup/restore mechanisms

  • USN rollbacks in AD and in the SYSVOL
  • Inconsistent data in AD and in the SYSVOL
  • Effects:
    • Other DCs know more about a certain DC than the DC itself

Risk mitigation

  • Use ONLY SUPPORTED backup/restore mechanisms!!!
  • Follow instructions in "Running Domain Controllers in Virtual Server 2005"
  • Implement hotfixes: MS-KBQ885875 (W2K) & MS-KBQ875495 (W2K3) (also included in W2K3 SP1)

 

So let's take a look at WHAT USN rollbacks (in AD) are.

The following example shows an environment where nothing is wrong.

 

Now let's have a look at the up-to-dateness vector of ALL DCs in the forest on each DC in the forest...

For each DC (each with its own color), the dotted lines should ALWAYS have the same value as, or a lower value than, the normal line!!! (everything is OK for ROOTDC001, ROOTDC002 and CHLDDC001)

 

The following example shows an environment where something IS wrong because a non-AD-aware restore solution has been used.

 

Now let's have a look at the up-to-dateness vector of ALL DCs in the forest on each DC in the forest...

For each DC (each with its own color), the dotted lines should ALWAYS have the same value as, or a lower value than, the normal line!!! As you can see, ROOTDC001 and CHLDDC001 know more about ROOTDC002 than ROOTDC002 itself, and THAT is wrong!
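The "dotted line must never be above the normal line" rule can be checked without a picture. The script below is an added example (not code from the original post): it parses the up-to-dateness vector as captured on every DC and reports each DC that another DC "knows better" than the DC knows itself. The sample text is CONSTRUCTED to resemble `repadmin /showutdvec` output; the exact line layout and the `Site\DC @ USN n @ Time ...` shape are assumptions, and PowerShell 3.0 or later is assumed for `[pscustomobject]`.

```powershell
# Added example (not code from the original post): turn the "dotted line vs.
# normal line" rule into a check. Each DC's own highest USN (what it knows
# about itself) must be >= what every other DC records for it in its
# up-to-dateness vector; a higher value elsewhere is the rollback symptom.
# $samples is CONSTRUCTED to look like "repadmin /showutdvec" output captured
# on each DC; adjust the regex in Get-UtdVector if your build prints it differently.

function Get-UtdVector {
    param([string]$Text)
    $vector = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        # Expected shape (assumption): Site\DC @ USN <number> @ Time <timestamp>
        if ($line -match '^\s*[^\\\s]+\\(?<dc>\S+)\s+@\s+USN\s+(?<usn>\d+)\s+@') {
            $vector[$Matches['dc'].ToUpper()] = [int64]$Matches['usn']
        }
    }
    return $vector
}

function Test-UsnRollback {
    param([hashtable]$Samples)   # DC name -> /showutdvec text captured ON that DC
    $views = @{}
    foreach ($dc in $Samples.Keys) { $views[$dc.ToUpper()] = Get-UtdVector -Text $Samples[$dc] }

    $findings = @()
    foreach ($observer in $views.Keys) {
        foreach ($subject in $views[$observer].Keys) {
            if ($observer -eq $subject) { continue }               # a DC cannot contradict itself
            if (-not $views.ContainsKey($subject)) { continue }    # no sample captured on that DC
            $own  = $views[$subject][$subject]                     # normal line: what the DC knows about itself
            $seen = $views[$observer][$subject]                    # dotted line: what the observer knows about it
            if ($null -ne $own -and $seen -gt $own) {
                $findings += [pscustomobject]@{
                    Subject         = $subject
                    Observer        = $observer
                    SubjectOwnUsn   = $own
                    ObserverSeesUsn = $seen
                    UsnsAhead       = $seen - $own
                }
            }
        }
    }
    return $findings
}

# CONSTRUCTED sample: ROOTDC002 was put back from an image, so its own view of
# itself (41000) is lower than what the other two DCs already replicated from it.
$samples = @{
    'ROOTDC001' = @"
Caching GUIDs.
..
Default-First-Site-Name\ROOTDC001 @ USN   52100 @ Time 2005-09-01 10:15:02
Default-First-Site-Name\ROOTDC002 @ USN   48900 @ Time 2005-09-01 10:14:40
Default-First-Site-Name\CHLDDC001 @ USN   31020 @ Time 2005-09-01 10:13:55
"@
    'ROOTDC002' = @"
Caching GUIDs.
..
Default-First-Site-Name\ROOTDC001 @ USN   51800 @ Time 2005-09-01 09:58:11
Default-First-Site-Name\ROOTDC002 @ USN   41000 @ Time 2005-09-01 09:58:30
Default-First-Site-Name\CHLDDC001 @ USN   30950 @ Time 2005-09-01 09:57:20
"@
    'CHLDDC001' = @"
Caching GUIDs.
..
Default-First-Site-Name\ROOTDC001 @ USN   52050 @ Time 2005-09-01 10:14:58
Default-First-Site-Name\ROOTDC002 @ USN   48700 @ Time 2005-09-01 10:14:12
Default-First-Site-Name\CHLDDC001 @ USN   31020 @ Time 2005-09-01 10:15:10
"@
}

$result = Test-UsnRollback -Samples $samples
if ($result) { $result | Format-Table -AutoSize } else { 'No DC is known better elsewhere than by itself.' }
```

With the sample above the check reports ROOTDC002 twice (seen at 48900 by ROOTDC001 and at 48700 by CHLDDC001, against its own 41000), which is exactly the situation in the second picture. On a real forest you would feed it the output of `REPADMIN.EXE /SHOWUTDVEC <FQDN DC> <NC>` run against every DC for the same naming context; remember that the hotfixes below only detect this condition for AD, so running the comparison yourself is a useful second opinion.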

 

How to detect and recover from a USN rollback in Windows 2000 Server

How to detect and recover from a USN rollback in Windows Server 2003

 

So what do MS-KBQ885875/MS-KBQ875495 really do?

  • Detect USN rollbacks in AD, NOT in the SYSVOL
  • USN Rollback detection NOT guaranteed for 100%!!!
  • Pauses the NETLOGON service WHEN USN rollback in AD is detected!
  • Disables inbound and outbound AD replication (event ID 1113/1115), NOT SYSVOL replication, WHEN USN rollback in AD is detected!
  • Logs event IDs 2095 and 2103 in the directory services event log
  • BOTH HOTFIXES also provide:
    • Supported recovery option that mimics a system state restore

 

That recovery option has the following requirements!

  • Hotfixes installed/implemented PRIOR to the failure
  • Use ONLY images WITHIN the “tombstone lifetime” timeframe
  • Use ONLY images that have NEVER been booted after creation (this is VERY IMPORTANT. If it has been booted into normal DC mode, it is useless and you need to start over!!!)
  • Make sure the SAME DC is NOT running elsewhere
  • Follow requirements and instructions mentioned in:
    • MS-KBQ885875 & MS-KBQ875495
    • "Running Domain Controllers in Virtual Server 2005"

Procedure for using the recovery option:

  • “Restore” the image
  • !!! Boot into DSRM !!! (not connected to the network)
  • Note the value of “DSA Previous Restore Count”
    (HKLM\System\CurrentControlSet\Services\NTDS\Parameters) (Not visible? --> Assume value of 0)
  • Add the entry “Database restored from backup” (DWORD) with a value of 1
    (HKLM\System\CurrentControlSet\Services\NTDS\Parameters) (This triggers the actions needed for AD right after a system state restore!)
  • Stop the “File Replication Service (NTFRS)” and assign the value “D4” (for an auth. or primary restore) or “D2” (for a non-auth. restore) to the entry “BurFlags” in (HKLM\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup)
    (This triggers the actions needed for the SYSVOL right after a system state restore!) (and other replicated DFS namespaces!)
    (also see: Using the BurFlags registry key to reinitialize File Replication Service replica sets - http://support.microsoft.com/?id=290762)
  • Boot into normal DC mode (not connected to the network)
  • Check the value of “DSA Previous Restore Count”
    (HKLM\System\CurrentControlSet\Services\NTDS\Parameters) (New value = old value + 1)
  • In the DS event log check for event ID 1109
  • In the FRS event log check for event ID 13565 & 13520 if a non-auth. restore was performed for the SYSVOL
  • In the FRS event log check for event ID 13566 if an auth. restore was performed for the SYSVOL
  • Connect to the network again
  • Check the health of the DC (AD & SYSVOL)
    • DCDIAG /D /C /V
    • NETDIAG /DEBUG /V
    • GPOTOOL.EXE /CHECKACL /VERBOSE
    • REPADMIN.EXE /SHOWUTDVEC <FQDN DC> <NC>
  • DONE!
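The registry and verification steps of the procedure above, as an added example in PowerShell (NOT code from the original post or from Microsoft). Phase 1 runs in DSRM on a DC that is NOT connected to the network; phase 2 runs after the reboot into normal DC mode and checks the counter and the event IDs the list names. Assumptions: PowerShell 3.0 or later is present on the DC, the shell is elevated, the key and value names are exactly those given above, and the scratch file name `usn-recovery-expected-count.txt` is hypothetical. The `Backup/Restore` key has a literal `/` in its name, which the `HKLM:` provider treats as a path separator, so the .NET registry API is used instead.

```powershell
# Added example, NOT code from the original post or from Microsoft: the
# registry steps of the recovery option as two functions. Phase 1 runs in DSRM
# on a DC that is NOT connected to the network; phase 2 runs after the reboot
# into normal DC mode and verifies the counter and the event IDs listed in the
# post. Assumptions: PowerShell 3.0+ is present, the shell is elevated, and the
# key/value names are exactly those given in the post.

$NtdsParams = 'SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$FrsBurKey  = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$StateFile  = "$env:SystemRoot\usn-recovery-expected-count.txt"   # hypothetical scratch file

function Get-RegValue {
    param([string]$SubKey, [string]$Name)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)
    if ($null -eq $key) { return $null }
    try { return $key.GetValue($Name) } finally { $key.Close() }
}

function Set-RegDword {
    param([string]$SubKey, [string]$Name, [int]$Value)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey, $true)
    if ($null -eq $key) { throw "HKLM\$SubKey not found" }
    try { $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord) }
    finally { $key.Close() }
}

# Phase 1: in DSRM, network disconnected. -SysvolRestore D2 = non-authoritative,
# D4 = authoritative/primary (the BurFlags values from the post, in hex).
function Invoke-UsnRecoveryPreReboot {
    param(
        [ValidateSet('D2','D4')][string]$SysvolRestore = 'D2',
        [switch]$InDsrmAndOffline      # deliberate hurdle: the operator asserts the preconditions
    )
    if (-not $InDsrmAndOffline) { throw 'Run only in DSRM with the network disconnected; pass -InDsrmAndOffline to confirm.' }

    $before = Get-RegValue $NtdsParams 'DSA Previous Restore Count'
    if ($null -eq $before) { $before = 0 }        # not visible -> assume 0
    Write-Host "DSA Previous Restore Count before: $before"

    # Makes AD behave as if a system state restore just happened.
    Set-RegDword $NtdsParams 'Database restored from backup' 1

    # Same for the SYSVOL (and any other FRS replica set): stop NTFRS, set BurFlags.
    Stop-Service -Name NtFrs -Force
    Set-RegDword $FrsBurKey 'BurFlags' ([Convert]::ToInt32($SysvolRestore, 16))

    $expected = [int]$before + 1
    Set-Content -Path $StateFile -Value $expected
    return $expected
}

# Phase 2: after rebooting into normal DC mode, still offline.
function Test-UsnRecoveryPostReboot {
    param([switch]$AuthoritativeSysvol)   # set if D4 was used in phase 1
    $expected = [int](Get-Content -Path $StateFile)
    $now      = Get-RegValue $NtdsParams 'DSA Previous Restore Count'
    $since    = (Get-Date).AddHours(-2)   # assumption: the reboot happened within the last two hours

    $dsIds   = Get-EventLog -LogName 'Directory Service' -After $since | ForEach-Object { $_.EventID }
    $frsIds  = Get-EventLog -LogName 'File Replication Service' -After $since | ForEach-Object { $_.EventID }
    $wantFrs = if ($AuthoritativeSysvol) { @(13566) } else { @(13565, 13520) }

    $report = [pscustomobject]@{
        RestoreCountOk   = ($now -eq $expected)
        RestoreCount     = $now
        ExpectedCount    = $expected
        AdRestoreEvent   = ($dsIds -contains 1109)
        SysvolEventsSeen = @($wantFrs | Where-Object { $frsIds -contains $_ })
        SysvolOk         = (@($wantFrs | Where-Object { $frsIds -notcontains $_ }).Count -eq 0)
    }
    $report | Format-List | Out-Host
    return $report
}
```

Usage: in DSRM run `Invoke-UsnRecoveryPreReboot -SysvolRestore D2 -InDsrmAndOffline`, reboot into normal DC mode, then run `Test-UsnRecoveryPostReboot` (add `-AuthoritativeSysvol` if D4 was used). Only when `RestoreCountOk`, `AdRestoreEvent` and `SysvolOk` are all true should the DC be connected to the network again, after which the DCDIAG, NETDIAG, GPOTOOL and REPADMIN checks from the list close the procedure.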