Copyright © Acronis, Inc., 2000-2009
5
•
Make sure that the Active Directory database folder is included into the backup. The easiest way
to do this is to create a full image backup of your system drive, and drives where AD database
and transaction logs are located.
•
Make sure that files making up the AD database (.dit, .chk, .log files) are not in the exclusion list.
•
Make sure that the Create snapshots using VSS option is selected for the backup.
4.
Active Directory recovery
As mentioned above, the AD recovery would differ, depending on what type of recovery is required.
Moreover, in some cases you even don’t need to touch your domain controller backup – all the
information required for the recovery is already available.
In order to cover major AD recovery scenarios, let’s consider the following disaster scenarios:
•
Domain controller is lost, other domain controllers are available.
•
All domain controllers are lost (or there was only one).
•
Active Directory database is corrupted and AD service doesn’t start.
•
Certain information is accidentally deleted from the Active Directory.
4.1.
Domain Controller restore (other DCs are available)
When one of the domain controllers is lost, the AD service is still available. Therefore, other domain
controllers will contain data which is more up-to-date than the data in the backup. For example, if a
user account has been created in the AD after the backup was taken, the backup won’t contain this
account.
Thus, we want to perform a recovery which will not affect the current state of the Active Directory –
this operation is called nonauthoritative restore.
Active Directory records are constantly replicated between the domain controllers. At any given
moment, the same record may contain a certain value on one domain controller, and a different
value on another. To prevent conflicts and loss of information, AD uses incrementing versions (called
Update Sequence Number – USN) attached to every AD object. USNs are used to determine the
direction of replication – records with greatest USN are considered as most up-to-date, and
replicated to other servers.
During nonauthoritative restore, the AD is restored from the database with the original USN stored in
the backup.
Live domain controllers cannot have AD records with a USN that is smaller than the one contained in
the backup – since a USN is always increasing in value. Thus, the AD records from the backup have
little value during such restore – more up-to-date records from other domain controllers will
overwrite them during the replication.
Moreover, it is not mandatory to restore AD in this recovery scenario at all. To restore the domain
controller functionality, it is sufficient to re-create the domain controller itself (using the
dcpromo.exe tool). Once replication completes, the domain controller will be up and running again.
To summarize, the following steps should be completed in order to restore a domain controller when
other DCs are available: