
Backup Exec System Recovery 7.0 Best Practices

Windows 2000/2003 Server and Active Directory Domain Controllers

Updated By: Bill Felt

Authored By: Aimee Barborka

NOTE: As Symantec products evolve, some


Symantec Support Statement

BESR with Active Directory on Windows Server 2000 and 2003

Backup Exec System Recovery (BESR) Supports Windows 2003 Active Directory Domain Controllers

Introduction

Misunderstandings can hurt business by causing customers to unnecessarily abandon best practices and valid business solutions. Contrary to the tenor of the subsequent statement by Microsoft, Symantec Backup Exec™ System Recovery (BESR) does work with Windows 2003 Active Directory Domain Controllers.

Microsoft’s Message

“Microsoft does not support any other process that takes a snapshot of the elements of an Active Directory domain controller’s system state and copies elements of that system state to an operating system image. Unless an administrator intervenes, such processes cause a USN rollback. This USN rollback causes the direct and transitive replication partners of an incorrectly restored domain controller to have inconsistent objects in their Active Directory databases.

Note: Such software includes but is not limited to Norton Ghost.” Microsoft KB875495 http://support.microsoft.com/kb/875495/en-us

This could be misunderstood to mean that Microsoft does not support any snapshot technology with Windows 2003 and Active Directory domain controllers. Examining the minor points of the USN rollback KB will reveal what actually is being stated:

• The message speaks to a Symantec consumer product being used with a Microsoft enterprise server product: specifically Norton Ghost, which by default cannot be installed on a Windows 2003 server.

• If the above KB were viewed as a blanket statement for all Symantec backup products, it would seem to be in conflict with Microsoft’s own recommended backup and restore solutions (contrast KB875495 with Best Practices for Using Volume Shadow Copy Service with Exchange Server 2003).

Symantec’s Message

Backup Exec System Recovery works within the Microsoft Best Practices model to back up and recover Windows 2003 servers, including Active Directory Domain Controllers.

Consumer products such as Norton Save and Restore and Norton Ghost should not be used to back up and restore servers, or be a substitute for an enterprise backup solution. Further:


• BESR follows Microsoft’s recommendations for backing up and restoring Active Directory Domain Controllers.

• BESR works in a tree and network forest environment for backing up and restoring Active Directory servers.

Below is a more detailed look at Microsoft’s supported backup and restoration types and methods.

Microsoft’s Best Practices

“Microsoft supports the following solutions for backing up and restoring Active Directory and Exchange Servers:

Supported Backup and Restore Types

Full Backup: Use the full backup type for Active Directory Domain Controller and Exchange Server deployments. This backup type performs a backup of all the databases, transaction log files, and checkpoint files in a storage group, and after the backup is complete, truncates the log files.

Copy Backup: A copy backup performs the same steps as a full backup, but it does not truncate the transaction log files. You can use a copy backup to create a copy of the database for testing or analysis purposes.

Incremental Backup: You must be running Server 2003 with Service Pack 1 (SP1) or a later version to use an incremental backup type. The incremental backup backs up the transaction logs to record changes that occurred since the last incremental or full backup, and then truncates the transaction logs. To restore from an incremental backup, you must first restore the last full backup, and then restore all the incremental backups.

Differential Backup: A differential backup type requires Exchange Server 2003 with SP1 or later. A differential backup backs up the transaction logs to record changes that occurred since the last full backup, and does not truncate the transaction logs. To restore from a differential backup, you must first restore the last full backup, and then the most current differential backup. The differential backup can give you a faster backup window, at the expense of capacity and restore time.

Supported Backup and Restore Methods

Legacy Streaming Backup: This method is used for Windows 2000 Server environments.

Legacy Streaming Restore: This method is used for Windows 2000 Server environments.

Volume Shadow Copy Service (VSS):

o VSS Backup: Use a full, copy, differential, or incremental backup type for the entire server or single storage group.

o VSS Recovery occurs in one of two ways:

▪ Roll-forward Recovery: A roll-forward recovery is a recovery to the


▪ Point-in-time Recovery: A point-in-time recovery is a recovery only of the data in the last backup.”

From Microsoft Tech Net: Database Backup and Restore

Symantec’s BESR is Volume Shadow Copy Service (VSS) Aware

Below is a closer examination of how BESR adheres to Microsoft’s best practices through its utilization of VSS functionality.

Microsoft’s Best Practices state the following:

“A provider can execute shadow copy requests in many different ways. Although the Exchange writer is not aware of how the provider is creating a shadow copy, make sure that you understand how the provider for your solution works so that you can plan for performance and capacity. Although no industry-standard definition or naming convention for shadow copy backup methods exists, the large majority of backup methods can be broadly categorized as either clone shadow copies or snapshot shadow copies. VSS is a set of COM APIs that implements a framework that enables volume backups to be performed while applications on a system continue to write to the volumes. Requestors, writers, and providers communicate in the VSS framework to create and restore volume shadow copies. A shadow copy of a volume duplicates all the data held on that volume at one well-defined instant in time.

Windows Backup does not support application-specific writers. Therefore, to perform Exchange-aware VSS backups, organizations must use non-Microsoft backup applications. A non-Microsoft backup application might implement an integrated requestor and provider, or it might implement a requestor that can interact with multiple providers.”

From Microsoft Tech Net: Best Practices for Using Volume Shadow Copy Service with Exchange Server 2003

BESR is a VSS-aware solution that uses the VSS APIs, which gives faster backups and allows more data to be backed up and restored in a typical backup window than a traditional streaming online backup solution can handle.

How BESR Works With VSS

There are three communicators in a VSS framework: Requestor, Writer, and VSS Service.

BESR is the requestor. It controls backup and restore processes and instructs the writer to prepare a dataset for backup. When all is ready, a requestor instructs the creation of a snapshot. When the backup is complete, the requestor (BESR) instructs the writer to continue with the function.

A valuable VSS command is: vssadmin list writers. This command lists the subscribed volume shadow copy writers.
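As an added example (not part of the Symantec document), the following Python sketch parses the text printed by vssadmin list writers and reports anything that should stop a backup job from starting. The sample output is constructed, its GUIDs are placeholders, and the assumption that the Active Directory writer on a Windows Server 2003 domain controller is listed under the name 'NTDS' is the example's own.

```python
import re

# Constructed sample of `vssadmin list writers` output; the GUIDs are placeholders.
SAMPLE_OUTPUT = """\
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001 Microsoft Corp.

Writer name: 'System Writer'
   Writer Id: {00000000-0000-0000-0000-000000000001}
   Writer Instance Id: {00000000-0000-0000-0000-0000000000a1}
   State: [1] Stable
   Last error: No error

Writer name: 'NTDS'
   Writer Id: {00000000-0000-0000-0000-000000000002}
   Writer Instance Id: {00000000-0000-0000-0000-0000000000a2}
   State: [7] Failed
   Last error: Timed out
"""

WRITER_RE = re.compile(r"^Writer name:\s*'(?P<name>[^']*)'", re.MULTILINE)
FIELD_RE = re.compile(
    r"^[ \t]+(?P<key>State|Last error):[ \t]*(?P<value>.*?)[ \t\r]*$",
    re.MULTILINE,
)
STATE_RE = re.compile(r"\[(\d+)\]\s*(.*)")


def parse_writers(text):
    """Split the listing into one record per writer with its state and last error."""
    writers = []
    headers = list(WRITER_RE.finditer(text))
    for i, header in enumerate(headers):
        # A writer's fields run from its header to the next header (or end of text).
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        block = text[header.end():end]
        fields = {m.group("key"): m.group("value") for m in FIELD_RE.finditer(block)}
        state = STATE_RE.match(fields.get("State", ""))
        writers.append({
            "name": header.group("name"),
            "state_code": int(state.group(1)) if state else None,
            "state": state.group(2) if state else fields.get("State", ""),
            "last_error": fields.get("Last error", ""),
        })
    return writers


def backup_blockers(text, required=("NTDS",)):
    """Return human-readable reasons not to start the backup (empty list = go)."""
    writers = parse_writers(text)
    registered = {w["name"] for w in writers}
    problems = [
        f"required writer {name!r} is not registered"
        for name in required if name not in registered
    ]
    for w in writers:
        if w["state"] != "Stable" or w["last_error"] != "No error":
            problems.append(
                f"writer {w['name']!r}: state {w['state']!r}, "
                f"last error {w['last_error']!r}"
            )
    return problems


if __name__ == "__main__":
    for line in backup_blockers(SAMPLE_OUTPUT) or ["all writers stable"]:
        print(line)
```

On a real domain controller the text passed to backup_blockers would be the captured output of the command itself, collected before the backup job runs.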


that normal function can be resumed. The writer then typically sends out the command, which truncates any transaction logs (if needed) and resumes.

BESR Recommendations

Successful backup and recovery operations with BESR can be ensured with attention to detail. The following are recommendations to help ensure success:

• The Domain Controller backup image or recovery point cannot be older than the Tombstone Lifetime (the number of days before a deleted object is removed from the directory services). This assists in removing objects from replicated servers and preventing restores from reintroducing a deleted object. This value is stored in the Directory Service object in the configuration naming context (NC). For Windows Server 2000 and 2003, the default Tombstone Lifetime is 60 days. Active Domain images should be taken frequently (more than once a month).
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/a_tombstonelifetime.asp

• The backup image or recovery point of a Domain Controller cannot be older than two times the maximum machine account password age. A maximum password age determines the number of days a password can be used before the system requires it to be changed. By default, this setting is defined in the Default Domain Group Policy Object (GPO) and in the local security policy of workstations and servers with a value of 30.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/501.asp also see KB 175468

• Newly-promoted Domain Controllers use a default machine account for the first few hours while they establish a valid unique machine account. Allow the Active Directory Domain Controller to run for at least 24 hours prior to taking the first backup image or recovery point to ensure the machine account has been properly established.

• Check a newly-promoted or a restored Domain Controller for consistency before creating the first backup. Symantec support can provide more information on performing this check.

• An image or recovery point of all the active disk volumes on a Domain Controller must be created and restored at the same time to preserve the synchronization of the Domain Controller’s data. To do so, select all the Domain Controller’s volumes when creating the backup schedule job.

• In a server forest environment, when restoring a tree or the entire forest be sure to restore from the top down to maintain domain integrity.

• When performing a legacy backup and restore (Windows 2000 Server) utilize the integration of
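The age and completeness rules in the recommendations above can be applied as a gate before a restore. This added example (not Symantec code) uses a hypothetical record layout for recovery points, constructed sample dates, and the defaults quoted above (60-day Tombstone Lifetime, 30-day maximum machine account password age) as parameters to be replaced with the values read from the directory and the domain policy.

```python
from datetime import datetime, timedelta


def restore_blockers(point, now, dc_volumes, promoted_at,
                     tombstone_days=60, max_machine_pwd_age_days=30):
    """Return the reasons a recovery point must not be restored (empty = usable)."""
    reasons = []
    age = now - point["captured"]
    if age > timedelta(days=tombstone_days):
        reasons.append("older than the tombstone lifetime")
    if age > timedelta(days=2 * max_machine_pwd_age_days):
        reasons.append("older than twice the maximum machine account password age")
    if point["captured"] - promoted_at < timedelta(hours=24):
        reasons.append("captured less than 24 hours after promotion")
    # Every active volume of the domain controller must be in the same image set.
    missing = sorted(set(dc_volumes) - set(point["volumes"]))
    if missing:
        reasons.append("volumes missing from the image set: " + ", ".join(missing))
    return reasons


def newest_restorable(points, **context):
    """Pick the most recent recovery point that passes every rule, or None."""
    usable = [p for p in points if not restore_blockers(p, **context)]
    return max(usable, key=lambda p: p["captured"], default=None)


# Constructed sample data: one domain controller with volumes C: and D:.
CONTEXT = dict(
    now=datetime(2007, 6, 30, 12, 0),
    dc_volumes=("C:", "D:"),
    promoted_at=datetime(2007, 3, 1, 9, 0),
)
POINTS = [
    {"name": "rp-2007-03-01", "captured": datetime(2007, 3, 1, 20, 0),
     "volumes": ["C:", "D:"]},   # taken 11 hours after promotion, and too old
    {"name": "rp-2007-04-15", "captured": datetime(2007, 4, 15, 2, 0),
     "volumes": ["C:", "D:"]},   # 76 days old
    {"name": "rp-2007-06-10", "captured": datetime(2007, 6, 10, 2, 0),
     "volumes": ["C:", "D:"]},   # 20 days old, complete
    {"name": "rp-2007-06-25", "captured": datetime(2007, 6, 25, 2, 0),
     "volumes": ["C:"]},         # newest, but D: was not imaged
]

if __name__ == "__main__":
    for p in POINTS:
        print(p["name"], restore_blockers(p, **CONTEXT) or "usable")
    print("restore from:", newest_restorable(POINTS, **CONTEXT)["name"])
```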


Windows 2003 Active Directory Domain Controllers and Restore Anyware

A Domain Controller running on Windows Server 2003 with VSS (Volume Shadow Copy Service) enabled can be backed up and restored to dissimilar hardware using Backup Exec System Recovery. Backup Exec System Recovery interacts with the VSS service to prepare the domain controller and the Active Directory database to be backed up. Running with VSS disabled is not supported and will cause Domain Controller failures upon restoration.

Microsoft specifically states that there are two methods for an Active Directory aware application to back up a domain controller:

1. Use the legacy APIs (i.e. Ntbackup)

2. Use the VSS APIs to flag the Active Directory as a backup copy, causing it to request a new invocation ID upon restoration

BESR uses method two for Windows Server 2003 with VSS.

http://support.microsoft.com/kb/875495/en-us

Backup Exec System Recovery (BESR) Supports Windows 2000 Active Directory Domain Controllers

Introduction

Symantec Backup Exec System Recovery (BESR) supports backing up and restoring Windows 2000 Active Directory Domain Controllers. This document describes best practices and procedures for preparing an Active Directory database to be backed up using BESR, and proper procedures after the backup has been restored to ensure the domain controller is healthy.

Microsoft specifically states that there are two methods for an Active Directory aware application to back up a domain controller:

1. Use the legacy APIs (i.e. Ntbackup)

2. Use the VSS APIs to flag the Active Directory as a backup copy, causing it to request a new invocation ID upon restoration

We recommend using method one when using Backup Exec System Recovery to back up a Windows 2000 Active Directory Domain Controller, as Windows 2000 is not VSS-aware.

Windows 2000 Active Directory Domain Controllers and Restore Anyware

Backup Exec System Recovery version 7.0 now fully supports using the Restore Anyware feature on Windows 2000 Active Directory domain controllers. Additional features have been added to Backup Exec System Recovery 7.0 to support the Restore Anyware feature on Windows 2000 Active Directory domain controllers. These new features, along with some additional steps that this document will outline, allow us to correctly restore a Windows 2000 Active Directory domain controller to dissimilar hardware


For instructions on restoring an image of a Windows 2000 Active Directory domain controller to a hardware configuration that is different than the configuration from which the recovery point was generated, please see the section below titled “Restoring a Windows 2000 Domain Controller to Dissimilar Hardware”.

Imaging a Windows 2000 Server Active Directory Domain Controller

When imaging a Windows 2000 domain controller, it is important that the backup data for all Active Directory volumes be captured from the same moment in time. This is the default snapshot behavior for Backup Exec System Recovery, as long as all Active Directory volumes are included in the backup job. In the “Drives” section of the configure jobs wizard, be sure to select all Active Directory volumes.

When creating a backup job for the Windows 2000 Active Directory Domain Controller, keep in mind that under Windows 2000, the Active Directory database (and other system state objects) should be backed up by Microsoft’s Ntbackup tool before the backup is created. To do this within a BESR backup job, create a batch file to run Ntbackup at the beginning of the backup operation. For example, the batch file might be called ntbackup.bat. Place the batch file in the command files directory, which by default is “C:\Program Files\Symantec\Backup Exec System Recovery\Agent\CommandFiles”. The batch file should contain the following line:

ntbackup backup systemstate /f c:\systemstate.bkf

At the “Command Files” section of the backup job wizard, select the batch file you created (for example, ntbackup.bat) to execute the Ntbackup process in the “Before data capture” field, which designates the batch file to run before the volume snapshots are taken.


The Backup Exec System Recovery job will now back up your Active Directory Domain Controller, having properly prepared the Active Directory database and other system state objects.

Restoring a Windows 2000 Active Directory Domain Controller

To restore a backup of a Windows 2000 Active Directory Domain Controller created with Backup Exec System Recovery, start by restoring each volume from its corresponding image file (as noted earlier, when multiple volumes are included in a backup job, each is stored in a separate image file) from the Symantec Recovery Disk (SRD). No special steps need to be taken during this portion of the restore. If you have questions on how to do this, consult your Backup Exec System Recovery documentation.

Non-Authoritative Restore of an Active Directory Domain Controller

After the images of the volumes have been restored, a non-authoritative restoration of the Active Directory database and other system state objects needs to be run before booting the server into normal mode. To do a “non-authoritative restoration” of an Active Directory Domain Controller’s system state, perform the following steps in each volume being restored that contains Active Directory.

1. Reboot the system into Directory Services Restore Mode by pressing the F8 key upon system startup and selecting “Directory Services Restore Mode”.

2. Log in as Administrator (local system account, no domain selection is available).

3. Plug and Play may detect new devices during this process. Cancel as each device is found.

4. To apply the backed up system state to the server, perform the following steps:


b. Start the “Restore Wizard” and click the Import File button.

c. Select the system state backup file (c:\systemstate.bkf) and click OK.

d. Select the “System State” under “What to Restore”, and then click Next.

e. Click Finish to restore the system state.

f. Once completed a report dialog is displayed; click Close and reboot the server.

The domain controller may now reboot into normal mode. The domain controller should connect back to the domain and Active Directory should be operating correctly.

Restoring the Forest Root Domain Controller

In special cases, it may be necessary to restore an entire domain. This requires that the forest root domain controller be restored first. After the images of the volumes have been restored, you can restore the forest root domain controller by performing the following steps:

1. Reboot the system into Directory Services Restore Mode by pressing the F8 key upon system startup and selecting “Directory Services Restore Mode”.

2. Log in as Administrator (local system account, no domain selection is available).

3. Plug and Play may detect new devices during this process. Cancel as each device is found.

4. A prompt to reboot may appear. Do not reboot at this time.

5. Perform the following steps:

a. Select Start > Programs > Accessories > System Tools > Backup

b. Select the “Restore” tab

c. Drill-down until you see the option to select “System State” and select it.

d. At the bottom right of the window, select “Start Restore”.

e. In the confirm restore dialogue, select “Advanced”.

f. Select the option “When restoring replicated data sets, mark the restore data as primary for all replicas”.

g. Select “Okay” and restore the system state.

The domain controller may now be rebooted into normal mode.


Note: The steps below describe performing a non-authoritative restore of a Windows 2000 domain controller using Restore Anyware. If the server in question is the forest root domain controller and the entire domain is down (or if the entire domain is being migrated), please reference the steps in the previous section for restoring the forest root domain controller.

Non-Authoritative Restore of an Active Directory Domain Controller to Dissimilar Hardware

After the images of the volumes have been restored, a non-authoritative restoration of the Active Directory database and other system state objects needs to be run before booting the server into normal mode. To do a “non-authoritative restoration” of an Active Directory Domain Controller’s system state, perform the following steps in each volume being restored that contains Active Directory.

1. Reboot the system into Directory Services Restore Mode by pressing the F8 key upon system startup and selecting “Directory Services Restore Mode”.

2. Log in as Administrator (local system account, no domain selection is available).

3. Plug and Play may detect new devices during this process. Cancel as each device is found.

4. To apply the backed up system state to the server, perform the following steps:

a. Open the Ntbackup graphical user interface (Start > Run > ntbackup).

b. Start the “Restore Wizard” and click the Import File button.

c. Select the system state backup file (c:\systemstate.bkf) and click OK.

d. Select the “System State” under “What to Restore”, and then click Next.

e. Click Finish to restore the system state.

f. Once completed a report dialog is displayed; click Close.

5. Run a necessary cleanup batch file by doing the following:

a. Reboot the server using Symantec Recovery Disk CD.

b. Open a command shell window (click the “Analyze” tab, then choose “Open Command Shell Window”).

c. At the command window prompt, change to the drive that represents the Windows system volume (usually C:\).

d. At the root of the drive, type the following: insertbootfiles.bat

e. Remove the Symantec Recovery Disk CD and reboot the server.

6. Once the server has rebooted into normal mode, allow plug-n-play services to install all appropriate device drivers. In most cases, the reboot required to finish driver installation can be postponed until the entire plug-n-play process has finished. Network and mass storage controller drivers may be found in the C:\Drivers directory.


b. Type the following command and then press Enter:

set devmgr_show_nonpresent_devices=1

c. Type the following command and then press Enter:

start devmgmt.msc

d. At the Device Manager window, from the top menu click View > Show hidden devices.

e. In the Device Manager tree view, expand Network Adapters.

f. Right-click any grayed-out network adapters and choose Uninstall.

g. Device Manager and any open command shell windows may now be closed.

8. Restore original network adapter configuration by doing the following:

a. Open a new command shell window and navigate to the root of the Windows system volume (usually C:\).

b. Type the following command and press Enter (note that this command does not execute the specified batch file, but only displays the contents of the batch file to screen):

type ranicsettings.bat

c. Make note of the network connection name listed in the batch file.

d. Open the Windows dialogue for Network Connections by selecting Start > Settings > Network Connections > Open.

e. Right-click the active network connection and select Rename. Rename the connection to match the network connection name noted in step 8c above.

f. Disable any inactive network connections and then close the Network Connections window.

g. At the command shell window opened in step 8a, type the following command (we are now executing the batch file):

ranicsettings.bat

9. Remove unneeded default DNS entries by doing the following:

a. Open the Windows dialogue for Network Connections by selecting Start > Settings > Network Connections > Open.

b. Select the active network connection and press Enter.

c. Select Internet Protocol (TCP/IP) > Properties > Advanced > DNS.


10. The server may now be rebooted into normal mode.

It is recommended that the Windows 2000 domain controller be allowed to run for 24 hours in order to allow replication and other domain services to sync properly.

Summary

This review reveals the true message within Microsoft's Best Practices publications and shows that Symantec Backup Exec™ System Recovery is a valid solution for the backup and recovery of Windows 2003 and Windows 2000 Active Directory Domain Controllers.

BESR follows the best practices and recommended procedures as referenced from Microsoft Knowledge Base and Tech Net (such vigilance is necessary to ensure clarification of conflicting messages surrounding this subject).

• Backup Exec System Recovery 7.0 can be used to back up and restore a Windows 2000 or 2003 Active Directory Domain Controller to its original hardware configuration or to a dissimilar hardware configuration using the Restore Anyware feature of BESR.

• Consumer products designed for desktop and workstation environments should not be used in server environments.

Contributors: Stephen Curt, Val Arbon, Bob Brower
