VSS Backup and Restore of the Active Directory (Windows)

Switch View

VSS Backup and Restore of the Activ...

VSS Backup and Restore of the Active Directory

The Active Directory writer requires no special actions during backup operations. The writer will provide the requester with component and file set information, and the requester uses that information to decide which files to copy to backup media. There is no need to use any special APIs to back up the Active Directory.

How a restore is performed depends on whether the Active Directory is be restored as part of a disaster recovery operation, or if the restore is to a system on which the Active Directory is running. In addition, the age of the backup copy of the Active Directory state may be an issue because of Active Directory tombstones.

Active Directory Restoration following Disaster Recovery

Following a crash requiring disaster recovery, the Active Directory can be restored as part of the restoration of the operating system state.

This restore operation is essentially a writerless restore.

Active Directory Restoration on the System where It Is Running

The system must be rebooted in Directory Services Restore mode if the Active Directory is currently running on the server.

The operating system will then be running without the Active Directory, and all user validation occurs through the Security Accounts Manager (SAM) in the registry. Only the administrator has permission to recover the Active Directory.

Once in Directory Service Restore mode, a VSS restore can proceed normally. There is no reason to use non-VSS Win32 Active Directory APIs to restore the Active Directory state.

Active Directory Restores and Active Directory Tombstones

Any recovery plan should ensure that the age of the backup should not exceed the Active Directory Tombstone Lifetime (default is 60 days).

Restoration of a backup older than the tombstone will cause a domain controller to have objects that are not replicated to the other servers.

Those objects that are not replicated will not be deleted automatically on that (restored) domain controller because the tombstones of those objects on the other replicas have already been deleted.

An administrator will have to manually delete each of the objects on the restored domain controller that are not replicated. Incremental backups of the Active Directory are not supported; a full backup is required.

Send comments about this topic to Microsoft

Build date: 10/29/2009

Tags

: Add a tag

Community Content

Add new content

Annotations

SYSVOL Restore

harsha_shaha ... Diane Olsen - MSFT | Edit | Show History

How does Primary restore of SYSVOL should be handled? What should be value of BurFlags?

[Noelle Mallory - MSFT] Please post questions to the MSDN Forums at http://forums.microsoft.com/msdn. You will likely get a quicker response through the forum than through the Community Content.

[Harsha] I posted the question on MSDN site but didn;t get any answer until now. I am not getting any help/ans from anywhere. Even I tried support.microsoft.com but its not working.

[vova tregub] on a single domain controller or on the first one to restore sysvol you need to set D4 flag.
1. net stop ntfrs
2. set registry flag to D4
3. net start ntfrs
4. should be ok

[Diane - MSFT] SYSVOL is covered here: http://msdn.microsoft.com/en-us/library/cc507518.aspx.