Thursday, August 28, 2008

Active Directory Restore Fun

This adventure all began with testing out a remote access application. In my earlier experience testing a previous version of this application, it pulled a local copy of my Active Directory users and groups during initial setup, which then had to be pruned down to those who actually needed remote access. After setting up the most recent version, I promptly began pruning the users and groups shown in the application down to the appropriate list - then the phone rang.... Needless to say, the current version of the application was directly accessing AD, not just for authentication but to maintain its user list - the same list I had been actively pruning.

This was not the best situation. No fear - there are backups for exactly this sort of situation. But even with backups, restoring AD is not a two-clicks-and-it's-done operation. This isn't a story about "Oh no, the backups are junk" or about backup schedule philosophies, but I will quickly comment on the merits of Disk-to-Disk-to-Tape backups: both backups and restores are fast. Back to AD. My AD landscape is fairly simple: a single physical site, three DCs, and a relatively small database.

I don't carry any MCxx certifications and, thankfully, the need to perform this type of operation is not a common thing. Between the MS Support Knowledge Base articles and the documentation in my backup software, the AD restore operation was smooth.

I had restored a DC in a VMware test environment before, but that was a single-DC configuration, which changes things a bit. Aside from not realizing up front how the remote access application integrated with AD, the following lessons can be taken away:
1) If at all possible, have a test environment similar to production - and try these things out.
2) Have knowledge of the procedures, or know how to find it - quickly.
3) Take a deep breath when these things happen - think quickly, act thoughtfully.
4) The adage of one application to one server is priceless in restore situations.
5) Having multiple DCs, even in a small environment, helps keep things moving along.

[Update on Backup / Restore resources]
AD restore on Windows 2000 - also works for Server 2003 (MS Support KB)
Good notes on using NTBackup on DCs for backup / restore (MS Support KB)
I use Symantec Backup Exec in my environment, but NTBackup is fine for just a few systems.

Thanks for the comment, Matt, and good luck jumping into MS infrastructure (I'm a *nix guy by trade too).

Matt said...

Hi Jeff. Interesting article, and one that I'm fortunate enough to not have experience with yet. Of course, my AD infrastructure is about 2 weeks old ;-)

Any chance you could link to the backup / restore instructions you used? As a Linux guy, I'm confused and frightened by the Windows world, where I can't just swoop in and copy everything in /etc/ActiveDirectory.