
June 28th, 2016 08:00

Authoritative Restore on Domain Controller

I am using Avamar 7.2 and am curious about the process to perform an Authoritative Restore on a Domain Controller and Active Directory Domain Services.

All I read in the Windows Server Guide was that I need to use the Windows VSS plug-in to perform the backup. On the dataset I need to select VSS and, in the Options tab, clear the Create Disaster Recovery Backup checkbox. This then makes it possible to perform either authoritative or nonauthoritative restores.
I am already backing up my Domain Controller via VMware but that does not get VSS as we know, so I'd need to install the Avamar plug-in on the server and set up a new dataset for VSS and a backup job.

Is this all that is needed? Is Avamar application aware to know it's a Domain Controller? Authoritative Restores generally need a domain admin account, which is why I ask. We used to use Veeam before Avamar and Veeam had a check box to enable application-aware.

Thank you!

15 Posts

June 30th, 2016 02:00

Hi,

We have been investigating this as well recently.

The key is to boot the domain controller in the AD recovery Mode. The restore order is executed from the Backup & Restore console, so indeed the credentials question is valid. Supposedly the console will ask you for credentials when pointing the restore target. Could anyone confirm on this?

The "to know" question: you will not have AD as "source" on server different than domain controller, and yet - I suppose - only the agent booted in AD recovery mode will have Windows/VSS plugin accepting AD for restore.

We are arranging some "red tape" to do some valid tests of that, so still basing only on PDF knowledge.

58 Posts

July 18th, 2016 12:00

Anybody available to respond to a question regarding Authoritative Restore?

thanks!

19 Posts

July 18th, 2016 17:00

Hello Kay,

Is this all that is needed? Is Avamar application aware to know it's a Domain Controller?

(Pankaj) : Yes, that is all that is needed and we identify it as a DC based upon the Type of backup and Writers metadata.


Here is the info from our logs: As you can see, all important writers data is backed up in an AD Backup.


2016-07-19 16:11:40 avvss Info <8871>: Gathering writer metadata...

2016-07-19 16:12:04 avvss Info <15976>: Selecting only system components for writer: {2707761b-2324-473d-88eb-eb007a359533}

2016-07-19 16:12:04 avvss Info <15977>: Selecting writer component: {2707761b-2324-473d-88eb-eb007a359533}:\SYSVOL\488D1212-8AD9-442B-BB71-174B08D24A32-EB898F5F-2600-49FD-9269-7C052DF228C8

2016-07-19 16:12:04 avvss Info <8775>: Selecting system writers to back up...

2016-07-19 16:12:04 avvss Info <8779>: Writer with id {e8132975-6f93-4464-a53e-1050253ae220} will be backed up.

2016-07-19 16:12:04 avvss Info <8779>: Writer with id {afbab4a2-367d-4d15-a586-71dbb18f8485} will be backed up.

2016-07-19 16:12:04 avvss Info <8779>: Writer with id {75dfb225-e2e4-4d39-9ac9-ffaff65ddf06} will be backed up.

2016-07-19 16:12:04 avvss Info <8779>: Writer with id {d61d61c8-d73a-4eee-8cdd-f6f9786b7124} will be backed up.

2016-07-19 16:12:04 avvss Info <8779>: Writer with id {0bada1de-01a9-4625-8278-69e735f39dd2} will be backed up.

2016-07-19 16:12:04 avvss Info <8779>: Writer with id {542da469-d3e1-473c-9f4f-7847f01fc64f} will be backed up.

2016-07-19 16:12:04 avvss Info <8779>: Writer with id {b2014c9e-8711-4c5c-a5a9-3cf384484757} will be backed up.

==> NTDS

2016-07-19 16:12:04 avvss Info <8779>: Writer with id {2707761b-2324-473d-88eb-eb007a359533}:\SYSVOL\488D1212-8AD9-442B-BB71-174B08D24A32-EB898F5F-2600-49FD-9269-7C052DF228C8 will be backed up.

==>DFS Replication service writer

2016-07-19 16:12:04 avvss Info <8779>: Writer with id {2a40fd15-dfca-4aa8-a654-1f8c654603f6} will be backed up.

2016-07-19 16:12:04 avvss Info <8779>: Writer with id {59b1f0cf-90ef-465f-9609-6ca8b2938366} will be backed up.

2016-07-19 16:12:04 avvss Info <8779>: Writer with id {6f5b15b5-da24-4d88-b737-63063e3a1f86} will be backed up. ==>Certificate Authority

2016-07-19 16:12:04 avvss Info <8779>: Writer with id {4969d978-be47-48b0-b100-f328f07ac1e0} will be backed up.

2016-07-19 16:12:04 avvss Info <8779>: Writer with id {a6ad56c2-b509-4e6c-bb19-49d8f43532f0} will be backed up.

2016-07-19 16:12:04 avvss Info <8779>: Writer with id {5382579c-98df-47a7-ac6c-98a6d7106e09} will be backed up.


Once the backup completes, you can open the Backup and Restore Window and you should see something like this:


[Screenshot: AD_restore.png]


Let me know if you have any further questions.

Hope that answers your query. If yes, please mark the question as "Answered".
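An added example, not part of the original thread and not Avamar code: a small parser for the avvss log lines quoted in the reply above, reporting which of the three writers annotated there (NTDS, DFS Replication, Certificate Authority) were selected. Treating the presence of the NTDS writer as the sign that the backup holds Active Directory is an assumption of this example, and the sample log is constructed from lines in that excerpt.

```python
import re

# Writer IDs and names exactly as annotated in the log excerpt above.
ANNOTATED_WRITERS = {
    "b2014c9e-8711-4c5c-a5a9-3cf384484757": "NTDS",
    "2707761b-2324-473d-88eb-eb007a359533": "DFS Replication service writer",
    "6f5b15b5-da24-4d88-b737-63063e3a1f86": "Certificate Authority",
}

# Matches the <8779> "will be backed up" lines; a component path after the GUID is optional.
SELECTED = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} avvss Info <8779>: Writer with id "
    r"\{(?P<guid>[0-9a-fA-F-]{36})\}(?::(?P<component>\S+))? will be backed up\."
)

def selected_writers(log_text):
    """Return {guid: component_or_None} for every writer the log says will be backed up."""
    found = {}
    for line in log_text.splitlines():
        m = SELECTED.match(line.strip())
        if m:
            found[m.group("guid").lower()] = m.group("component")
    return found

def summarize(log_text):
    """Summarize selected writers; has_ntds is this example's assumed 'AD is in the backup' signal."""
    found = selected_writers(log_text)
    names = sorted(ANNOTATED_WRITERS[g] for g in found if g in ANNOTATED_WRITERS)
    return {
        "writer_count": len(found),
        "annotated": names,
        "has_ntds": "NTDS" in names,
        "unannotated": sorted(g for g in found if g not in ANNOTATED_WRITERS),
    }

# Constructed sample: lines taken from the excerpt above, including a trailing annotation.
SAMPLE_LOG = """\
2016-07-19 16:11:40 avvss Info <8871>: Gathering writer metadata...
2016-07-19 16:12:04 avvss Info <8779>: Writer with id {e8132975-6f93-4464-a53e-1050253ae220} will be backed up.
2016-07-19 16:12:04 avvss Info <8779>: Writer with id {b2014c9e-8711-4c5c-a5a9-3cf384484757} will be backed up.
2016-07-19 16:12:04 avvss Info <8779>: Writer with id {2707761b-2324-473d-88eb-eb007a359533}:\\SYSVOL\\488D1212-8AD9-442B-BB71-174B08D24A32-EB898F5F-2600-49FD-9269-7C052DF228C8 will be backed up.
2016-07-19 16:12:04 avvss Info <8779>: Writer with id {6f5b15b5-da24-4d88-b737-63063e3a1f86} will be backed up. ==>Certificate Authority
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run against the avvss log of each DC's VSS backup, this shows at a glance whether a given backup includes the NTDS writer before it is relied on for an Active Directory restore.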

58 Posts

July 19th, 2016 07:00

Thanks for that explanation Pankaj_pande, it was very helpful! I do see in my VSS backup of my 2 production Domain Controllers, the Active Directory on one DC and BOTH the Active Directory and Certificate Authority on my other Domain Controller server. I believe the FSMO roles are split between the 2.

Is there a best way or best practice to test this Authoritative Restore (and how)?

Thank you again!

19 Posts

July 19th, 2016 11:00

For all testing, I would suggest to get all this testing done in an isolated environment.

As per the best practice, it is good to have two backups from a DC.

a) Bare Metal (BMR) (DR Backup) (Offline)

b) Non-DR / Online Restore (Unchecking DR checkbox) (Online)

Steps to perform restore:

1) (For Total DR) Perform the Bare Metal Recovery as per "Restoring the computer to its original System State" section of our PDF to get OS and AD files to be restored.

2) (To restore AD specific components) Follow "Active Directory recovery" section of our PDF to continue with AD restore.

If you follow along those sections with screenshots, you should be able to test this out without any issues.

58 Posts

August 18th, 2016 07:00

Which PDF document are you referring to? Administration Guide or another?

Also, the issue is restore process. Our System State backup is done via the Windows Client plug-in and our main backup of the server is done via VMware plug-in, as the domain controller is a VM.

We've created a bubble environment in our vcenter and restored the DC system. The issue is the System State. How do we restore that backup to that VM in order to boot in AD recovery mode and simulate an Authoritative Restore? I'm not able to restore the System State, backed up with local client plug-in, to the VM.

19 Posts

August 18th, 2016 09:00

I was referring to the Windows Server User Guide.

Another thing, assuming that you are using Win 2k8R2 and above as a DC, you would have to use the Windows VSS plugin to backup the DR and non-DR backup of the DC. You can't use Filesystem plugin to backup system state of Win2k8R2 and above. It is only for Win 2k3.

Once you are done with the DR and Non-DR backup of the DC, you can first perform the BMR of the DC Machine and then perform the Auth Restore. All this information is mentioned in Windows Server User Guide.

Also, backing up DC VM as Image Backup will be a different approach to have DR solution for DC.

58 Posts

August 18th, 2016 13:00

Our Domain Controller is a Virtual Machine.

We are backing up the System State using Windows VSS plugin.

We are backing up the VM through Windows VMware Image plugin (through vcenter integration).

They are 2 separate backup jobs using 2 different plug-in types.

How would we go about testing an Authoritative Restore in this case? I'll check out the Windows Server User Guide in case this is in there.

Thank you!
