Backup and Recovery: Disk imaging, Domain Controllers, Active Directory and USN Rollback

This information is included in the DeltaV Backup and Recovery documentation but is worth pointing out here as well.

A domain controller running Windows Server 2003, Windows Server 2008, or Windows Server 2012 relies on Active Directory, the directory service that stores and enforces security policies and authenticates users and computers in the domain. Each domain controller numbers every change it writes to its copy of the Active Directory database with a monotonically increasing Update Sequence Number (USN), and its replication partners remember the highest USN they have already received from it to decide which changes they still need. If a domain controller is restored from a disk image or any other backup that Active Directory does not recognize as a supported restore, its USN counter drops back to the value at backup time while its invocation ID (the identity partners use to track it) stays the same. Partners then assume they already hold everything up to the USNs the restored controller now reuses, so changes made on it after the restore never replicate, and changes that were made elsewhere in the meantime may never reach it. This condition is called a USN rollback.

Some precautions are recommended to avoid a USN rollback when recovering a domain controller or its Active Directory database. At a minimum, take the following precautions when backing up a domain controller:

  • In the backup plan you create to back up a domain controller, select the Use Volume Shadow Copy Service (VSS) option and set the snapshot provider to Software – System provider.
  • Back up the domain controller at least twice within the Active Directory tombstone lifetime, that is, no less frequently than every half tombstone lifetime.
    For example, with the 60-day default tombstone lifetime of a forest created on Windows 2000 or Windows Server 2003 RTM, back up the domain controller at least once a month. Forests created on Windows Server 2003 SP1 or later default to 180 days; check the tombstoneLifetime attribute of your forest rather than assuming either value, and never restore a backup older than the tombstone lifetime.

  • Create a backup immediately after any of the following events:
    • Moving the Active Directory database and/or log to a different location
    • Upgrading the operating system or installing a service pack on a domain controller
    • Installing a hotfix that changes the Active Directory database
    • Changing the Active Directory tombstone lifetime administratively
  • Do not specify any of the Active Directory database files (.dit, .chk, .log) in the list of files to exclude from a backup.
  • When recovering a backup file with selected drives (usually the C: and D: drives for DeltaV), select Volume in the recovery plan and include the Master Boot Record (MBR). If recovering a backup file with all drives, select Disk in the recovery plan.
  • After recovering a ProfessionalPLUS workstation configured as a domain controller, perform Active Directory replication from the currently active domain controller (one that was not recovered) to the ProfessionalPLUS workstation.
  • For new user accounts that were not included in the backup file, start User Manager and enable the DeltaV Database Account option.
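The following script is an added example, not part of the DeltaV documentation or the DeltaV product, showing the checks a practitioner would run around the procedure above on the domain controller itself: read the forest's tombstone lifetime and derive the maximum backup interval, show when Active Directory last recorded a backup, test the recovered domain controller for the USN rollback markers that NTDS sets (Directory Service event 2095 and the "Dsa Not Writable" registry value), and only if those are absent pull replication from the healthy domain controller. It assumes the ActiveDirectory PowerShell module and repadmin.exe are installed on the domain controller and that the healthy domain controller's name is passed in; DC01 is a placeholder, not a name from the page. The DeltaV-specific User Manager step has no PowerShell equivalent and is not scripted.

```powershell
# Added example; not DeltaV code. Run in an elevated PowerShell session on the
# recovered domain controller. $HealthyDC is an assumed name: pass the domain
# controller that was NOT recovered from backup.
param(
    [string]$HealthyDC   = 'DC01',
    [string]$RecoveredDC = $env:COMPUTERNAME
)

Import-Module ActiveDirectory

# 1. Tombstone lifetime -> maximum backup interval (half the lifetime).
#    The attribute lives on the Directory Service object in the Configuration NC.
#    An absent value means the forest uses the old default of 60 days.
$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                         -Properties tombstoneLifetime
$tsl = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }
$maxBackupAgeDays = [math]::Floor($tsl / 2)
Write-Host "Tombstone lifetime: $tsl days; back up at least every $maxBackupAgeDays days."

# 2. When did Active Directory last see an AD-aware backup of each naming context?
#    repadmin /showbackup reads the dSASignature attribute; a disk image taken
#    without VSS does not update it, which is itself a warning sign.
repadmin /showbackup

# 3. USN rollback markers. NTDS writes event 2095 and sets "Dsa Not Writable" = 4
#    under the NTDS parameters key when it detects that its USN went backwards
#    while its invocation ID stayed the same.
$ntdsParams     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dsaNotWritable = (Get-ItemProperty -Path $ntdsParams -Name 'Dsa Not Writable' `
                                    -ErrorAction SilentlyContinue).'Dsa Not Writable'
$rollbackEvent  = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095 } `
                               -MaxEvents 1 -ErrorAction SilentlyContinue

if ($dsaNotWritable -eq 4 -or $rollbackEvent) {
    Write-Warning "USN rollback detected on $RecoveredDC. Do not force replication."
    Write-Warning "NTDS has disabled inbound and outbound replication on this controller;"
    Write-Warning "demote it and re-promote it, or redo the recovery with a supported AD-aware restore."
    if ($rollbackEvent) { $rollbackEvent | Format-List TimeCreated, Message }
    exit 1
}

# 4. No rollback markers: pull every naming context from the healthy controller
#    into the recovered one, then display the resulting inbound replication status.
$namingContexts = @(
    $rootDse.defaultNamingContext,
    $rootDse.configurationNamingContext,
    $rootDse.schemaNamingContext
)
foreach ($nc in $namingContexts) {
    Write-Host "Replicating $nc from $HealthyDC to $RecoveredDC"
    repadmin /replicate $RecoveredDC $HealthyDC $nc
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "repadmin /replicate failed for $nc (exit code $LASTEXITCODE)"
    }
}
repadmin /showrepl $RecoveredDC
```

If step 3 fires, the correct response is the one the warning prints; forcing replication with `/force` or clearing the registry value by hand does not repair the divergence and re-enables a controller that the rest of the domain will silently ignore. Run step 4 only after the rollback check passes, and keep the `repadmin /showrepl` output with the recovery record so that later replication failures can be dated.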