Microsoft Doesn't Support IMAGING of Domain Controllers!!

Discussion in 'Acronis True Image Product Line' started by jeremyotten, Sep 7, 2005.

Thread Status:
Not open for further replies.
  1. jeremyotten

    jeremyotten Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    684
    Acronis Help!

    I called Microsoft and they say they don't support Imaging of a Domain Controller. Could you please confirm this? Don't you guys support this?

    Microsoft said they only support products like Veritas and Arcserve backup.

    Thanx in Advance
    Jeremy Otten
    Netherlands
     
  2. Acronis Support

    Acronis Support Acronis Support Staff

    Joined:
    Apr 28, 2004
    Posts:
    25,885
    Hello jeremyotten,

    Thank you for your interest in Acronis Server Disk Backup Software.

    Yes, we do support imaging of a Domain Controller.

    I recommend that you use Acronis True Image Server 8.0 for Windows or Acronis True Image Enterprise Server 8.0 to back up your Domain Controller.

    Please be aware that if you want to back up an Active Directory server, you should stop the ntfrs and netlogon services either manually or using the database support feature implemented in Acronis True Image Enterprise Server (read more in section 5.11 of Acronis True Image Enterprise Server 8.0 User's Guide).

    Before you start the backup:

    - net stop ntfrs
    - net stop netlogon

    After the snapshot has been created:

    - net start ntfrs
    - net start netlogon

    You may also want to read the following extracts from the Active Directory Operations Guide by Microsoft:

    Start the File Replication Service

    Use this procedure to restart the File Replication service and review the FRS event log to ensure that the restart succeeded.

    Credentials: Domain Admins
    Tools: Net.exe, Event Viewer

    To start the File Replication service:

    - At a command prompt, type net start ntfrs and press ENTER.
    - You can use Event Viewer to verify that NTFRS restarted correctly. Event ID 13501 indicates that the service restarted. Look for event ID 13516 to verify that the domain controller is running and ready for service. If you moved SYSVOL to a new location or relocated the Staging Area folder, look for event IDs 13553 and 13556, which indicate success.

    Stop the File Replication Service

    Use this procedure to stop the File Replication service:

    Requirements:

    Credentials: Domain Admins
    Tools: Net.exe

    To stop the File Replication service:

    - At a command prompt, type net stop ntfrs and press ENTER.

    Stop the Net Logon Service

    Use the command line to stop the Net Logon service. If you are not logged on to the domain controller, you must use Terminal Services to perform this command.

    Requirements:

    Credentials: Domain Admins
    Tools: Active Directory Sites and Services (Administrative Tools)

    To stop the Net Logon service:

    - Open a command prompt, type the following command, and then press ENTER: net stop netlogon

    I would also recommend that you download and install the free trial version of Acronis True Image Enterprise Server 8.0 or the free trial version of Acronis True Image Server 8.0 for Windows to see how the software works on your computer.

    You can find more information on how to use these products in the respective User's Guides.

    Please visit the Acronis online store to purchase the full versions of these products.

    Please also note that we have a flexible system of discounts and the amount of the discount varies depending on the number of copies you want to purchase.

    In case you are planning to purchase many copies, please contact our Sales Team at sales@acronis.com.

    Thank you.
    --
    Alexey Popov
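The stop/snapshot/start sequence from the reply above, as an added example script (not Acronis code and not from the thread): it stops ntfrs and netlogon in the order given, runs the imaging tool, always restarts the services, and then looks for the FRS event IDs 13501 and 13516 quoted from the Microsoft guide. It assumes Windows PowerShell 5.1 run elevated as a Domain Admin on an FRS-based DC; $SnapshotCommand is a placeholder for your imaging tool's command line.

```powershell
# Added example, not from the thread: quiesce FRS and Net Logon around an image snapshot.
# Assumes Windows PowerShell 5.1, elevated, on a DC that replicates SYSVOL with FRS.
param(
    # Placeholder: replace with the imaging tool's real command line.
    [string]$SnapshotCommand = 'C:\Path\To\ImagingTool.exe /placeholder-args',
    [int]$EventWaitSeconds = 120
)

# Same order as the support reply: stop ntfrs first, then netlogon; start in that order too.
$services = @('ntfrs', 'netlogon')

function Stop-DcServices {
    foreach ($name in $services) {
        $svc = Get-Service -Name $name -ErrorAction Stop
        if ($svc.Status -ne 'Stopped') {
            Stop-Service -Name $name -Force
            $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
        }
        Write-Host "$name is now $((Get-Service -Name $name).Status)"
    }
}

function Start-DcServices {
    foreach ($name in $services) {
        Start-Service -Name $name
        (Get-Service -Name $name).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
        Write-Host "$name is now $((Get-Service -Name $name).Status)"
    }
}

function Test-FrsRestarted {
    param([datetime]$Since, [int]$TimeoutSeconds)
    # 13501 = FRS restarted; 13516 = DC running and ready for service (IDs from the quoted guide).
    $wanted   = @(13501, 13516)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $ids = @(Get-EventLog -LogName 'File Replication Service' -After $Since -ErrorAction SilentlyContinue |
                 Where-Object { $_.EventID -in $wanted } |
                 Select-Object -ExpandProperty EventID -Unique)
        if ($ids -contains 13501 -and $ids -contains 13516) { return $true }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    return $false
}

$started = Get-Date
try {
    Stop-DcServices
    # The snapshot is taken while both services are stopped.
    & cmd.exe /c $SnapshotCommand
    if ($LASTEXITCODE -ne 0) { throw "Imaging tool returned exit code $LASTEXITCODE" }
}
finally {
    # Bring the services back even if the snapshot failed, so the DC does not stay quiesced.
    Start-DcServices
}

if (Test-FrsRestarted -Since $started -TimeoutSeconds $EventWaitSeconds) {
    Write-Host 'FRS restart confirmed: events 13501 and 13516 were logged.'
} else {
    Write-Warning 'Events 13501 and 13516 not seen; check the File Replication Service log before trusting this DC.'
}
```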
     
  3. jeremyotten

    jeremyotten Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    684
    OK, but this is in the case of a single domain controller.

    What to do in a multi-DC Active Directory environment? When I recover a DC from an image that is 12 hours old, for example, AD will be out of sync.

    That is why MS$ told me that they didn't support imaging of DCs.

    Can you communicate this with MS$ and send the feedback here?

    Thanx in Advance
     
  4. Acronis Support

    Acronis Support Acronis Support Staff

    Joined:
    Apr 28, 2004
    Posts:
    25,885
    Hello jeremyotten,

    I can recommend that you read the following article: Synchronize replication with all partners. Could you please clarify what you want to do in a multi-DC Active Directory environment?

    Thank you.
    --
    Irina Shirokova
     
  5. TonioRoffo

    TonioRoffo Registered Member

    Joined:
    Apr 23, 2005
    Posts:
    237
    Two methods:

    One: Do a daily scheduled ntbackup of system state to a data disk. If you ever need to restore an image of a DC, reboot in non-authoritative domain controller restore mode (F8 at startup) and restore the latest NTbackup system state. The DC will think it's been non-authoritatively restored, and at reboot will request DC information from the other DCs.

    Just *never ever* run the restored DC in normal mode before doing this, or you are in USN rollback hell.

    Method two:

    Only if your 2003 DCs are running SP1 - you can "fool" a DC into thinking it's been non-authoritatively restored without actually running ntbackup. Again, if you restored a DC and started it normally, you are scr*w*d.

    To restore a previous image when USN rollback has not occurred
    1. Using the previous , start the domain controller in Directory Services Restore mode.
    2. In a registry editor, if the entry DSA Previous Restore Count under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters is visible, make a note of the value. If the entry is not visible, assume a value of 0. Do not add the entry.
    3. Add the registry entry Database restored from backup under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
    Data type: REG_DWORD
    Value = 1
    This setting creates a valid system state backup and immediately restores the backup.
    4. Restart the domain controller normally.
    5. In the registry, check to be sure that the value in DSA Previous Restore Count is equal to its previous value plus 1.
    6.In the Directory Service event log, check to see that event ID 1109 appears. This event confirms that the .vhd file has been restored and the invocation ID has been changed. Event ID 1109 places the following information in the log:
    Active Directory has been restored from backup media, or has been configured to host an application partition. The invocationID attribute for this directory server has been changed. The highest update sequence number at the time the backup was created is a%n
    %nInvocationID attribute (old value):%n%1
    %nInvocationID attribute (new value):%n%2
    %nUpdate sequence number:%n%3
    %n
    %nThe invocationID is changed when a directory server is restored from backup media or is configured to host a writeable application directory partition.

    This works for all imaging-based products. The actual text above is from MS; they had to come up with something that works in Virtual PC environments, because DCs get "paused" for more than 12 hours in these situations. It works for physical machines as well!

    Denny Crane! :D
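The registry procedure quoted above (and referred to again in the later "registry trick" replies), as an added example script that is neither TonioRoffo's nor Microsoft's code: the Prepare phase does steps 2 and 3 in Directory Services Restore Mode, the Verify phase does steps 5 and 6 after the normal restart. It assumes Windows PowerShell 5.1 in an elevated session on the restored DC, and the state file used to carry the old count across the reboot is this example's own choice.

```powershell
# Added example, not from the thread: script the "Database restored from backup" steps.
# Assumes Windows PowerShell 5.1, elevated, on the restored DC. Run -Phase Prepare in
# DSRM, restart normally (step 4), then run -Phase Verify.
param(
    [Parameter(Mandatory)][ValidateSet('Prepare', 'Verify')][string]$Phase,
    # Assumption: where the pre-restart count is kept so Verify can compare it.
    [string]$StateFile = "$env:SystemDrive\dsrm-restore-count.txt"
)

$ntdsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$countName = 'DSA Previous Restore Count'
$flagName  = 'Database restored from backup'

function Get-PreviousRestoreCount {
    # Step 2: read the count if it exists; if not, assume 0 and do NOT create the entry.
    $prop = Get-ItemProperty -Path $ntdsKey -Name $countName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 0 }
    return [int]$prop.$countName
}

function Invoke-Prepare {
    $before = Get-PreviousRestoreCount
    Set-Content -Path $StateFile -Value $before
    # Step 3: REG_DWORD = 1 makes the DC treat itself as restored from backup at next start.
    New-ItemProperty -Path $ntdsKey -Name $flagName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "Recorded '$countName' = $before and set '$flagName' = 1."
    Write-Host 'Step 4: restart the domain controller normally, then run this script with -Phase Verify.'
}

function Invoke-Verify {
    $before  = [int](Get-Content -Path $StateFile)
    $after   = Get-PreviousRestoreCount
    # Step 5: the count must be exactly the previous value plus 1.
    $countOk = ($after -eq ($before + 1))

    # Step 6: event 1109 in the Directory Service log confirms the invocationID changed.
    $boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    $evt  = Get-EventLog -LogName 'Directory Service' -After $boot -ErrorAction SilentlyContinue |
            Where-Object { $_.EventID -eq 1109 } | Select-Object -First 1
    $detail = if ($evt) { $evt.Message } else { 'event 1109 not found since last boot' }

    [pscustomobject]@{
        CountBefore = $before
        CountAfter  = $after
        CountOk     = $countOk
        Event1109   = [bool]$evt
        Success     = ($countOk -and [bool]$evt)
        Detail      = $detail
    }
}

switch ($Phase) {
    'Prepare' { Invoke-Prepare }
    'Verify'  { Invoke-Verify }
}
```

If Verify reports Success = False, do not let the DC replicate until the cause is understood: the whole point of the procedure is to avoid a DC that thinks its old copy of AD is current.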
     
  6. 2marshall8

    2marshall8 Registered Member

    Joined:
    Apr 11, 2006
    Posts:
    18
    I'm currently looking into the possibility of purchasing the windows server disc imaging software.

    The reason I would purchase the software is if I knew that I could just boot into an image restore cd and restore the partition/disc which holds the system drive on the DC which crashed.

    In my domain we have 9 Windows 2003 DCs spread out across WAN links. If the primary DC (the one with the FSMO roles) fails, how easy would it be for me to restore from an image of this DC's system drive and be back to where I started prior to the crash? What would the process be? This will make my decision.

    thanks
     
  7. TonioRoffo

    TonioRoffo Registered Member

    Joined:
    Apr 23, 2005
    Posts:
    237
    A few things:

    * Make all DCs GCs (this will of course have an effect on replicating over WAN - these days with broadband, I don't really care)
    * Back up daily
    * On top of the imaging, do a daily NTBACKUP system state backup to some external disk where your images reside (can get pretty large...)

    This way you have a quick image to restore without the hassle of a parallel install, *and* a minimal backup of what is needed to do either an authoritative or non-authoritative restore (the first is when you want the AD to roll back to the backup you are restoring; the second is restoring the server and copying AD info from the others).

    At crash:

    * Restore image
    * *do* *not* *boot* *under* *any* *circumstance* in normal mode!!! If you do, and it's networked, USN rollback occurs and you are in for a rough ride...
    * Disconnect server from network just in case!
    * Boot server in AD restore mode
    * Restore the system state backup from disk, non-authoritatively or authoritatively - in both cases, the machine will "know" it's been restored and do the necessary stuff in AD/replication to get it right.

    (Alternatively, use the method I've posted above your question; it will fool the DC into thinking it's just been restored non-authoritatively.)

    Using both methods, there will be no USN rollback; the server will copy AD info from the other servers.

    Not sure about FSMO roles though... you can make some of the servers Global Catalog controllers.

    If you lose the FSMOs, let one of the GCs take up the roles before restoring the failed DC.

    As a last resort, you can do an authoritative restore on the failed DC, but that will change your AD back to the state of the last backup(!)
     
  8. 2marshall8

    2marshall8 Registered Member

    Joined:
    Apr 11, 2006
    Posts:
    18
    I immensely appreciate your help on this. From what I gather, if the system crashes I need to:

    1. Restore the Acronis image of my system partition.
    2. Unplug the network cable.
    3. Boot into AD Restore mode (F8).
    4. Restore the System State and AD from the backup.
    5. Reboot into normal Windows mode and let the other DCs replicate the correct information.
    6. Finished and up and running.

    Questions:

    1. In regards to the FSMO: if this goes down and I have GCs on all other DCs, will these roles be automatically transferred? How does this work? I have a concern here.

    2. Is the restore as easy as booting to a CD with my external backup media (USB Drive) connected and going through the wizard to restore the partitions?

    thanks
     
    Last edited by a moderator: Apr 13, 2006
  9. 2marshall8

    2marshall8 Registered Member

    Joined:
    Apr 11, 2006
    Posts:
    18
    One more item. Why can't I just use the image to restore from? Why must I go into AD restore mode and restore the system state? Don't these accomplish the same purpose?

    please explain.
     
  10. TonioRoffo

    TonioRoffo Registered Member

    Joined:
    Apr 23, 2005
    Posts:
    237
    @2marshall,

    Check the stories on "USN rollback" in the MS knowledge base.

    With a single DC it is not a problem. With multiple DCs, if you restore an image, Windows is not "aware" that it has been restored, and thinks its AD is up to date. However, it's a few days behind because of the backup. The other DC is more recent and also (correctly) believes it is up to date. USN conflicts begin, and your AD is forever out of sync -> lots of problems. The ADs won't replicate from one server to another anymore...

    Using the system state restore trick right after an image restore, the server will announce to the other DC servers that it has been restored and seeks the most recent AD information. It will then replicate this information to itself (non-authoritative restore).

    It's all pretty much windows AD basics, but using "tricks" to make it work with image restoration.

    So for a restore, yes, you need to restore the image, and

    A) Restore a system state as current as possible

    or

    B) Use the registry trick, forcing the AD into non-authoritative restore mode.

    Only these 2 methods make sure that AD information is replicated from the live DCs to the restored ones.

    As for FSMO roles, that's a different story. The best thing is to have as many Global Catalog controllers as possible (as they store more info on the AD).

    A GC can be forced to take up FSMO roles when needed, or you can restore the lost FSMO from a backup.

    Losing some of the FSMO roles in a domain (due to your FSMO server being down) can lead to temporary problems, like not being able to add new domains to trees/forests.

    You should read up on the regular ways to backup/restore DC's, then take notice of why imaging is "bad" if you don't force the AD restore modes, and put it all together somehow.

    My idea of imaging DCs is: ntbackup just the system state every day, to your data disk on the server (typically 500 MB), then image data+system every day (differential). This will make sure you can always restore the server without a problem.

    This idea was put forward in an MS white paper concerning running DCs on virtual servers ("freezing" DCs and rolling them back/restarting them is somewhat the same issue as restoring images).

    Finally, running multiple DCs is something that requires knowledge - read up on it on the net, or try some MCP books/exams.
     
  11. Cat-21

    Cat-21 Registered Member

    Joined:
    Feb 7, 2005
    Posts:
    60
    Tonio is on the right track. Back up that system state and do the differential. Basically AD loses it when restored from a previous time, as records become unsynchronized. You may also need to do a GPUPDATE /FORCE on some clients around you as well...
     
  12. digiclone

    digiclone Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    4
    Why is it that we have to use Ntbackup or another supported utility to restore the System State and set the proper bits for AD to sync properly? Why can't Acronis just automatically set the proper bits after restoring the backup image? This wouldn't seem too hard.
     
  13. TonioRoffo

    TonioRoffo Registered Member

    Joined:
    Apr 23, 2005
    Posts:
    237
    I'd rather have my backup tools *not* touch anything at restore time. If you don't like this solution, I suggest you use NTBACKUP or another AD aware application. No need for an imaging product to get bloated with all kinds of support for AD, Exchange, Oracle and what have you.

    The combination of an image with just a system state BU is a very powerful one and doesn't cost you a euro more - Ntbackup is right there in Windows.

    Using NTBACKUP as bare-metal restore without imaging is a pain at restore time.

    The registry method could not be supported by Acronis, as that would mean they have to check the Win 2K or 2K3 version for certain hotfixes and/or service packs, and also, there are situations in which you *want* the restore to have a USN rollback (in lab environments, for example).

    To be really sure, you even need to suspend the replication service at backup time...

    Anyway, of all backup methods for AD, I find the image/ntbackup to be the most gentle approach to backup/restore/recovery. Of course, that's just my opinion :D
     
  14. Warrior2005

    Warrior2005 Registered Member

    Joined:
    Oct 6, 2005
    Posts:
    19
    Yeah, this is a very tragic story. I also hope that I don't have to do a restore of my two servers so quickly.

    I have a Small Business Server 2003 SP1 and a Windows 2003 Server with SP1.

    Help me guys:

    1) If I would do an image of each of both servers right now, and restore both servers afterwards, replication wouldn't work. Right?

    2) What I did was use dcpromo /forceremoval on the Windows 2003 machine, so getting rid of the Active Directory; after that I added the Windows 2003 server again to the domain, and after that I used dcpromo to make the server a DC.

    What's your opinion about my 2 questions?

    Thanks for your help
     
  15. 2marshall8

    2marshall8 Registered Member

    Joined:
    Apr 11, 2006
    Posts:
    18
    What are the questions? Please restate. Are you in a bind now?
     
  16. jeremyotten

    jeremyotten Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    684
    What you also can do is make an image every day of all your DCs and maybe an incremental at 12:00 PM.

    When you have a company of, let's say, 50 people and the Active Directory wasn't modified, you can restore the image and everything will go OK.

    But when there are several changes to your AD within 6-12 hours, you should do the system state restore or the regkey trick.

    What Acronis should implement in their software is the system state backup. Whenever you put back the image you should have the option of "restoring DC" and Acronis will do the rest for you.

    Acronis: BIG plus for YOU when you implement this!!
     
  17. OldITGuy

    OldITGuy Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    16
    Warrior2005
    You should read and re-read the posts from TonioRoffo. He obviously has a lot of knowledge about domain controllers. It takes a lot of experience to develop the ability to exercise good judgement when a domain controller fails, and you usually get that experience by exercising poor judgement. I know; I have been in USN rollback hell. While TonioRoffo has pretty well spelled it out, he has assumed some basic knowledge on the part of the reader.

    When you have multiple domain controllers, each controller is accepting updates from its logged-on users. Each controller knows about all the other controllers, which are referred to as "replication partners". The core design objective is for all the Active Directory databases in all the controllers to hold the same information; i.e. all the DCs replicate all their updates to all the other DCs so that the databases are, for all practical purposes, identical. Each update that is sent to a replication partner is numbered (USN) so that any domain controller can identify what updates it has received from any other domain controller. If you can imagine a company with 2 domain controllers at the main office and a domain controller at each of 5 branch offices, all receiving updates from their users as well as replicated updates from all the other DCs, you can imagine the difficulty involved in keeping track of all that activity.

    Now if you take down one of those DCs and restore it back to a previous state using an image copy (TI, Ghost, etc.), then that recovered DC doesn't know about all the updates it had previously received since the backup image was created. It also is unaware of all the updates it has sent to its replication partners, so it is totally lost. As soon as the operating system reads the serial numbers of the received updates from other DCs, it is obvious that things are screwed up and all replication with that DC is halted. You are now in USN hell.

    That doesn't happen if you restore the system state with ntbackup, because there is logic in the backup software specifically for Active Directory functionality, including synchronization of USNs. NTbackup is not perfect by any means, but it is "Active Directory aware". Any program that creates a system image and subsequently restores that identical image is not Active Directory aware.

    So, how can you use TI to back up your DCs? If you have just one domain controller there are no replication partners, so you can create images of that controller and restore them without encountering the USN problem. If you have 2 domain controllers you can take them both offline at the same time (disable their network cards or run an offline backup using the TI restore disk or Ghost) and run the imaging program. BUT, if you have to restore one of those controllers later, you have to restore them both, and at the same time, so that when they come back online they will be synchronized. If you have more than 2 domain controllers, especially if they are located at distant sites, it gets a lot more complicated, and it's time to read TonioRoffo's posts again.

    I hope this explanation helps those with very little exposure to active directory understand the concept of replication and the potential problems involved in restoring a domain controller.
     
  18. TonioRoffo

    TonioRoffo Registered Member

    Joined:
    Apr 23, 2005
    Posts:
    237
    Did you test this? Think not... AD is more than users & computers - any change will get you into trouble. Don't think you'll get away with it with "synchronized backups".

    Even a computer getting a new IP from DHCP could trigger a dynamic DNS update, that's right, into the AD... once in USN hell there's no going back!

    Stick with one of the methods... a little NT backup script for system state to the local disk, before doing the snapshot, will help you. The only problem you can have is that it won't work if you restore to different hardware.

    In that case use the SP1/registry trick.
     
  19. jeremyotten

    jeremyotten Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    684
    So what if you have to restore an image and you can't even boot in active directory restore mode then...

    P.S. I did try it and it DID work.... no complaints or errors afterwards...
     
  20. OldITGuy

    OldITGuy Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    16
    jeremyotten, I can't imagine that working. How many DCs in that domain?
     
  21. jeremyotten

    jeremyotten Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    684
    Mostly 2 DCs. PS: do you know some kind of BartPE CD where you can restore the Acronis image (already know how) and after that the system state, with some other program?
     
  22. TonioRoffo

    TonioRoffo Registered Member

    Joined:
    Apr 23, 2005
    Posts:
    237
    That's the funny part of USN rollback. Before SP1, both servers think all is well and you won't even get a notice that things have gone bad... and then you start to see differences in the AD...

    Why do you insist on trying something that is documented all over the web, and that even made MS write a white paper on it??

    Well, it's your network of course; you do what you want with it... but you're on the way to disaster, my friend.

    System state needs to be restored in Active Directory restore mode - that's what it is there for. Then you can choose to restore non-authoritatively (getting newer AD info from other servers) or force an authoritative restore (restore the AD like it was on the backup, changing all the servers back to that AD situation).

    If you didn't change hardware, I can't see why you couldn't boot with F8 into AD restore mode.

    http://www.microsoft.com/downloads/details.aspx?FamilyID=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en
     
  23. TonioRoffo

    TonioRoffo Registered Member

    Joined:
    Apr 23, 2005
    Posts:
    237
    And here is how you can detect if you're already in USN rollback.

    http://support.microsoft.com/kb/885875/

    Maybe it works now, but possibly when adding users or something, your replication might fail.
     
  24. 2marshall8

    2marshall8 Registered Member

    Joined:
    Apr 11, 2006
    Posts:
    18
    Right now when I do backups with Acronis I do a full backup every Monday and incrementals Tuesday-Friday. When I set up the backup I clicked on the volume and did the C:\ system and D:\ data volumes.

    I'm also doing the system state every night and overwriting each Monday.

    This will allow me to do a complete restore on either of the volumes in time of disaster, correct?

    I would only have to boot into AD restore mode, restore the system state, and then boot up to the Acronis CD and restore the volumes? Has this been thoroughly tested by anyone here to be sure the entire process works?

    thanks
     
  25. jeremyotten

    jeremyotten Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    684
    No

    1. restore volume
    2. boot AD restore mode
    3. restore system state

    ;-)
     