Active Directory – Back It Up!

Before we get too far in to configuring Active Directory, we should sort out the backups so that we can restore the environment in the event of corruption, compromise or even our own mis-configuration. You have a choice of backup software so I will not go through how to configure this. It’s important that you back up at least one Domain Controller though. The software you chose to use MUST support a system state backup.

Whatever solution you choose to back up Active Directory, you should regularly try restoring this in a lab environment. Active Directory has two restore modes. You can perform a non authoritative restore or an authoritative one.

An authoritative restore will mark all of the objects as “the master version” by increasing the USN numbers by 100000. This means that any changes completed since the version that was restored should be replicated and overwritten with the restored version.

A non authoritative restore will restore the domain controller then initialize replication from the existing domain controllers of all changes that it does not have copies of.

In order to perform a restore of either kind you will need your DSRM (Directory Services Restore Mode) password. This is a password you set when creating your domain controllers. Because of the importance of this password, we should always be aware if it has been changed, hence setting up the alert in the previous post.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.