Domain Controllers and Disaster Recovery

It's really easier than you think.

I’ve been working with some companies on their “business continuity” plans (that’s what we call disaster recovery these days), and I’ve run across some interesting problems and misconceptions regarding Active Directory domain controllers. A couple of companies in particular were really killing themselves over DC backups, so I thought I’d share some tips that have helped make their lives easier.

First, keep in mind that every DC has a completely identical copy of the entire AD database. I know, that seems pretty obvious, but it has some subtle implications. Suppose you’re using AD-integrated DNS zones. Every single DC has a copy of the DNS zones, including those DCs that aren’t even running DNS (at least in a 2000 Domain). Because every DC is identical, there’s really no need to back them all up. Even if the worst case occurs—for me, that’d be a meteor hitting my stack of servers—you could just rebuild the DC, promote it to be a domain controller, and it’ll get the AD database from its fellows. Of course, to avoid that meteor scenario, you should make sure that at least a couple of DCs are physically separated. That way, a fire in one data center won’t take out all of your resources.

We know that not all DCs are created equal. Some DCs have those special Flexible Single Master Operations (FSMO) roles, like the PDC Emulator, and some DCs host a replica of the Global Catalog (GC). But even if one of those special DCs crashes, you won’t lose any data so long as at least one other DC exists in the domain. You can transfer or seize FSMO roles and configure an alternate DC to host the GC—any way you slice it, though, you don’t lose any data.

You still need backups, of course. Backups can be used to restore accidentally deleted AD objects, and they’re invaluable for off-site recovery purposes. Several of the companies I work with rent off-site space and have a plan to recreate practically their entire IT infrastructure in that space, in the event that something horrible happens to their main office building. Regular AD backups are critical for these purposes, but there’s no need to make things tough. You really only need to back up a couple of DCs.

I always choose one DC to be my “backup master.” That’s the one on which I perform daily—in some cases, hourly—backups. Use whatever software you like; just make sure you get a good, clean backup on a regular basis. If you need to restore an object like a user or group, your backup will be ready to go. Keep in mind, though, that AD backups can only be used on the DC on which they were created. So, if my backup master experiences a total hardware failure, all of my backups are pretty much useless unless I can fix the problem. Therefore, I always pick a secondary DC, usually one located at a different office or in a different data center, and pull backups of it, too. That way, I’ll always have a DC to use to perform restores.

Off-site recovery presents a stickier problem. The whole point of off-site recovery is that you won’t have any of your regular computers available, meaning your DC backups might not be useful. What I do is pick one DC to be the “off-site master.” Put it on the network every couple of weeks, let it sync up with the rest of the domain, and then make a backup of it. Cart the DC off-site to use in your off-site recovery scenarios. Don’t leave it off the network for more than 60 days, or you’ll run into weird problems related to the way AD handles deleted objects. If you need to resort to your off-site recovery option, the DC should be ready to go and can be used to repopulate as many new DCs as needed off-site.

So don’t waste time trying to pull a backup of every DC you own. Pick a couple in each domain and back them up. Keep some backup tapes off-site for safety and keep some handy for restoring accidentally deleted objects.

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.

Featured

  • Microsoft Appoints Althoff as New CEO for Commercial Business

    Microsoft CEO and chairman Satya Nadella on Wednesday announced the promotion of Judson Althoff to CEO of the company's commercial business, presenting the move as a response to the dramatic industrywide shifts caused by AI.

  • Broadcom Revamps VMware Partner Program Again

    Broadcom recently announced a significant update regarding its VMware Cloud Service Provider (VCSP) program, coinciding with the release of VMware Cloud Foundation (VCF) 9.0, a key component in Broadcom’s private cloud strategy.

  • Closeup of the new Copilot keyboard key

    Microsoft Updates Copilot To Add Context-Sensitive Agents to Teams, SharePoint

    Microsoft has rolled out a new public preview for collaborative "always on" agents in Microsoft 365 Copilot, bringing enhanced, context-aware tools into Teams channels, meetings, SharePoint sites, Planner workstreams and Viva Engage communities.

  • Windows 365 Cloud Apps Now Available for Public Preview

    Microsoft announced this week that Windows 365 Cloud Apps are now available for public preview. This aims to allow IT administrators to stream individual Windows applications from the cloud, removing the need to assign Cloud PCs to every user.