[Samba] AD Backup Best Practice

Viktor Trojanovic viktor at troja.ch
Sun Feb 10 16:07:55 UTC 2019 

See comments inline.

On Sun, 10 Feb 2019 at 16:33, Rowland Penny via samba <samba at lists.samba.org>
wrote:

> On Sun, 10 Feb 2019 14:13:27 +0100
> Viktor Trojanovic via samba <samba at lists.samba.org> wrote:
>
> > I'm currently reviewing my own backup strategy for Samba and I
> > realize it is not in line with best practices provided in the Wiki. (
> > https://wiki.samba.org/index.php/Back_up_and_Restoring_a_Samba_AD_DC)
> > Said best practices, however, seem a bit like a nightmare to me.
> >
> > Assuming the AD is gone and you want to restore just one DC, and you
> > want things to look just as they did before the crash, the process
> > according to the Wiki looks as follows:
> >
> > 1. Install a Samba DC on a new (!) temporary host and provision the
> > domain, just like you would when doing a new install from scratch.
> > That task alone is tremendous.
> > 2. Stop Samba and restore the AD from backup to this domain not (!)
> > into the default Samba folder, advise Samba accordingly when starting
> > it. 3. On the original host, set up a Samba DC and join the domain.
> > 4. If GPO or scripts exist on sysvol, manually set up sysvol
> > replication to get them to the original DC.
> > 5. Remove the temporary host.
> >
> > Just... wow. :)
>
> Tend to agree with you, the wiki page asks this question 'So which
> backup should I use?' It then goes on to enumerate 5 different reasons
> why you would need a backup and seems to totally miss the point. Your
> domain has gone down and it is headless chicken time ;-)
> All you would want to do is to get your domain back up again as quickly
> as possible.
>

Yes. So I'm really glad I haven't encountered that page in a moment of true
need! :-)


> I think you would only do '1' if you wanted to rename the domain.
>
> Not sure where you got restoring into a different folder from, I
> thought the restore put everything back to where it came from.
>
>
I got both of this from the section "Restoring the backup-file" in the
wiki. It says that if you're going to use the command "samba-tool domain
backup restore", you *must not* specify a DC that has previously existed.
Further, with regards to the files itself, it says that the Samba team
recommends "that you restore the domain database into a different
targetdir, and then use the '-s' option when running samba".


> You shouldn't have to do '4', the backup contains a copy of sysvol and
> smb.conf, so you should be able to restore to the DC it came from, it
> would just have to be the only DC and all DC's would have to be
> stopped, it would probably be better to rename the old DC before
> carrying out the restore.
>
>
As mentioned, at least to my understanding of the the wiki a restore of the
original DC is not possible using the backup made from it. Are you saying
that restoring to a "new DC" is as simple as changing the hostname of "DC1"
to "DC1_1"? DNS, GPO, smb.conf would all automatically refer to the new
hostname after the restore?


> >
> > Isn't there a simpler way of doing this? Namely, if all the restore
> > operations are done offline anyway, why is it frowned upon to simply
> > do everything on the original DC, i.e. forgo the temporary host,
> > overwrite the configuration files (/etc/samba) and the local Samba
> > folder (e.g. /var/lib/samba) with what's in the backup and be done
> > with it? What's the difference between doing this and just restoring
> > the whole machine running the DC bit for bit (dd backup and restore)?
>
> If you are talking about stopping the DC and copying it (somehow), then
> this should work, but you would have to be aware that you would have to
> stop your DC regularly and that your backup would only be valid for the
> time you took it, anything between that backup and the next would be
> lost.
>

Let's assume the DC is in a filesystem that allows snapshots, do I assume
correctly that stopping samba would not be required in that case? With
regards to information between 2 backups being lost, how is that different
with other backup strategies, for example using samba-tool online backup?

Viktor

More information about the samba mailing list