[Samba] AD Backup Best Practice

Georges Martin jrjsmrtn at gmail.com
Sun Feb 10 16:27:43 UTC 2019

A good practice is to have at least 2 DCs in a domain.

If one crashes, you can reinstall one from scratch, join it to the domain and it will synchronize with the safe one. And your services should not stop in the meantime.

That doesn’t prevent us from setting up backups, but that reduces risks a lot. :-)


> On 10 Feb 2019, at 17:07, Viktor Trojanovic via samba <samba at lists.samba.org> wrote:
> See comments inline.
> On Sun, 10 Feb 2019 at 16:33, Rowland Penny via samba <samba at lists.samba.org>
> wrote:
>> On Sun, 10 Feb 2019 14:13:27 +0100
>> Viktor Trojanovic via samba <samba at lists.samba.org> wrote:
>>> I'm currently reviewing my own backup strategy for Samba and I
>>> realize it is not in line with best practices provided in the Wiki. (
>>> https://wiki.samba.org/index.php/Back_up_and_Restoring_a_Samba_AD_DC)
>>> Said best practices, however, seem a bit like a nightmare to me.
>>> Assuming the AD is gone and you want to restore just one DC, and you
>>> want things to look just as they did before the crash, the process
>>> according to the Wiki looks as follows:
>>> 1. Install a Samba DC on a new (!) temporary host and provision the
>>> domain, just like you would when doing a new install from scratch.
>>> That task alone is tremendous.
>>> 2. Stop Samba and restore the AD from backup to this domain not (!)
>>> into the default Samba folder, advise Samba accordingly when starting
>>> it.
>>> 3. On the original host, set up a Samba DC and join the domain.
>>> 4. If GPO or scripts exist on sysvol, manually set up sysvol
>>> replication to get them to the original DC.
>>> 5. Remove the temporary host.
>>> Just... wow. :)
>> Tend to agree with you, the wiki page asks this question 'So which
>> backup should I use?' It then goes on to enumerate 5 different reasons
>> why you would need a backup and seems to totally miss the point. Your
>> domain has gone down and it is headless chicken time ;-)
>> All you would want to do is to get your domain back up again as quickly
>> as possible.
> Yes. So I'm really glad I haven't encountered that page in a moment of true
> need! :-)
>> I think you would only do '1' if you wanted to rename the domain.
>> Not sure where you got restoring into a different folder from, I
>> thought the restore put everything back to where it came from.
> I got both of these from the section "Restoring the backup-file" in the
> wiki. It says that if you're going to use the command "samba-tool domain
> backup restore", you *must not* specify a DC that has previously existed.
> Further, with regards to the files themselves, it says that the Samba team
> recommends "that you restore the domain database into a different
> targetdir, and then use the '-s' option when running samba".
>> You shouldn't have to do '4', the backup contains a copy of sysvol and
>> smb.conf, so you should be able to restore to the DC it came from, it
>> would just have to be the only DC and all DCs would have to be
>> stopped, it would probably be better to rename the old DC before
>> carrying out the restore.
> As mentioned, at least to my understanding of the wiki a restore of the
> original DC is not possible using the backup made from it. Are you saying
> that restoring to a "new DC" is as simple as changing the hostname of "DC1"
> to "DC1_1"? DNS, GPO, smb.conf would all automatically refer to the new
> hostname after the restore?
>>> Isn't there a simpler way of doing this? Namely, if all the restore
>>> operations are done offline anyway, why is it frowned upon to simply
>>> do everything on the original DC, i.e. forgo the temporary host,
>>> overwrite the configuration files (/etc/samba) and the local Samba
>>> folder (e.g. /var/lib/samba) with what's in the backup and be done
>>> with it? What's the difference between doing this and just restoring
>>> the whole machine running the DC bit for bit (dd backup and restore)?
>> If you are talking about stopping the DC and copying it (somehow), then
>> this should work, but you would have to be aware that you would have to
>> stop your DC regularly and that your backup would only be valid for the
>> time you took it, anything between that backup and the next would be
>> lost.
> Let's assume the DC is in a filesystem that allows snapshots, do I assume
> correctly that stopping samba would not be required in that case? With
> regards to information between 2 backups being lost, how is that different
> with other backup strategies, for example using samba-tool online backup?
> Viktor

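The two constraints quoted from the wiki in this thread (the restore must not name a DC that has previously existed, and the database should go into a different targetdir) can be checked before the restore is run. The shell function below is an added example, not part of the original messages or of the Samba project's code; the function name, the exit codes, the default path `/var/lib/samba` (taken from the thread's own example) and the empty-directory check are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks before `samba-tool domain backup restore`.
# DEFAULT_SAMBA_DIR and restore_preflight are hypothetical names for illustration.
DEFAULT_SAMBA_DIR="${DEFAULT_SAMBA_DIR:-/var/lib/samba}"

# Usage: restore_preflight BACKUP_FILE NEW_SERVER_NAME TARGETDIR "OLD DC NAMES"
# On success prints the restore command (paths without whitespace assumed).
# On failure prints the reason to stderr and returns a distinct code (2-5).
restore_preflight() {
    backup=$1; newname=$2; target=$3; old_dcs=$4

    if [ ! -r "$backup" ]; then
        echo "backup file not readable: $backup" >&2; return 2
    fi

    # The new server name must not be one that previously existed in the
    # domain. Host names are compared case-insensitively.
    new_uc=$(printf '%s' "$newname" | tr '[:lower:]' '[:upper:]')
    for dc in $old_dcs; do
        dc_uc=$(printf '%s' "$dc" | tr '[:lower:]' '[:upper:]')
        if [ "$new_uc" = "$dc_uc" ]; then
            echo "server name '$newname' was already used by a DC" >&2; return 3
        fi
    done

    # The restore goes to a separate targetdir, not the default Samba
    # folder or anything below it. Require an absolute path so the
    # prefix comparison is meaningful.
    case "$target" in
        /*) ;;
        *) echo "targetdir must be an absolute path" >&2; return 4 ;;
    esac
    case "$target/" in
        "$DEFAULT_SAMBA_DIR"/*)
            echo "targetdir is inside $DEFAULT_SAMBA_DIR" >&2; return 4 ;;
    esac

    # Conservative assumption of this example: never restore over existing files.
    if [ -d "$target" ] && [ -n "$(ls -A "$target")" ]; then
        echo "targetdir exists and is not empty: $target" >&2; return 5
    fi

    printf 'samba-tool domain backup restore --backup-file=%s --newservername=%s --targetdir=%s\n' \
        "$backup" "$newname" "$target"
}
```

After a restore into a separate targetdir, samba is started with the `-s` option pointing at the restored configuration, as the wiki passage quoted above says.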