[Samba] AD Backup Best Practice

Viktor Trojanovic viktor at troja.ch
Sun Feb 10 19:11:02 UTC 2019


On Sun, 10 Feb 2019 at 19:52, Rowland Penny via samba <samba at lists.samba.org>
wrote:

> On Sun, 10 Feb 2019 19:33:17 +0100
> Viktor Trojanovic <viktor at troja.ch> wrote:
>
> > On Sun, 10 Feb 2019 at 17:42, Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> >
> > >
> > >
> > > The problem is that a Samba AD DC is constantly in flux, that is, it
> > > changes constantly, if your 'snapshot' can guarantee it is correct,
> > > then I see no problem, but you would only really know when you tried
> > > to restore it.
> > >
> > > >With regards to information between 2 backups being lost, how
> > > > is that different with other backup strategies, for example using
> > > > samba-tool online backup?
> > >
> > > That is the problem with any AD DC backup method, the backups can
> > > quickly become out of date.
> > >
> > >
> > > You keep saying that but I can't quite wrap my head around it. How
> > > exactly
> > is the DC constantly in flux? Say I set up my small AD, one DC, 10
> > users, 10 computers, internal DNS and some GPOs and I'm not touching
> > any of that anymore after the initial setup. Yes, users create their
> > files, set permissions etc but that's all done on the filesystem of
> > the member server and not in the AD itself, right? So what will have
> > changed a week later on the DC?
> >
> > Viktor
>
> If all you have is 10 users, then your changes are going to be small,
> but there will be changes, machine passwords could change for instance.
> If a computers password changes 5 minutes after you back up the domain
> and then a week later you restore from your backup, the machine will
> not be able to connect to the domain, the domain will expect the old
> password and the machine will be sending the new one.
>
>
Ok, that's a valid point but the computer pw is usually initiated every 30
days. Which brings me back to my question, if I set everything up on day x,
meaning that user passwords don't expire for another 45 days and computer
passwords remain valid for another 30 days, make a backup on that same day,
and restore the AD a week later without any intermediate backups, what will
I have lost?  Sorry to belabor the point, I'll keep doing daily backups in
any case, I'm just trying to figure out what I'm missing. :)

Viktor


More information about the samba mailing list