[Samba] AD Backup Best Practice

Viktor Trojanovic viktor at troja.ch
Sun Feb 10 19:28:49 UTC 2019


On Sun, 10 Feb 2019 at 20:23, Rowland Penny via samba <samba at lists.samba.org>
wrote:

> On Sun, 10 Feb 2019 20:11:02 +0100
> Viktor Trojanovic <viktor at troja.ch> wrote:
>
> > On Sun, 10 Feb 2019 at 19:52, Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> >
> > > On Sun, 10 Feb 2019 19:33:17 +0100
> > > Viktor Trojanovic <viktor at troja.ch> wrote:
> > >
> > > > On Sun, 10 Feb 2019 at 17:42, Rowland Penny via samba
> > > > <samba at lists.samba.org> wrote:
> > > >
> > > > >
> > > > >
> > > > > The problem is that a Samba AD DC is constantly in flux, that
> > > > > is, it changes constantly, if your 'snapshot' can guarantee it
> > > > > is correct, then I see no problem, but you would only really
> > > > > know when you tried to restore it.
> > > > >
> > > > > > > With regards to information between 2 backups being lost, how
> > > > > > is that different with other backup strategies, for example
> > > > > > using samba-tool online backup?
> > > > >
> > > > > That is the problem with any AD DC backup method, the backups
> > > > > can quickly become out of date.
> > > > >
> > > > >
> > > > You keep saying that but I can't quite wrap my head around it.
> > > > How exactly is the DC constantly in flux? Say I set up my small
> > > > AD, one DC, 10 users, 10 computers, internal DNS and some GPOs and
> > > > I'm not touching any of that anymore after the initial setup. Yes,
> > > > users
> > > > create their files, set permissions etc but that's all done on
> > > > the filesystem of the member server and not in the AD itself,
> > > > right? So what will have changed a week later on the DC?
> > > >
> > > > Viktor
> > >
> > > If all you have is 10 users, then your changes are going to be
> > > small, but there will be changes, machine passwords could change
> > > for instance. If a computer's password changes 5 minutes after you
> > > back up the domain and then a week later you restore from your
> > > backup, the machine will not be able to connect to the domain, the
> > > domain will expect the old password and the machine will be sending
> > > the new one.
> > >
> > >
> > Ok, that's a valid point but the computer pw is usually initiated
> > every 30 days. Which brings me back to my question, if I set
> > everything up on day x, meaning that user passwords don't expire for
> > another 45 days and computer passwords remain valid for another 30
> > days, make a backup on that same day, and restore the AD a week later
> > without any intermediate backups, what will I have lost?  Sorry to
> > belabor the point, I'll keep doing daily backups in any case, I'm
> > just trying to figure out what I'm missing. :)
> >
> > Viktor
>
> In a small domain like yours, probably not much, the only real thing I
> could think of would be user password changes, but in large domains you
> couldn't really do what you are proposing.
>

Thanks Rowland, so far so clear, Tim will hopefully answer the other open
questions. Out of curiosity, how do you deal with the kind of errors
you're describing? In a large domain, I guess there is a really high chance
you will end up with expired computer and user passwords in the AD backup
so how do you handle this?

Viktor
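
Added example, not part of the original thread: one way to measure how far a backup has drifted, by listing objects whose whenChanged, and accounts whose pwdLastSet, is later than the backup time. It assumes an LDIF export from the live DC containing dn, whenChanged and pwdLastSet; the sample records, DNs and backup time are constructed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample in LDIF form; DNs and timestamps are made up.
SAMPLE_LDIF = """\
dn: CN=PC01,CN=Computers,DC=example,DC=lan
whenChanged: 20190210193005.0Z
pwdLastSet: 131943006050000000

dn: CN=PC02,CN=Computers,DC=example,DC=lan
whenChanged: 20190201080000.0Z
pwdLastSet: 131934816000000000

dn: CN=alice,CN=Users,DC=example,DC=lan
whenChanged: 20190214101500.0Z
pwdLastSet: 131919840000000000
"""

def parse_ldif(text):
    """One {attribute: value} dict per record (no folded or base64 lines)."""
    blocks = text.strip().split("\n\n")
    recs = [dict(l.split(": ", 1) for l in b.splitlines() if ": " in l) for b in blocks]
    return [r for r in recs if "dn" in r]

def from_generalized_time(value):
    """whenChanged format, e.g. 20190210193005.0Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.0Z").replace(tzinfo=timezone.utc)

def from_filetime(value):
    """pwdLastSet format: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)

def drift_since(ldif_text, backup_time):
    """Return (objects changed, accounts with a newer password) since backup."""
    changed, new_pw = [], []
    for rec in parse_ldif(ldif_text):
        if "whenChanged" in rec and from_generalized_time(rec["whenChanged"]) > backup_time:
            changed.append(rec["dn"])
        # pwdLastSet of 0 means "must change at next logon", not a real timestamp
        if int(rec.get("pwdLastSet", 0)) > 0 and from_filetime(rec["pwdLastSet"]) > backup_time:
            new_pw.append(rec["dn"])
    return changed, new_pw

if __name__ == "__main__":
    backup = datetime(2019, 2, 10, 19, 25, tzinfo=timezone.utc)  # assumed backup time
    print(drift_since(SAMPLE_LDIF, backup))
```

Accounts in the second list are the ones whose secret in the restored database would predate their current password.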

