[Samba] AD Backup Best Practice

Luke Barone lukebarone at gmail.com
Sun Feb 10 19:43:54 UTC 2019


In our organization, we tested the crap out of different backup methods
before rolling out AD. Here's what we tested and worked:

1. All DCs are VMs, on at least two different VM hosts (either running
VirtualBox, Xen or KVM)
2. All domains have at least two DCs
3. We shut down (nicely) DC2, and back up the disk image and machine
definition file to our backup server
4. We turn on DC2 again.

Steps 3 and 4 are done via cron scripts.

To restore, we expect DC1 and DC2 to have been COMPLETELY destroyed.
Otherwise, we spin up a new VM and join as another DC. When we restore from
complete failure, we take the nightly backup, and spin up the VM on a new
host. Done.

On Sun, Feb 10, 2019 at 11:32 AM Viktor Trojanovic via samba <
samba at lists.samba.org> wrote:

> On Sun, 10 Feb 2019 at 20:23, Rowland Penny via samba <
> samba at lists.samba.org>
> wrote:
>
> > On Sun, 10 Feb 2019 20:11:02 +0100
> > Viktor Trojanovic <viktor at troja.ch> wrote:
> >
> > > On Sun, 10 Feb 2019 at 19:52, Rowland Penny via samba
> > > <samba at lists.samba.org> wrote:
> > >
> > > > On Sun, 10 Feb 2019 19:33:17 +0100
> > > > Viktor Trojanovic <viktor at troja.ch> wrote:
> > > >
> > > > > On Sun, 10 Feb 2019 at 17:42, Rowland Penny via samba
> > > > > <samba at lists.samba.org> wrote:
> > > > >
> > > > > >
> > > > > >
> > > > > > The problem is that a Samba AD DC is constantly in flux, that
> > > > > > is, it changes constantly. If your 'snapshot' can guarantee it
> > > > > > is correct, then I see no problem, but you would only really
> > > > > > know when you tried to restore it.
> > > > > >
> > > > > > > With regards to information between 2 backups being lost, how
> > > > > > > is that different with other backup strategies, for example
> > > > > > > using samba-tool online backup?
> > > > > >
> > > > > > That is the problem with any AD DC backup method: the backups
> > > > > > can quickly become out of date.
> > > > > >
> > > > >
> > > > > You keep saying that but I can't quite wrap my head around it.
> > > > > How exactly is the DC constantly in flux? Say I set up my small AD, one DC, 10
> > > > > users, 10 computers, internal DNS and some GPOs and I'm not
> > > > > touching any of that anymore after the initial setup. Yes, users
> > > > > create their files, set permissions etc but that's all done on
> > > > > the filesystem of the member server and not in the AD itself,
> > > > > right? So what will have changed a week later on the DC?
> > > > >
> > > > > Viktor
> > > >
> > > > If all you have is 10 users, then your changes are going to be
> > > > small, but there will be changes; machine passwords could change,
> > > > for instance. If a computer's password changes 5 minutes after you
> > > > back up the domain and then a week later you restore from your
> > > > backup, the machine will not be able to connect to the domain: the
> > > > domain will expect the old password and the machine will be sending
> > > > the new one.
> > > >
> > > >
> > > OK, that's a valid point, but the computer pw is usually initiated
> > > every 30 days. Which brings me back to my question: if I set
> > > everything up on day x, meaning that user passwords don't expire for
> > > another 45 days and computer passwords remain valid for another 30
> > > days, make a backup on that same day, and restore the AD a week later
> > > without any intermediate backups, what will I have lost? Sorry to
> > > belabor the point, I'll keep doing daily backups in any case, I'm
> > > just trying to figure out what I'm missing. :)
> > >
> > > Viktor
> >
> > In a small domain like yours, probably not much; the only real thing I
> > could think of would be user password changes, but in large domains you
> > couldn't really do what you are proposing.
> >
>
> Thanks Rowland, so far so clear. Tim will hopefully answer the other open
> questions. Out of curiosity, how do you deal with the kind of errors
> you're describing? In a large domain, I guess there is a really high chance
> you will end up with expired computer and user passwords in the AD backup,
> so how do you handle this?
>
> Viktor
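
Steps 3 and 4 of Luke's procedure as a cron-driven script (an added example, not the poster's own script): it assumes the DCs run under libvirt/KVM so that `virsh` manages them, that the backup server's share is mounted locally at `$BACKUP_DIR`, and that DC2 is addressed by its libvirt domain name. It goes a little beyond the steps as listed: it refuses to copy a DC that is still running, verifies every copied image against its source, and starts the VM again even when the copy fails.

```shell
#!/bin/sh
# Nightly cold backup of a Samba AD DC VM (steps 3 and 4 of the post) for cron.
# Added example, not the poster's script. Assumptions: the VM is managed by
# libvirt (virsh), and the backup server's share is mounted at $BACKUP_DIR.
set -eu

BACKUP_DIR="${BACKUP_DIR:-/mnt/backup-server/dc-backups}"  # assumed mount point
SHUTDOWN_TIMEOUT="${SHUTDOWN_TIMEOUT:-300}"                 # seconds to wait for a clean shutdown

# virsh prints "shut off" with a space; squash whitespace so we can compare.
vm_state() { virsh domstate "$1" | tr -d '[:space:]'; }

# Step 3a: ask the guest to shut down cleanly and wait until libvirt says it is off.
# An image copied from a running DC is an inconsistent restore point; a clean
# shutdown lets Samba flush its database files first. Never copy a running DC.
stop_vm() {
  vm="$1"; waited=0
  [ "$(vm_state "$vm")" = "shutoff" ] && return 0
  virsh shutdown "$vm" >/dev/null
  while [ "$(vm_state "$vm")" != "shutoff" ]; do
    [ "$waited" -lt "$SHUTDOWN_TIMEOUT" ] || { echo "$vm still running after ${SHUTDOWN_TIMEOUT}s" >&2; return 1; }
    sleep 5; waited=$((waited + 5))
  done
}

# Step 3b: copy the domain definition and every disk image, then compare each
# copy's SHA-256 with the source so a truncated or corrupt image is caught
# tonight rather than on restore day. The .sha256 file stays beside the image.
copy_vm_files() {
  vm="$1"; dest="$2"
  virsh dumpxml "$vm" > "$dest/$vm.xml" || return 1
  virsh domblklist "$vm" --details | awk '$2 == "disk" {print $4}' | while read -r src; do
    name=$(basename "$src")
    cp "$src" "$dest/$name" || exit 1
    (cd "$dest" && sha256sum "$name" > "$name.sha256") || exit 1
    [ "$(sha256sum < "$src" | cut -d' ' -f1)" = "$(cut -d' ' -f1 "$dest/$name.sha256")" ] || exit 1
  done
}

# Steps 3 and 4 together. The VM is started again even if the copy fails:
# a failed backup must never leave DC2 offline.
backup_dc() {
  vm="$1"; dest="$BACKUP_DIR/$vm/$(date +%Y%m%d)"
  mkdir -p "$dest"
  stop_vm "$vm" || { virsh start "$vm" >/dev/null; return 1; }
  rc=0
  copy_vm_files "$vm" "$dest" || rc=1
  virsh start "$vm" >/dev/null
  return $rc
}

if [ $# -ge 1 ]; then backup_dc "$1"; else echo "usage: $0 <vm-name>" >&2; fi
```

Run it nightly from cron (for example `0 2 * * * /usr/local/sbin/dc-backup.sh dc2`, paths assumed). As the thread points out, every restore point ages from the moment it is taken, so the date-stamped directory name is what tells you how many machine and user password changes a restore would roll back.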

