[Samba] AD Backup Best Practice

Rowland Penny rpenny at samba.org
Sun Feb 10 20:45:19 UTC 2019


On Sun, 10 Feb 2019 20:28:49 +0100
Viktor Trojanovic <viktor at troja.ch> wrote:

> On Sun, 10 Feb 2019 at 20:23, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> 
> > On Sun, 10 Feb 2019 20:11:02 +0100
> > Viktor Trojanovic <viktor at troja.ch> wrote:
> >
> > > On Sun, 10 Feb 2019 at 19:52, Rowland Penny via samba
> > > <samba at lists.samba.org> wrote:
> > >
> > > > On Sun, 10 Feb 2019 19:33:17 +0100
> > > > Viktor Trojanovic <viktor at troja.ch> wrote:
> > > >
> > > > > On Sun, 10 Feb 2019 at 17:42, Rowland Penny via samba
> > > > > <samba at lists.samba.org> wrote:
> > > > >
> > > > > >
> > > > > >
> > > > > > The problem is that a Samba AD DC is constantly in flux,
> > > > > > that is, it changes constantly, if your 'snapshot' can
> > > > > > guarantee it is correct, then I see no problem, but you
> > > > > > would only really know when you tried to restore it.
> > > > > >
> > > > > > > > With regards to information between 2 backups being lost,
> > > > > > > > how is that different with other backup strategies, for
> > > > > > > > example using samba-tool online backup?
> > > > > >
> > > > > > That is the problem with any AD DC backup method, the
> > > > > > backups can quickly become out of date.
> > > > > >
> > > > > >
> > > > > > You keep saying that but I can't quite wrap my head around
> > > > > > it. How exactly
> > > > > > is the DC constantly in flux? Say I set up my small AD, one
> > > > > DC, 10 users, 10 computers, internal DNS and some GPOs and
> > > > > I'm not touching any of that anymore after the initial setup.
> > > > > Yes, users create their files, set permissions etc but that's
> > > > > all done on the filesystem of the member server and not in
> > > > > the AD itself, right? So what will have changed a week later
> > > > > on the DC?
> > > > >
> > > > > Viktor
> > > >
> > > > If all you have is 10 users, then your changes are going to be
> > > > small, but there will be changes, machine passwords could change
> > > > for instance. If a computer's password changes 5 minutes after
> > > > you back up the domain and then a week later you restore from
> > > > your backup, the machine will not be able to connect to the
> > > > domain, the domain will expect the old password and the machine
> > > > will be sending the new one.
> > > >
> > > >
> > > Ok, that's a valid point but the computer pw is usually initiated
> > > every 30 days. Which brings me back to my question, if I set
> > > everything up on day x, meaning that user passwords don't expire
> > > for another 45 days and computer passwords remain valid for
> > > another 30 days, make a backup on that same day, and restore the
> > > AD a week later without any intermediate backups, what will I
> > > have lost?  Sorry to belabor the point, I'll keep doing daily
> > > backups in any case, I'm just trying to figure out what I'm
> > > missing. :)
> > >
> > > Viktor
> >
> > In a small domain like yours, probably not much, the only real
> > thing I could think of would be user password changes, but in large
> > domains you couldn't really do what you are proposing.
> >
> 
> Thanks Rowland, so far so clear, Tim will hopefully answer the other
> open questions. Out of curiosity, how do you deal with this kind of
> error you're describing? In a large domain, I guess there is a
> really high chance you will end up with expired computer and user
> passwords in the AD backup so how do you handle this?
> 
> Viktor

Luckily I haven't had to deal with this (yet), but I always run two
DCs. If I did have to restore from a backup, I would just have to
deal with the problems.

Rowland
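
Added example, not part of the original message and not Samba code: a check for the failure described in the thread, listing accounts whose password was set after the backup and which a restored DC would therefore reject. It assumes you have an export of sAMAccountName and pwdLastSet from a DC that is still readable; the account names, timestamps and function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(value):
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)

def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def stale_after_restore(current, backup_time):
    """Return (name, kind, changed_at) for every account whose password was
    set after backup_time. The restored database holds the older secret, so
    these accounts fail to authenticate until reset or rejoined."""
    cutoff = datetime_to_filetime(backup_time)
    stale = []
    for name, pwd_last_set in sorted(current.items()):
        # pwdLastSet == 0 means "must change at next logon", not a timestamp,
        # so it never compares as newer than the backup.
        if pwd_last_set > cutoff:
            # Machine accounts carry a trailing "$" in sAMAccountName.
            kind = "machine" if name.endswith("$") else "user"
            stale.append((name, kind, filetime_to_datetime(pwd_last_set)))
    return stale

def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)

# Constructed sample data: backup taken 2019-02-03 02:00 UTC.
BACKUP_TIME = utc(2019, 2, 3, 2, 0)
CURRENT = {
    "WS01$": datetime_to_filetime(utc(2019, 2, 3, 2, 5)),   # 5 minutes after backup
    "WS02$": datetime_to_filetime(utc(2019, 1, 20, 9, 0)),  # before backup
    "alice": datetime_to_filetime(utc(2019, 2, 6, 8, 30)),  # user changed password
    "bob": 0,                                               # must change at next logon
}

if __name__ == "__main__":
    for name, kind, changed in stale_after_restore(CURRENT, BACKUP_TIME):
        print(f"{kind:8} {name:8} password set {changed.isoformat()} (after backup)")
```
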

 


