[Samba] domain backup online

timbeale at catalyst.net.nz
Thu Jul 18 22:29:55 UTC 2019

On 2019-07-18 18:11, Ivan Jurišić wrote:
> On 18. 07. 2019. 04:49, Tim Beale wrote:
>> Just to reiterate an important point, the 'domain backup' command is
>> there to backup your domain information, not your DC.
> Any good suggestion for making a full domain backup online (without
> stopping the service)?

The online backup is a full backup of your domain. You do not have to 
stop the Samba services to make an online backup.

>> If you want to recover your entire domain (i.e. power off all your DCs
>> and start again from scratch), then that's when you restore from a
>> backup file.
> Any better way to recover the domain? I have cc 1500 accounts on my
> domain and if going from scratch I will be in a big mess with users and
> their profiles.

You only start from scratch with respect to your DCs. The ~1500 user 
accounts are all stored in your backup-file.  So when you restore the 
backup, those users will all be present on the restored DC.

The point I'm trying to make is you don't use the backup-file when you 
need to recover a single DC. You use it when you need to recover *all* 
your DCs, i.e. your entire domain.

The AD domain database is distributed across the DCs. For example, let's 
say an admin inadvertently modifies or deletes an object in the database 
that breaks an AD service. This database change gets replicated out to 
all DCs, so now the service is broken across the whole domain. You can't 
just replace a DC to fix the problem, because the new DC will just end 
up with another distributed copy of the same broken database. If you 
don't know which of the 1000s of database objects is incorrect, the 
simplest solution might be to roll back to a known working copy of the 
domain database.

This is where the 'samba-tool domain backup restore' command comes in.
You can't have two separate copies of the same domain database, so first 
you need to stop all the DCs that are using the broken copy of the 
domain database. Next, you restore a new/repurposed DC with the 
backed-up 'good' copy of the domain database. Then you rejoin the DCs 
and they receive the good copy of the database as well.

Note that you have to rejoin all the DCs - you can't just restart samba
on the old DCs. Restarting samba (rather than rejoining) will mean the 
DC still uses the old broken copy of the database. You will then have 
two different domain databases in use, DCs operating at cross-purposes, 
and the whole thing will be a complete mess.
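
The sequence described in the message above (online backup, stop every DC, restore once, rejoin each DC), as an added dry-run sketch that is not part of the original post. It only prints commands; the host names, realm, paths and backup file name are constructed placeholders, and the list of stopped DCs is assumed to be confirmed by the operator.

```shell
#!/bin/sh
# Dry-run runbook for the recovery order described above. It only PRINTS commands.
# Constructed values (assumptions, not from the thread): host names, realm, paths.
REALM="samdom.example.com"
OLD_DCS="dc1 dc2 dc3"            # every DC holding the broken database copy
RESTORED_DC="dc-restore1"        # new/repurposed host that receives the backup
BACKUP_DIR="/var/backups/samba"
BACKUP_FILE="$BACKUP_DIR/samba-backup-PLACEHOLDER.tar.bz2"
TARGET_DIR="/var/lib/samba-restored"

# Online backup, taken while the domain is healthy; Samba keeps running on $1.
backup_cmd() {
  echo "samba-tool domain backup online --targetdir=$BACKUP_DIR --server=$1 -UAdministrator"
}

# Succeeds only if every DC in OLD_DCS is in the operator-confirmed stopped list ($1).
all_dcs_stopped() {
  for dc in $OLD_DCS; do
    case " $1 " in
      *" $dc "*) ;;
      *) echo "refusing to restore: $dc not confirmed stopped" >&2; return 1 ;;
    esac
  done
}

# Print the plan: restore once, then rejoin (never just restart) each old DC.
recovery_plan() {
  all_dcs_stopped "$1" || return 1
  echo "samba-tool domain backup restore --backup-file=$BACKUP_FILE --newservername=$RESTORED_DC --targetdir=$TARGET_DIR"
  echo "# start Samba on $RESTORED_DC from $TARGET_DIR before rejoining anything"
  for dc in $OLD_DCS; do
    echo "# on $dc (its old database copy must not be reused):"
    echo "samba-tool domain join $REALM DC -UAdministrator --server=$RESTORED_DC"
  done
}

backup_cmd dc1
recovery_plan "dc1 dc2 dc3"
# One DC still running the broken copy: the plan is blocked before the restore step.
recovery_plan "dc1 dc3" || echo "plan blocked: a DC is still using the old database"
```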
