Pagine

Backup - Domain controller 2008/2008R2

During last months we faced problems to backup various domain controller on 2008 R2.

The problem was, after first backup, next scheduled DC backup freezed and only forced reboot solved server unavailability. We worked on AV support but core problem was not there.

Here they are workarounds that solved problems and other notes about DC backups:

a.) Perform full backup like this workflow

To schedule daily backup of Active Directory Domain Services (AD DS) by using the graphical user interface (GUI)


1.     Click Start, click Administrative Tools, and then click Windows Server Backup.
2.     Click Action, and then click Backup Schedule.
3.     Review the information on the Getting Started page, and then click Next.
4.     Click Full Server (recommended), and then click Next.
5.     Specify a backup time, and then click Next.
6.     Click the check box for your destination disk, and then click Next.
7.     Click Yes to confirm that the destination disk will be reformatted.
8.     Verify the label for the destination disk, and then click Next.
9.     Verify the information on the Summary page, and then click Finish.
10.   On the Confirmation page, click Close.

b.) improve VSS space dedicated on drive C following this article






c.) Disable disk caching (optional but it should be done on all domain controllers)



Disable Time Synchronization
Active Directory domain controller has a built-in mechanism to deal with the time synchronization with the help of the Windows Time Service. Virtualization platforms also provide time service for Virtual Machines (VMs), but it is recommended to disable the Time Synchronization on each Virtual domain controller and let Active Directory manage the time synchronization between Virtual domain controllers.

Disable Disk Caching on Domain Controllers

For the "Disable the Disk Write Caching on the Policies Tab of all Disk Drives in virtual domain controller" setting, it is recommended to configure this setting for all the services which use Extensible Engine Storage (ESE) technology to avoid any data loss.
Disabling Disk caching ensures that data is actually written to the disk instead of keeping the data in volatile memory, which may be lost during a power failure or if the Host server crashes.

Do Not Pause

Pausing a virtual domain controller is not recommended, especially if the virtual domain controller is paused for an extended period of time beyond the Active Directory tombstone timeframe. Pausing can cause the Virtual domain controllers to get out of sync and can introduce lingering objects in the Active Directory environment.

Always Configure Fixed Hard or Pass-Through Disks for Virtual Domain Controllers

It is recommended to configure Fixed or Pass-through Disk type for storing domain controller's database (NTDS.DIT) and log files so that domain controllers operate more efficiently. Implementing one of the other types of disks (e.g. differencing disk virtual hard disks) will reduce the performance of virtual domain controllers.
Note: Pass-Through disk type is a feature of Microsoft Hyper-V and can be compared with a Raw disk as termed in the VMware Virtualization platform.

Do Not Clone The Domain Controller Virtual Machine

Most of the virtualization vendors provide the option for cloning the virtual machines for rapid deployment. It is highly recommended to avoid cloning a domain controller installation, though, unless you are using Windows Server 2012, which provides its own cloning feature.  Otherwise, if you need to do so, we would recommend using the SysPrep.exe tool, which prepares the operating system by removing the duplicate Security Identifiers (SID).


ß------------à

To help preserve the integrity of the Active Directory database if a power loss or another failure were to occur, the Active Directory service performs un-buffered writes and tries to disable the disk write cache on volumes hosting the Active Directory database and log files. Active Directory also attempts to work in this manner when installed in a virtual hosting environment.

If the virtual hosting environment software correctly supports a SCSI emulation mode that supports forced unit access (FUA), un-buffered writes that Active Directory performs in this environment are passed to the host operating system. If forced unit access is not supported, you must disable the write cache on all volumes of the guest operating system that host the Active Directory database, the logs, and the checkpoint file. 
ß------à

Microsoft article

·         You must disable the write cache for all components that use Extensible Storage Engine (ESE) as their database format. These components include Active Directory, the File Replication Service (FRS), Windows Internet Name Service (WINS), and Dynamic Host Configuration Protocol (DHCP). 
·         As a best practice, consider installing uninterruptable power supplies on VM hosts.


An Active Directory domain controller requires regular system state backups to recover from user, hardware, software, or environmental problems. The default useful life of a system state backup is 60 or 180 days, depending on the operating system version and the service pack revision at play during the installation. This useful life is controlled by the tombstone lifetime attribute in Active Directory. At least one domain controller in every domain in the forest should be backed up every tombstone lifetime number of days.

In a production environment, you should make system state backups from two different DCs on a daily basis.

Virtualized DCs in clustered hosts 
In order for the nodes, disks and other resources on a clustered computer to auto-start, authentication requests from the clustered computer must be serviced by a DC in the cluster computer's domain.

To insure that such a DC exists during cluster OS startup, deploy at least 2 domain controllers in the clustered host computer's domain on physical hardware. The physical DCs should be kept online and be network accessible (in DNS + all required ports and protocols) to the clustered hosts. If the only DC’s that can service authentication request during cluster startup reside on a cluster computer that is being restarted, authentication requests will fail and manual recovery steps will be required to make the cluster operational.

Virtualized DCs may be placed on Cluster Shared Volumes (CSV) and non-CSV volumes. CSV disks cannot be brought online unless authentication request have been serviced by Active Directory. Non-CSV disks can be brought online without authentication. Because non-CSV disks can be brought online more easily, Microsoft recommends that files for virtualized domain controllers be placed on non-CSV disks.

Note: Always have at least one DC that is on physical hardware so that failover clusters and other infrastructure can start. When you host domain controllers on virtual machines that are managed by Windows Server 2008 R2 or by Hyper-V Server 2008 R2, we recommend that you store the virtual machine files on cluster disks that are not configured as Cluster Shared Volumes (CSV) disks. This allows for easier recovery in specific failure situations. If there is a site failure or a problem that causes the whole cluster to crash and the DC on physical hardware is not available, storing the virtual machine files on a non-CSV cluster disk should enable the cluster to start. In this situation, the disks that are required by the virtual machine can be brought online. This will let you start the virtual machine that hosts the domain controller. Then, you can bring CSV disks online and start other nodes. This process is required only if there are no other domain controllers available at the time that the cluster is started.

ß------à


Requirements for scheduling daily domain controller backups

The following conditions are requirements for scheduling daily domain controller backups:
  • The destination volume for the backup must be on a separate hard disk from the source volumes. You cannot perform a scheduled backup to a network shared folder.
  • The external storage device for the backup must be connected to the domain controller that you are backing up.
Membership in Builtin Administrators, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To schedule daily backup of Active Directory Domain Services (AD DS) by using the graphical user interface (GUI)


1.     Click Start, click Administrative Tools, and then click Windows Server Backup.
2.     Click Action, and then click Backup Schedule.
3.     Review the information on the Getting Started page, and then click Next.
4.     Click Full Server (recommended), and then click Next.
5.     Specify a backup time, and then click Next.
6.     Click the check box for your destination disk, and then click Next.
7.     Click Yes to confirm that the destination disk will be reformatted.
8.     Verify the label for the destination disk, and then click Next.
9.     Verify the information on the Summary page, and then click Finish.
10.   On the Confirmation page, click Close.