
Configuring Role-Specific Backups

The roles assigned to a server can dramatically impact its configuration as well as the frequency and type of backup needed to restore it in the future.

As part of your overall backup strategy, take into consideration the roles installed on each of your servers. As you learned, the role performed by the server can have an impact on how you approach the backup and eventually the restore of the server. Let's take a closer look at some of these roles and what can be done to back them up.

BACKING UP DHCP AND DNS

The Dynamic Host Configuration Protocol (DHCP) database contains information about IP address leases, reservations, scopes, scope options, and DHCP registry key settings. It's backed up automatically at 60-minute intervals to the %systemroot%\System32\Dhcp\Backup directory. It is also backed up as part of a system state or full backup, and by using the DHCP Manager console.

You can back up DHCP via the DHCP Manager console by performing the following steps:

  1. Open the DHCP Manager console.
  2. Select the DHCP Server that contains the scopes you want to back up.
  3. Select Action → Backup.
  4. Browse to the folder where you want to store the backup and click OK. By default this will be the %systemroot%\Windows\System32\Dhcp\Backup.
  5. Click OK.

Active Directory-integrated DNS zone configuration information is stored in the registry; therefore, it's also backed up as part of the system state and during full backups. In situations where you have a corrupted or failing DNS, you can recover it only by restoring the entire system state, which might or might not be what you want to do. An alternative is to use DNSCMD with the /zoneexport switch to export the Active Directory-integrated zones to a file you can back up. This file can be restored as a primary zone file and then converted into an Active Directory-integrated zone if necessary.

The following command creates a copy of the DNS zone contoso.com in the %systemroot%\system32\dns\backup\contoso.com.dns.bak file.

DNSCMD /zoneexport contoso.com \backup\contoso.com.dns.bak

The XCOPY command can be used to back up primary and secondary zone files to a backup folder you specify.

Example: XCOPY %systemroot%\system32\dns c:\backups\dns /y

The command backs up all zone text files into the c:\backups folder.

You can then restore them by using XCOPY to copy the backup to the %systemroot%\system32\Dns folder.
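The DHCP console backup, the DNSCMD /zoneexport step and the XCOPY step above, combined into one script as an added example that is not part of the original article. It assumes Windows Server 2012 with the DhcpServer and DnsServer PowerShell modules, run on the DHCP/DNS server itself; the $BackupRoot folder and the dated subfolder layout are assumptions.

```powershell
# Added example (not from the original article): export the DHCP server
# configuration and every Active Directory-integrated DNS zone to a dated
# backup folder. Assumes Windows Server 2012 with the DhcpServer and
# DnsServer modules, run locally on the DHCP/DNS server.
param(
    [string]$BackupRoot = 'C:\backups'   # assumed location, change as needed
)
Import-Module DhcpServer, DnsServer -ErrorAction Stop

$stamp  = Get-Date -Format 'yyyyMMdd-HHmm'
$target = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $target -Force | Out-Null

# DHCP: Export-DhcpServer writes scopes, reservations, options and (with
# -Leases) the lease table to one XML file that Import-DhcpServer can restore.
Export-DhcpServer -File (Join-Path $target 'dhcp.xml') -Leases -Force

# DNS: dnscmd /zoneexport writes relative to %systemroot%\system32\dns and
# refuses to overwrite, so clear any stale file, export, then move the
# result into the backup folder. Only AD-integrated zones need this; their
# data lives in the directory rather than in a zone text file.
$dnsDir = Join-Path $env:SystemRoot 'system32\dns'
Get-DnsServerZone |
    Where-Object { $_.IsDsIntegrated -and -not $_.IsAutoCreated } |
    ForEach-Object {
        $file = "$($_.ZoneName).dns.bak"
        Remove-Item (Join-Path $dnsDir $file) -ErrorAction SilentlyContinue
        & dnscmd.exe /zoneexport $_.ZoneName $file | Out-Null
        Move-Item (Join-Path $dnsDir $file) $target -Force
    }

# Primary and secondary zone text files are copied as-is, like the XCOPY step.
Copy-Item (Join-Path $dnsDir '*.dns') $target -ErrorAction SilentlyContinue

# List what was written so the run can be checked in a log.
Get-ChildItem $target | Select-Object Name, Length, LastWriteTime
```

Restoring follows the same path in reverse: Import-DhcpServer for dhcp.xml, and the .dns.bak files loaded as primary zones and converted to AD-integrated zones as the text above describes.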

BACKING UP WINS

The Windows Internet Name Service (WINS) maintains a distributed database used to register and query dynamic mappings of NetBIOS names for computers and groups. It maps NetBIOS names to IP addresses. Although the database is backed up as part of system state and full backups, you can also back up the WINS database from the WINS console.

Because most of the entries in the database are dynamically entered by the servers and workstations, the only reason to back it up would be if you had created static entries in the WINS database. You can back up the WINS database by performing the following steps:

  1. Open the WINS console.
  2. Right-click the WINS Server.
  3. Select Back Up Database.
  4. Browse to the folder where you want to store the backup and click OK. By default this will be %systemroot%\Windows\System32\WINS.
  5. Click OK.

BACKING UP CERTIFICATE SERVICES

Certificate Services stores a database in the C:\Windows\system32\Certlog location by default. When certificates are issued to users and computers, the associated information is maintained in the Certificate Services database.

If this database becomes corrupted or is accidentally deleted, certificates issued by the server will be considered invalid. Although Certificate Services is backed up as part of a system state and a full backup, you can also back it up via the Certificate Services console by performing the following steps:

  1. Open the Certificate Service console.
  2. Right-click the server and select All Tasks → Backup CA ...
  3. Select Next to start the Certification Authority Wizard.
  4. Select Private Key and CA Certificate and the Certificate database and certificate database log options.
  5. Enter C:\Windows\System32\CABackup and click Next.
  6. Click OK to create the directory.
  7. Enter and confirm a password to gain access to the private key and the CA certificate file and click Next.
  8. Click Finish to back up the Certificate Authority.

BACKING UP ACTIVE DIRECTORY DOMAIN SERVICES

Active Directory is backed up as part of system state and full backups. The components included in the system state are as follows:

  • System startup (boot) files:
    These files are required to boot Windows.
  • System registry:
    This contains registry files that include information about the system hardware, low-level operating system components, and installed programs and their settings.
  • COM+ Class registration database:
    The Component Object Model (COM) is a standard for writing component software in a distributed systems environment. COM uses the registry database for storing component registration information. The database supports a VSS writer, allowing VSS requesters to back up the database on a shadow-copied volume.
  • System volume (SYSVOL):
    This folder, on a domain controller, contains the net logon shared folders used to host user logon scripts and policy settings for pre-Windows 2000 network clients. It also contains the user logon scripts for Active Directory-enabled clients, system policies, group policy settings, and the File Replication service (FRS) directories used to stage directories and files that must be available and synchronized between domain controllers.
  • Active Directory:
    This includes the Active Directory database (ntds.dit), the checkpoint file (edb.chk), transaction logs (edb*.log), and the reserved transaction logs (Res1.log and Res2.log).

In most Active Directory environments, changes to user passwords, computer accounts, and other domain objects occur on a daily basis. When performing restores, you return the domain controller back to a former state, which can affect authentication and replication; therefore, the more frequently you back up domain controllers, the fewer problems you will encounter after a restore. In general, back up your domain controller at least once per day. In situations where you are upgrading a domain controller or installing a new service pack or hotfix, perform a backup immediately.

Another common mistake regarding Active Directory is the accidental deletion of Active Directory objects. For example, if you delete an organizational unit (OU) by mistake that just happens to contain multiple user accounts, the deletion will be replicated to all other domain controllers. When this happens, you need to perform an authoritative restore to return the OU to its original state. This involves restoring the system state and using the Ntdsutil tool. Fortunately, with the release of Windows Server 2008 R2 and Windows Server 2012, there is a more efficient way to handle the restoring of deleted Active Directory objects without having to restore the system state. It's called the Active Directory Recycle Bin.

ENABLING THE ACTIVE DIRECTORY RECYCLE BIN

To use Active Directory Recycle Bin, your forest functional level should be set to at least Windows Server 2008 R2 or greater and all domain controllers must be running Windows Server 2008 R2 or Windows Server 2012. This can be confirmed by selecting Server Manager → Tools → Active Directory Administrative Center. In the following steps, you confirm the functional level and enable the Active Directory Recycle Bin.

ENABLE THE ACTIVE DIRECTORY RECYCLE BIN

To enable the Active Directory Recycle Bin on RWDC01, perform the following steps:

  1. Log in to the RWDC01 with administrative privileges.
  2. Select Server Manager → Tools → Active Directory Administrative Center.
  3. Right-click the domain name contoso (local) and select Properties.
  4. Confirm the forest functional level is set to at least Windows Server 2008 R2 or later and click Cancel.
  5. Right-click the domain name contoso (local) and select Enable Recycle Bin.
  6. Click OK when prompted; you cannot disable the feature.
  7. Select OK to refresh the Active Directory Administrative Center.
  8. Open Windows PowerShell.
  9. Type the following to confirm that the Active Directory Recycle Bin is enabled:

    Get-ADOptionalFeature -filter *

  10. Confirm that a partition is listed for the EnabledScopes parameter:
        EnabledScopes : {CN=Partitions,CN=Configuration,DC=contoso,DC=com, CN=NTDS Settings,CN=RWDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com}
    If EnabledScopes shows { }, then Active Directory Recycle Bin is not enabled.
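The same procedure done entirely from Windows PowerShell, as an added example that is not part of the original article: it checks the forest functional level, enables the Recycle Bin only if it is not already on, and then verifies EnabledScopes the way step 10 does. It assumes the ActiveDirectory module on a Windows Server 2012 domain controller; the forest name contoso.com comes from the article.

```powershell
# Added example (not from the original article): enable and verify the
# Active Directory Recycle Bin from PowerShell. Assumes the ActiveDirectory
# module on a Windows Server 2012 domain controller in the contoso.com forest.
Import-Module ActiveDirectory -ErrorAction Stop

# Prerequisite from the text: forest functional level >= Windows Server 2008 R2.
$forest  = Get-ADForest
$minimum = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$minimum) {
    throw "Forest functional level is $($forest.ForestMode); Windows Server 2008 R2 or later is required."
}

$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if ($feature.EnabledScopes.Count -gt 0) {
    Write-Output "Recycle Bin is already enabled for forest $($forest.Name)."
} else {
    # Enabling is a one-way, forest-wide change (it cannot be disabled), so
    # keep the confirmation prompt and target the Domain Naming Master.
    Enable-ADOptionalFeature -Identity $feature `
        -Scope ForestOrConfigurationSet `
        -Target $forest.Name `
        -Server $forest.DomainNamingMaster `
        -Confirm:$true
}

# Re-read the feature; an empty EnabledScopes means it is still not enabled.
$check = Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $forest.DomainNamingMaster
if ($check.EnabledScopes.Count -eq 0) {
    Write-Warning 'EnabledScopes is empty: the Active Directory Recycle Bin is not enabled.'
} else {
    $check.EnabledScopes | ForEach-Object { Write-Output "Enabled scope: $_" }
}
```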
    

PROTECTING ACTIVE DIRECTORY OBJECTS FROM DELETION

To further protect against the accidental deletion of objects in Active Directory (Computers, OUs, and Users), Windows Server 2012 provides the "protect from accidental deletion" option. This setting can be found by opening the Active Directory Administration Center, right-clicking the object, and selecting Properties.

To streamline the process of protecting OUs, you can use the following Windows PowerShell cmdlet to determine which OUs are not protected from deletion:

Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | ft name,DistinguishedName -AutoSize

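The query above wrapped in a function that can also apply the fix, as an added example that is not part of the original article: it lists the OUs that are not protected and, when called with -Fix, sets ProtectedFromAccidentalDeletion on each of them, with -WhatIf support so the change can be previewed first. It assumes the ActiveDirectory module; the function name Protect-UnprotectedOU and the -SearchBase default are assumptions.

```powershell
# Added example (not from the original article): report OUs that are not
# protected from accidental deletion and optionally protect them.
# Assumes the ActiveDirectory module; Protect-UnprotectedOU is an assumed name.
Import-Module ActiveDirectory -ErrorAction Stop

function Protect-UnprotectedOU {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Default to the whole domain; pass an OU DN to limit the scope.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [switch]$Fix
    )

    # Same query as the article's one-liner, limited to the search base.
    $unprotected = Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase `
        -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }

    foreach ($ou in $unprotected) {
        if ($Fix -and $PSCmdlet.ShouldProcess($ou.DistinguishedName, 'Protect from accidental deletion')) {
            # This sets the same flag as the GUI checkbox: Deny ACEs for Everyone
            # on Delete and Delete Subtree, so a plain delete of the OU fails.
            Set-ADOrganizationalUnit -Identity $ou -ProtectedFromAccidentalDeletion $true
        }
    }

    # Return the list so the caller can review or log what was (or would be) changed.
    $unprotected | Select-Object Name, DistinguishedName
}

# Preview the changes first, then apply them.
Protect-UnprotectedOU -Fix -WhatIf
Protect-UnprotectedOU -Fix | Format-Table -AutoSize
```

Run the report without -Fix as a periodic check; any OU it returns has lost its protection, which is worth investigating before re-applying it.
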
Note:
In this article, you back up to a remote share (\\Server02\ADbackup) in which network backups will save only the latest version of the backup. This is used only for training purposes. In a production environment, you back up to attached disks that are rotated offsite to provide additional security and protection. It's also recommended that you schedule a full backup to occur on a daily basis for your domain controllers.

PERFORM A BACKUP OF THE SYSTEM STATE OF AN ACTIVE DIRECTORY DOMAIN CONTROLLER USING WBADMIN

To complete a backup of the system state on RWDC01, perform the following steps:

  1. Log in to the RWDC01 with administrative privileges.
  2. Start Windows PowerShell and enter the following commands to install Windows Server Backup, pressing Enter after each command. If Windows Server Backup is already installed, you can skip this step.

    PS C:\> Add-WindowsFeature Windows-Server-Backup
    PS C:\> Exit

  3. Open a command prompt and type the following to perform a system state backup of the domain controller using wbadmin:

    wbadmin start backup systemstatebackup -backuptarget:\\server02\ADbackup -quiet

  4. Type Exit to close the command window after the backup operation successfully completes.
  5. Browse to the share on \\server02\ADbackup to view the files/folders created as part of the system state backup of the domain controller.
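The one-off wbadmin command above turned into the scheduled daily system state backup that the note recommends, using the Windows Server Backup PowerShell cmdlets, as an added example that is not part of the original article. It assumes the Windows-Server-Backup feature is installed on RWDC01; the target \\server02\ADbackup comes from the article, while the 02:00 schedule, the credential prompt and the VSS copy setting are assumptions.

```powershell
# Added example (not from the original article): register a daily scheduled
# system state backup of a domain controller with the WindowsServerBackup
# cmdlets. Assumes the Windows-Server-Backup feature is installed; the
# schedule time and credential prompt are assumptions.
Import-Module WindowsServerBackup -ErrorAction Stop

$policy = New-WBPolicy
# System state = AD database, SYSVOL, registry, COM+ database and boot files.
Add-WBSystemState -Policy $policy

# A network share keeps only the most recent backup (see the note above);
# the scheduled job needs an account with write access to the share.
$cred   = Get-Credential -Message 'Account with write access to \\server02\ADbackup'
$target = New-WBBackupTarget -NetworkPath '\\server02\ADbackup' -Credential $cred
Add-WBBackupTarget -Policy $policy -Target $target

# Run every day at 02:00. A VSS copy backup leaves other applications'
# transaction logs alone, which matters if the DC also hosts such a service.
Set-WBSchedule -Policy $policy -Schedule ([datetime]'02:00') | Out-Null
Set-WBVssBackupOptions -Policy $policy -VssCopyBackup

# Set-WBPolicy registers the policy with the scheduler; -Force skips the prompt.
Set-WBPolicy -Policy $policy -Force

# Verify: show the active policy and the result of the last run.
Get-WBPolicy | Select-Object Schedule, BackupTargets
Get-WBSummary | Select-Object LastSuccessfulBackupTime, LastBackupResultHR, NextBackupTime
```

A non-zero LastBackupResultHR, or a LastSuccessfulBackupTime older than a day, is the condition to alert on; a DC whose most recent system state is stale limits how far back an authoritative restore can go.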