-4

With 389-ds I can export my entire directory using db2ldif and import it into a new directory server using ldif2db without any issues, even in catastrophic failure situations.

Now, the question is with Active Directory: can I do the same thing without taking a full system backup? I want to back up the directory and that's it. Would stopping all AD services and copying the NTDS files be sufficient?

  • 12
    I've never met anyone who had to actually do a restore who regretted doing too much work on their backups. I've met lots of people who regretted trying to do clever stuff like this, though. This is a really bad idea. – Rob Moir Apr 23 '12 at 05:28
  • 3
    Why would you want to do that? Backing up system state doesn't take up a lot of backup space. System state doesn't back up everything! – Bryan Apr 23 '12 at 07:01

2 Answers

34

This is a terrific idea! Terrifically bad!

You'll need to back up your registry, SYSVOL folder, Ntds.dit, Edb.chk, Edb*.log, Res1.log and Res2.log. Oh, but that's not all! If there are other domain controllers in the domain you'll have to worry about non-authoritative versus authoritative restores. Just try doing that without a proper, "Microsoft Sanctioned" backup.

Let's Have Some Fun!

Since no one should ever consider their backups to be good enough until they've performed a fully functioning restoration, you go ahead and back up your Active Directory the way that you proposed above. Then, try and restore it. Tell us how it went.

I mean, you'll be performing full test restorations anyway, right?

We'll wait for your return.

Wesley
  • 8
    AD is very modular; you need the right support modules to make it work, however. Which is what system state covers. It's <1GB, I'm really not sure why you're trying to mess with individual files. – Chris S Jun 27 '12 at 17:28
  • 8
    @user973917 Obviously, that's your decision to make, but if taking a system state backup is too much, then maybe you just shouldn't have computers at all. – MDMarra Jun 27 '12 at 17:34
  • 6
    You can certainly dump the database with ldifde. There's nothing stopping you from doing that. However, doing a system state backup allows for an authoritative restore. Unlike OpenLDAP, which has a master node and slave nodes, AD uses multi-master peers, which changes things a little. Honestly, it sounds like you have an anti-MS bias and are looking for an excuse to bash them. Taking a system state backup takes under 1 minute in most cases. It's **less** complex than backing up any other app you mentioned. Just because it's not what you're used to doesn't mean there's anything wrong with it. – MDMarra Jul 01 '12 at 23:46

3

Why not just use the built-in backup utility to do a backup of the system state? That will get all the key files that you need. It's not a full system backup, and it shouldn't be too large.

Bigbio2002