Diamonds are forever, but not Active Directory backups

Most systems administrators have the attitude that a backup is a backup. Once you've got a successful backup, you can restore from it months or even years later, if need be. In fact, that's the principle behind saving old backup copies as a reliability feature under backup schemes such as Grandfather-Father-Son or Tower of Hanoi.

But no matter how successful a backup is, it isn't permanent under Active Directory if you're using the Windows backup utility to back up a domain controller in a replicated environment. Under these circumstances, your backup won't work beyond the tombstone lifetime setting for the enterprise. The default value of the tombstone lifetime is 60 days. If the system state backup of Active Directory or the domain controller is older than that, you have a problem.

Apparently, Microsoft's reasoning is that because the system state can change so frequently, an Active Directory backup in a replicated environment will eventually be out of sync with the replicas. That may well be true, but that 60-day default value often presents storage administrators with a nasty surprise when they find their backup not working.

Of course, you should make backups more often than every 60 da

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Microsoft Active Directory Backup and Restore How to build redundancy in Active Directory replication An alternate strategy for DNS server backup How do I add a backup domain controller in Windows NT? Tools for quick recovery of deleted Active Directory objects Active Directory disaster recovery: Protecting the enterprise from the administrator Creating Active Directory replicas from backup tapes How to use Install from Media to restore a domain controller Chapter of the Week: Active Directory Cookbook for Windows Server 2003 and Windows 2000 -- Chapter 16, 'Backup, recovery, DIT maintenance and deleted objects' Unable to restore critical information after moving user accounts via LDIF Tips for Active Directory DC backups Microsoft Windows Data Backup and Protection Microsoft Hyper-V: Best practices for performance, backups and management Working with snapshots in Microsoft Hyper-V Self-healing NTFS keeps admins one step ahead of data corruption The efficacy of backup-as-a-service solutions Using WBAdmin to create backups in Windows Server 2008 Breaking down the Windows Server Backup tool for Windows 2008 Moving dynamic disks to a new Windows server Developing a solid Windows Server 2008 backup and recovery strategy Backing up virtual servers: Top methods for Windows machines Backup and recovery for data migrated to networked storage Microsoft Windows Data Backup and Protection Research Active Directory Administration Using Active Directory to manage Macs in a Windows environment Troubleshooting poor Windows logon performance in Active Directory environments Common Active Directory security oversights Scripting domain controller installations: A must for Server Core Taming the LSASS.exe process for Active Directory performance and security Troubleshooting Active Directory database errors Active Directory database basics: Performing an offline defrag Branch office security: Pros and cons of read-only domain controllers Tips for Windows domain controller optimization How to rebuild the SYSVOL tree when none exists in Active Directory

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary cold/warm/hot server  (SearchWindowsServer.com) Dolly  (SearchWindowsServer.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

ys. However the tombstone lifetime setting "feature" can still come back to haunt you if you have to use an older backup (because the more recent ones have been corrupted). The same feature can also be a problem on computers that are built, and have software installed, at a staging site and then are shipped to another location to be used. If the process of getting the computer installed and running takes more than 60 days, you have a problem right from the very get-go.

If, however, every server in the domain has been destroyed, you can use an older backup to restore one server and then replicate that to the other servers in the domain. Microsoft discusses this situation, as well as how to set the default value of the tombstone lifetime for more than 60 days, in an online article Useful shelf life of a system-state backup of Active Directory.

This article originally appeared on SearchWinSystems.com.

Rate this Tip To rate tips, you must be a member of SearchWindowsServer.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.