In the ever-evolving realm of disaster recovery, Windows Server 2008 has some interesting features related to Active Directory that can have some important benefits for your company. As an IT manager, you must continually be on top of disaster recovery methods so that you can recover critical data in the event of hardware or software failure or human error and are able to restore infrastructure servers in a timely fashion. Good disaster recovery planning helps prevent, or at least minimize, downtime and disruption to employees.
A good disaster recovery plan is critical for Active Directory because AD holds all the security mechanisms needed to access data, and it holds the infrastructure together. In recent years, Microsoft has improved disaster recovery functions for Active Directory. In particular, Windows Server 2008 contains a number of new features worth evaluating for your disaster recovery plan.
The most glaring difference in Windows Server 2008 disaster recovery is the absence of the built-in backup tool, commonly known as NTBackup. This utility has been around since Windows NT on servers and clients. Administrators are intimately familiar with it, even though many may have their own third-party backup tools.
In Windows Server 2008, however, Microsoft made these important changes with its new backup tool called Windows Server Backup or WSB:
- It is not installed by default as NTBackup was. It is installed via the new Server Manager snap-in Features list. Figure 1 shows how WSB is presented in Server Manager in Windows Server 2008.
- It does not support tape devices. It is important to note that the APIs that support tape devices are still in the OS, so your third-party products will still work with tape devices.
- WSB supports backup to DVD.
- It uses the Volume Shadow Copy Service (VSS) to perform disk-to-disk backups, which is accomplished by backing up to a virtual hard disk (VHD), and it is quite efficient at compressing the data and storing changes. You may be familiar with the VHD because that is how virtual machines are stored, whether you use VMware or Microsoft's Virtual Server software. In Figure 1, the WSB console shows several backups that have been completed. You can use this interface to schedule backups and recover entire volumes, directories or just a single file. Backups are organized by date and time.
- WSB manages the disk space of the backup disk. The disk partition itself must be raw for WSB to use it. It then manages the backups and disk space. It will erase old backups when it needs space for new ones. In Figure 1, the volume backed up was about 7 GB, and the backup disk was 16 GB. Notice that after three backups, only about 12 GB of space was used. This gives you an idea of how it is stored.
Figure 1: How WSB is presented in Server Manager in Windows.
- The WSB user interface allows you to back up an entire volume. You cannot back up individual files, folders or just the System State of the Operating System.
- The command-line component for WSB, WBAdmin, lets you back up only the System State rather than the entire volume. Active Directory is contained in the System State, and typically we don't back up the whole server. We back up only the System State for AD recovery, which can only be accomplished via the WBAdmin command-line utility:
WBADMIN Start SystemStateBackup -backupTarget:D:
A similar command can be used to restore a particular version, identified by the date.
- It does not allow you to back up individual files and directories, but you can restore them from a volume backup.
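The System State backup and the "similar command" for restoring a dated version, as an added PowerShell example that is not part of the original article. It assumes D: is the backup target (as in the command above), an elevated prompt, and English-language wbadmin output.

```powershell
# Added example, not from the original article. Run from an elevated prompt.
# Assumption: D: is the backup target, as in the article's command.
$target = 'D:'

# 1. Back up only the System State (on a DC this includes the AD database).
wbadmin start systemstatebackup "-backupTarget:$target" -quiet
if ($LASTEXITCODE -ne 0) {
    throw "System State backup failed (exit code $LASTEXITCODE)"
}

# 2. Read the version identifiers (MM/DD/YYYY-HH:MM) of the backups on the target.
$ids = @(wbadmin get versions "-backupTarget:$target" | ForEach-Object {
    if ($_ -match 'Version identifier:\s*(\S+)') { $Matches[1] }
})
if ($ids.Count -eq 0) { throw "No backups found on $target" }

# 3. Pick the newest by parsed date rather than by position in the listing.
$culture = [Globalization.CultureInfo]::InvariantCulture
$latest = $ids |
    Sort-Object { [datetime]::ParseExact($_, 'MM/dd/yyyy-HH:mm', $culture) } |
    Select-Object -Last 1

# 4. Emit the matching restore command instead of running it: on a domain
#    controller, System State recovery has to be started after booting into
#    Directory Services Restore Mode.
"wbadmin start systemstaterecovery -version:$latest -backupTarget:$target"
```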
One of the most important issues in Active Directory disaster recovery is restoring a domain controller or a global catalog server in a timely manner. In the case of a branch office on a slow network link, recovering a DC could take days while AD replicates across the WAN. Windows Server 2003 gave us an option in DCPromo referred to as "Install From Media" or IFM, which allows promotion of a DC using the restored files from a previously backed-up DC. This is an advanced option in DCPromo that allows the DC to get the NTDS.DIT database from the local restored System State rather than going over the WAN to another DC. In one case, a DC promotion that took three days in Windows 2000 Server took only about 30 minutes in Windows Server 2003 using IFM.
Windows Server 2008 has a new feature in the NTDSUtil tool called IFM. As you might suspect, this makes some improvement on the Install From Media process. This feature allows you to create a system state backup using VSS just like Windows Server Backup would, all within NTDSUtil. You can then move the snapshot to the appropriate server.
Figure 2 shows an example of using NTDSUtil's IFM feature to create a snapshot of the AD, which also defragments the AD database in the process. This process is much faster and easier than a regular backup. In addition, this option permits you to create a backup for a read-only domain controller on a full-version domain controller. So you don't need an RODC to create the backup.
Figure 2: Using NTDSUtil's IFM feature to create a snapshot of the AD
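Creating IFM media with NTDSUtil as described above, as an added PowerShell example that is not part of the original article. The staging folder C:\IFM is a hypothetical path; because the media holds a copy of NTDS.DIT, the script also locks the folder down before it is moved to the target server.

```powershell
# Added example, not from the original article. Run elevated on a writable DC.
# Assumption: C:\IFM is a hypothetical staging folder that does not exist yet.
$ifm = 'C:\IFM'
if (Test-Path $ifm) { throw "$ifm already exists; choose a new, empty location" }

# 'full' builds media for a writable DC; 'rodc' builds media for a
# read-only DC and can be run on a full (writable) domain controller.
$mode = 'full'

# ntdsutil takes its menu commands as arguments; multi-word commands are quoted.
ntdsutil "activate instance ntds" ifm "create $mode $ifm" quit quit

# Verify the media by checking for the files a promotion from media needs:
# the defragmented database plus the SYSTEM and SECURITY registry hives.
$expected = 'Active Directory\ntds.dit', 'registry\SYSTEM', 'registry\SECURITY'
foreach ($rel in $expected) {
    $path = Join-Path $ifm $rel
    if (-not (Test-Path $path)) { throw "IFM media incomplete: $path is missing" }
}

# The folder now contains a full copy of the directory database, so remove
# inherited permissions and leave access to Administrators and SYSTEM only.
icacls $ifm /inheritance:r /grant:r `
    "BUILTIN\Administrators:(OI)(CI)F" "NT AUTHORITY\SYSTEM:(OI)(CI)F"
if ($LASTEXITCODE -ne 0) { throw "Could not restrict permissions on $ifm" }

"IFM media ($mode) ready in $ifm"
```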
Remember that Microsoft positioned System Center Data Protection Manager as an enterprise product for backing up application and user file data; it does support tape devices. WSB is not intended to be an enterprise-level product. Rather, it is a tool to back up and restore things like servers and domain controllers on a server-by-server basis.
The bottom line is that there is great value in Windows Server 2008's disaster recovery features. The manageability and efficiency of Windows Server Backup's VSS copies, as well as the ease of creating DC backups for DC recovery with the new IFM option in NTDSUtil, make migration to Windows Server 2008 increasingly attractive.
Gary Olsen is a systems software engineer for Hewlett-Packard in Global Solutions Engineering. He wrote Windows 2000: Active Directory Design and Deployment and co-authored Windows Server 2003 on HP ProLiant Servers. Olsen is a Microsoft MVP for Windows Server-File Systems.