This article describes the considerations for protecting and recovering Active Directory services on a Domain Controller using Replay. The following sections cover the restore method Replay uses, the Active Directory folders involved, and the recommended volume layout.
Microsoft offers two approaches for restoring Active Directory on Domain Controllers: authoritative and non-authoritative. Replay uses a non-authoritative restore to recover Active Directory on Domain Controllers. A non-authoritative restore returns the Domain Controller to its state at the time of the snapshot.
Active Directory then allows normal replication to overwrite that state with any changes that occurred after the backup was taken. After the target Domain Controller is restored to its previous system state, the Domain Controller queries its replication partners. The replication partners replicate any changes to the restored Domain Controller, ensuring that the Domain Controller has an accurate and updated copy of the Active Directory database.
A non-authoritative restore also allows the entire directory to be restored on a Domain Controller, without reintroducing or changing objects that have been modified since the backup. The most common use of a non-authoritative restore is to bring an entire Domain Controller back, often after catastrophic or debilitating hardware failures. It is uncommon for data corruption to drive a non-authoritative restore, unless the corruption is local and the database cannot be successfully loaded.
Non-authoritative restore is the default method for restoring Active Directory, and it is used in most situations that result from Active Directory data loss or corruption. Because Replay performs backups and recoveries at the volume block layer, it is not necessary to start the Domain Controller in Directory Services Restore Mode.
The Active Directory installation process creates three folders on the Domain Controller: one for the Active Directory database, one for the log files, and the SYSVOL folder. For a detailed listing of the contents of the Active Directory database, refer to Appendix A. These folders must be on a fixed disk of the server formatted with the NTFS file system and cannot be located on a shared resource on the network. In addition, the SYSVOL folder cannot be in the same path as the Database Path folder or the Log Path folder.
The following table lists the three folders and their roles:

| Folder | Role |
|---|---|
| Database Path | Contains Active Directory data, including the Ntds.dit file, which stores the database in use on the domain controller. |
| Log Path | Contains the Active Directory logging and recovery system log file. Database operations are recorded in this log file, which can be used to restore a database after a system has failed. |
| SYSVOL | Stores the server copy of the domain's public files, such as the SYSVOL shared folder. |

Active Directory Folders
For a faster recovery of an Active Directory Domain Controller, place the Operating System, Active Directory database and its Log files and the SYSVOL folders in separate volumes. Since Replay performs backups and recovery at the volume block layer, using separate volumes will ensure a faster recovery of the service.
The following table depicts the proposed layout.

| Drive Letter | Component | RAID Configuration |
|---|---|---|
| C: | Operating System + Page File | RAID 1 or RAID 0+1 |
| D: | Active Directory Database and Log Files | RAID 1 or RAID 0+1 |
| E: | SYSVOL | RAID 1 or RAID 0+1 |

Proposed Folder Layout for Active Directory
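The placement rules above (NTFS, fixed disk, no network share, SYSVOL not under the database or log path) and the separate-volume recommendation can be verified on a Domain Controller before relying on a volume-level restore. The following PowerShell script is an added example, not part of the original article or of Replay; it reads the paths from the NTDS and Netlogon service registry keys and assumes an elevated session on Windows Server 2012 or later (for the Storage module's Get-Volume).

```powershell
# Added example: check Active Directory folder placement on the local DC.
# Assumes an elevated session and the Storage module (Windows Server 2012+).
$ntds     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

$paths = [ordered]@{
    'Database Path' = Split-Path -Parent $ntds.'DSA Database file'   # folder holding Ntds.dit
    'Log Path'      = $ntds.'Database log files path'
    'SYSVOL'        = $netlogon.SysVol
}

$findings = @()
foreach ($entry in $paths.GetEnumerator()) {
    $name = $entry.Key; $path = $entry.Value
    # Must not be a shared network resource.
    if ($path -like '\\*') { $findings += "$name ($path) is on a network share"; continue }
    $letter = $path.Substring(0, 1)
    $vol = Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue
    if (-not $vol) { $findings += "$name ($path): volume $letter not found"; continue }
    # Must be NTFS on a fixed disk.
    if ($vol.FileSystem -ne 'NTFS') { $findings += "$name ($path) is not on NTFS ($($vol.FileSystem))" }
    if ($vol.DriveType -ne 'Fixed') { $findings += "$name ($path) is not on a fixed disk ($($vol.DriveType))" }
}

# SYSVOL cannot share a path with the Database Path or Log Path folder.
$sysvol = $paths['SYSVOL'].TrimEnd('\')
foreach ($n in 'Database Path', 'Log Path') {
    $p = $paths[$n].TrimEnd('\')
    if ($sysvol -ieq $p -or $sysvol -like "$p\*" -or $p -like "$sysvol\*") {
        $findings += "SYSVOL ($sysvol) shares a path with $n ($p)"
    }
}

# Recommendation for faster volume-level recovery: OS, database/logs and SYSVOL on separate volumes.
$sysDrive = $env:SystemDrive.Substring(0, 1)
$dbDrive  = $paths['Database Path'].Substring(0, 1)
$svDrive  = $paths['SYSVOL'].Substring(0, 1)
if ($dbDrive -ieq $sysDrive) { $findings += "Warning: database files share the OS volume ($sysDrive)" }
if ($svDrive -ieq $sysDrive -or $svDrive -ieq $dbDrive) { $findings += "Warning: SYSVOL shares a volume with the OS or database" }

if ($findings) { $findings | ForEach-Object { Write-Output $_ } }
else { Write-Output 'Active Directory folder layout meets the requirements.' }
```

Requirement violations are reported as plain findings; the separate-volume checks are reported as warnings because they affect recovery time, not whether a non-authoritative restore works.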
In addition to the layout shown above, always deploy two Domain Controllers to support Active Directory, and split the forest-wide and domain-wide FSMO roles between the two servers.