a blog about nothing

When you take a System state backup of a DC it includes a backup of your SYSVOL with all your GPO’s. If a GPO get corrupted or is accidentally deleted you have to restore the System state to get the policy back. This operation is time consuming.

With the Group Policy Management Consol (GPMC) you can take backups of your GPO’s directly from the consol (and even restore them) which is less time consuming then a System state restore.

Even better are the scripts that follow with the GPMC. With them you can i.e. schedule a regular backup of all GPO’s.

I made a script that dumps the GPO’s to a file share, using some the scripts that followed with the installation of the GPMC.

Download the GPMC here for Win2003.

”””””””””””””””””””””””””””””””””””””””””””””””””””””””””””””””””””””””””””

‘ Backup all GPO’s in the domain
‘ author: Rune Sørensen
‘ 14.04.2009 , v.1.0
‘
‘ Save the script as a vbs file and run it once or create a scheduled task
‘ runnning the script.
‘ \\server\share should reflect your servername and sharename

Dim fso, strPath, objShell

‘ Filepath to the share
strPath = “\\server\share\GPO_Backup\*”

Set fso = CreateObject(“Scripting.FileSystemObject”)
Set objShell = CreateObject(“Wscript.Shell”)

‘ Delete the last taken backup
fso.DeleteFile(strPath)
fso.DeleteFolder(strPath)

strExecuteBackup = “cmd /c ” & “cd %programfiles%\gpmc\scripts\ && cscript BackupAllGPOs.wsf \\server\share\GPO_Backup”‘

strQueryBackups = “cmd /c ” & “cd %programfiles%\gpmc\scripts\ && cscript QueryBackupLocation.wsf \\server\share\GPO_Backup > \\server\share\GPO_Backup\BackupLocations.txt”

strCreateReport = “cmd /c ” & “cd %programfiles%\gpmc\scripts\ && cscript GetReportsForAllGPOs.wsf \\server\share\GPO_Backup”

objShell.Run strExecuteBackup
WScript.Sleep (120000)

objShell.Run strQueryBackups
WScript.Sleep (60000)

objShell.Run strCreateReport
Set objShell = nothing
Set fso = nothing

””””””””””””””””””””” EOF ”””””””””””’

Assuming you have a 2003 DC SP1< and a good System state backup. Not older than your domains tombstone lifetime.

Start the DC in DSRM (F8 at boot)

fig.1

Start NTBackup

Restore Wizard > Next

Choose the System state backup file > Next > Advanced

Restore files to “Original Location”

Leave exsisting files > Next

fig.2

If you have only one DC in your domain. Tick the last checkbox (fig.2). If you have more than one, don’t tick it.

Press “Finish”

Do not restart the DC at this moment.

Mark the object as authoritative (meaning the object(s) will get replicated to other DC’s because it’s authoritative)

http://technet.microsoft.com/en-us/library/cc757068(WS.10).aspx

Open cmd >ntdsutil

> authoritative restore

> restore subtree destinguishedName

ie. An OU accidentally got deleted called “Reserves” holding all the Tottenhams reserves user objects. (What the heck. They aren’t good enough for the first team, but maybe someday they will so let’s get them back).

fig.3

> quit

Restart the DC in normal mode (SP1 or newer). The AD Replication will do the job to get the OU and the user objects replicated to the other DC’s in the domain.

If you have a Windows 2003 SP1 or newer DC, the ntdsutil will create two files if the restored user object have any back-links to group membership. If they do you have to restore the back-link aswell. But wait until all DC’s have got the users replicated.

Syntax: ldifde -i -f <ar*.ldf>

ie: ldifde -i -f ar_20100129-081113_links_spurs.local.ldf

If you have a Win2008 R2 domain and restore a user from the Recycle Bin you don’t have to worry about the back-links. The process will do it for you.

When the Tottenham manager (FYI: Harry Redknapp) picks his starting 11 before a match, he also chooses 7 additional players to sit on the bench. As backups. If ie. a player gets injured during the game, he always have a backup he can use that is sitting on the bench. Just waiting to be substituted.

What do you do if you got a flat tire in the middle of nowhere, and you find out that there isn’t a spare tire in the trunk? “Sh*t, I thought I had a backup!”

An OU with dozen of user objects can accidentally be deleted. Your single DC in the domain can say goodnight anytime (yeah right, who has the guts enough to have a single DC in his domain?!). Your SYSVOL with all your fancy GPOs vanished. “Hey! Where did they go?”

So, just like everything else, a good backup can be very good to have. Even in the Active Directory world. I quote Instan at the Microsoft CSS/PSS:

As my grandfather used to say, “it’s better to have a backup you don’t need than to need a backup you don’t have”

http://blogs.technet.com/instan/default.aspx

If you don’t have a backup routine of your domain controller, then now is a good time to implement it.

A quick way to see when the last backup occurred. Open cmd and type:

repadmin /showbackup *

(Repadmin is part of the Windows 2000/2003 support tools)
http://www.microsoft.com/downloads/details.aspx?familyid=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D&displaylang=en

I have scheduled a System state backup running every night on three of my DC’s in the domain using NTbackup (or Windows backup). (We also have a Tivoli backup running that backup the entire server…Paranoid you know 😮
I store the backup files on a network share for easy access (by the admin *).

The name you give the backup file can be in great help for other admins to do a restore.

Naming of the backup file: http://technet.microsoft.com/en-us/library/cc785766(WS.10).aspx

Schedule System state backup: http://technet.microsoft.com/en-us/library/cc759092(WS.10).aspx

If you at least have a System state backup and a disaster do occur. Then you’ll probably be able to restore your domain back on track. Just be sure that backup file have not exceeded your domain Tombstone Lifetime (60 or 180 days).

* Security around how to protect the backup is out of the scope for this entry.