I'm currently reviewing my own backup strategy for Samba and I realize it is not in line with the best practices provided in the Wiki (https://wiki.samba.org/index.php/Back_up_and_Restoring_a_Samba_AD_DC). Said best practices, however, seem a bit like a nightmare to me.

Assuming the AD is gone and you want to restore just one DC, and you want things to look just as they did before the crash, the process according to the Wiki looks as follows:

1. Install a Samba DC on a new (!) temporary host and provision the domain, just like you would when doing a new install from scratch. That task alone is tremendous.
2. Stop Samba and restore the AD from backup to this domain, not (!) into the default Samba folder, and advise Samba accordingly when starting it.
3. On the original host, set up a Samba DC and join the domain.
4. If GPOs or scripts exist on sysvol, manually set up sysvol replication to get them to the original DC.
5. Remove the temporary host.

Just... wow. :)

Isn't there a simpler way of doing this? Namely, if all the restore operations are done offline anyway, why is it frowned upon to simply do everything on the original DC, i.e. forgo the temporary host, overwrite the configuration files (/etc/samba) and the local Samba folder (e.g. /var/lib/samba) with what's in the backup and be done with it? What's the difference between doing this and just restoring the whole machine running the DC bit for bit (dd backup and restore)?

Viktor
On 10.02.2019 14:13, Viktor Trojanovic via samba wrote:
> I'm currently reviewing my own backup strategy for Samba and I realize it
> is not in line with best practices provided in the Wiki. (
> https://wiki.samba.org/index.php/Back_up_and_Restoring_a_Samba_AD_DC) Said
> best practices, however, seem a bit like a nightmare to me.
>
> Assuming the AD is gone and you want to restore just one DC, and you want
> things to look just as they did before the crash, the process according to
> the Wiki looks as follows:
>
> 1. Install a Samba DC on a new (!) temporary host and provision the domain,
> just like you would when doing a new install from scratch. That task alone
> is tremendous.
> 2. Stop Samba and restore the AD from backup to this domain not (!) into
> the default Samba folder, advise Samba accordingly when starting it.
> 3. On the original host, set up a Samba DC and join the domain.
> 4. If GPO or scripts exist on sysvol, manually set up sysvol replication to
> get them to the original DC.
> 5. Remove the temporary host.
>
> Just... wow. :)
>
> Isn't there a simpler way of doing this? Namely, if all the restore
> operations are done offline anyway, why is it frowned upon to simply do
> everything on the original DC, i.e. forgo the temporary host, overwrite the
> configuration files (/etc/samba) and the local Samba folder (e.g.
> /var/lib/samba) with what's in the backup and be done with it? What's the
> difference between doing this and just restoring the whole machine running
> the DC bit for bit (dd backup and restore)?
>
> Viktor

Hi folks,

Thanks for bringing this up, Viktor! I have got a bit of a bad conscience here. I have got a small domain, with around 10 users and infrequent changes, and the AD DC resides on a virtual machine. A VM copy is what I do now and then. Hopefully it's sufficient...

Best regards,
Peter
On Sun, 10 Feb 2019 14:13:27 +0100 Viktor Trojanovic via samba <samba at lists.samba.org> wrote:
> I'm currently reviewing my own backup strategy for Samba and I
> realize it is not in line with best practices provided in the Wiki. (
> https://wiki.samba.org/index.php/Back_up_and_Restoring_a_Samba_AD_DC)
> Said best practices, however, seem a bit like a nightmare to me.
>
> Assuming the AD is gone and you want to restore just one DC, and you
> want things to look just as they did before the crash, the process
> according to the Wiki looks as follows:
>
> 1. Install a Samba DC on a new (!) temporary host and provision the
> domain, just like you would when doing a new install from scratch.
> That task alone is tremendous.
> 2. Stop Samba and restore the AD from backup to this domain not (!)
> into the default Samba folder, advise Samba accordingly when starting
> it.
> 3. On the original host, set up a Samba DC and join the domain.
> 4. If GPO or scripts exist on sysvol, manually set up sysvol
> replication to get them to the original DC.
> 5. Remove the temporary host.
>
> Just... wow. :)

Tend to agree with you. The wiki page asks this question: 'So which backup should I use?' It then goes on to enumerate 5 different reasons why you would need a backup and seems to totally miss the point. Your domain has gone down and it is headless chicken time ;-) All you would want to do is to get your domain back up again as quickly as possible.

I think you would only do '1' if you wanted to rename the domain.

Not sure where you got restoring into a different folder from; I thought the restore put everything back to where it came from.

You shouldn't have to do '4': the backup contains a copy of sysvol and smb.conf, so you should be able to restore to the DC it came from. It would just have to be the only DC and all DCs would have to be stopped; it would probably be better to rename the old DC before carrying out the restore.

> Isn't there a simpler way of doing this? Namely, if all the restore
> operations are done offline anyway, why is it frowned upon to simply
> do everything on the original DC, i.e. forgo the temporary host,
> overwrite the configuration files (/etc/samba) and the local Samba
> folder (e.g. /var/lib/samba) with what's in the backup and be done
> with it? What's the difference between doing this and just restoring
> the whole machine running the DC bit for bit (dd backup and restore)?

If you are talking about stopping the DC and copying it (somehow), then this should work, but you would have to be aware that you would have to stop your DC regularly and that your backup would only be valid for the time you took it; anything between that backup and the next would be lost.

Rowland
See comments inline.

On Sun, 10 Feb 2019 at 16:33, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Sun, 10 Feb 2019 14:13:27 +0100
> Viktor Trojanovic via samba <samba at lists.samba.org> wrote:
>
> > I'm currently reviewing my own backup strategy for Samba and I
> > realize it is not in line with best practices provided in the Wiki. (
> > https://wiki.samba.org/index.php/Back_up_and_Restoring_a_Samba_AD_DC)
> > Said best practices, however, seem a bit like a nightmare to me.
> >
> > Assuming the AD is gone and you want to restore just one DC, and you
> > want things to look just as they did before the crash, the process
> > according to the Wiki looks as follows:
> >
> > 1. Install a Samba DC on a new (!) temporary host and provision the
> > domain, just like you would when doing a new install from scratch.
> > That task alone is tremendous.
> > 2. Stop Samba and restore the AD from backup to this domain not (!)
> > into the default Samba folder, advise Samba accordingly when starting
> > it.
> > 3. On the original host, set up a Samba DC and join the domain.
> > 4. If GPO or scripts exist on sysvol, manually set up sysvol
> > replication to get them to the original DC.
> > 5. Remove the temporary host.
> >
> > Just... wow. :)
>
> Tend to agree with you, the wiki page asks this question 'So which
> backup should I use?' It then goes on to enumerate 5 different reasons
> why you would need a backup and seems to totally miss the point. Your
> domain has gone down and it is headless chicken time ;-)
> All you would want to do is to get your domain back up again as quickly
> as possible.

Yes. So I'm really glad I haven't encountered that page in a moment of true need! :-)

> I think you would only do '1' if you wanted to rename the domain.
>
> Not sure where you got restoring into a different folder from, I
> thought the restore put everything back to where it came from.

I got both of these from the section "Restoring the backup-file" in the wiki. It says that if you're going to use the command "samba-tool domain backup restore", you *must not* specify a DC that has previously existed. Further, with regards to the files themselves, it says that the Samba team recommends "that you restore the domain database into a different targetdir, and then use the '-s' option when running samba".

> You shouldn't have to do '4', the backup contains a copy of sysvol and
> smb.conf, so you should be able to restore to the DC it came from, it
> would just have to be the only DC and all DC's would have to be
> stopped, it would probably be better to rename the old DC before
> carrying out the restore.

As mentioned, at least to my understanding of the wiki, a restore of the original DC is not possible using the backup made from it. Are you saying that restoring to a "new DC" is as simple as changing the hostname of "DC1" to "DC1_1"? DNS, GPO, smb.conf would all automatically refer to the new hostname after the restore?

> > Isn't there a simpler way of doing this? Namely, if all the restore
> > operations are done offline anyway, why is it frowned upon to simply
> > do everything on the original DC, i.e. forgo the temporary host,
> > overwrite the configuration files (/etc/samba) and the local Samba
> > folder (e.g. /var/lib/samba) with what's in the backup and be done
> > with it? What's the difference between doing this and just restoring
> > the whole machine running the DC bit for bit (dd backup and restore)?
>
> If you are talking about stopping the DC and copying it (somehow), then
> this should work, but you would have to be aware that you would have to
> stop your DC regularly and that your backup would only be valid for the
> time you took it, anything between that backup and the next would be
> lost.

Let's assume the DC is in a filesystem that allows snapshots. Do I assume correctly that stopping samba would not be required in that case? With regards to information between 2 backups being lost, how is that different with other backup strategies, for example using samba-tool online backup?

Viktor
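The "stop the DC, copy /etc/samba and /var/lib/samba, start it again" approach discussed in this thread, as an added shell example (not part of the thread or of Samba itself), with the checks a restore should make before it overwrites those directories. It assumes the service is called samba-ad-dc and that tar is GNU tar; the SAMBA_STOP/SAMBA_START hooks are hypothetical knobs, not Samba's.

```shell
# Consistent "stop, copy, start" backup/restore of a Samba AD domain's only DC.
# Assumes the samba-ad-dc service, config in /etc/samba, state in /var/lib/samba.
set -eu
# Stop/start hooks (hypothetical knobs, not Samba's): override them, e.g.
# SAMBA_STOP=true SAMBA_START=true, to exercise the functions without a DC.
SAMBA_STOP="${SAMBA_STOP:-systemctl stop samba-ad-dc}"
SAMBA_START="${SAMBA_START:-systemctl start samba-ad-dc}"

# Samba stores sysvol's NT ACLs in extended attributes; GNU tar can carry them
# (otherwise a restored sysvol needs 'samba-tool ntacl sysvolreset').
run_tar() {
    if tar --help 2>&1 | grep -q -- '--xattrs'; then
        set -- --xattrs --xattrs-include='*' "$@"
    fi
    tar "$@"
}

# backup_dc CONFDIR STATEDIR DESTDIR: archive both trees while Samba is
# stopped (ldb/tdb files are not safe to copy live), checksum, print the path.
backup_dc() {
    confdir=$1 statedir=$2 destdir=$3
    name="samba-dc-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    mkdir -p "$destdir"
    $SAMBA_STOP
    trap '$SAMBA_START' EXIT   # bring the DC back even if tar fails
    run_tar -czf "$destdir/$name" -C / "${confdir#/}" "${statedir#/}"
    $SAMBA_START
    trap - EXIT
    (cd "$destdir" && sha256sum "$name" > "$name.sha256")
    printf '%s\n' "$destdir/$name"
}

# verify_backup ARCHIVE: checksum matches and smb.conf, sam.ldb and
# secrets.ldb (files a DC cannot start without) are inside; else non-zero.
verify_backup() {
    dir=$(dirname "$1") name=$(basename "$1")
    (cd "$dir" && sha256sum -c "$name.sha256" >/dev/null 2>&1) || return 1
    listing=$(tar -tzf "$1")
    for f in /smb.conf /private/sam.ldb /private/secrets.ldb; do
        printf '%s\n' "$listing" | grep -q "$f\$" || return 1
    done
}

# restore_dc ARCHIVE: the thread's "overwrite /etc/samba and /var/lib/samba"
# restore; only valid when this host is the domain's only DC.
restore_dc() {
    verify_backup "$1" || return 1
    $SAMBA_STOP
    run_tar -xzf "$1" -C /
    $SAMBA_START
}
```

Anything changed between two such archives is lost, exactly as Rowland notes, and a multi-DC domain needs the samba-tool domain backup/restore route from the wiki instead.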