On Sun, 10 Feb 2019 at 19:52, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sun, 10 Feb 2019 19:33:17 +0100
> Viktor Trojanovic <viktor at troja.ch> wrote:
>
> > On Sun, 10 Feb 2019 at 17:42, Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> >
> > > The problem is that a Samba AD DC is constantly in flux, that is, it
> > > changes constantly, if your 'snapshot' can guarantee it is correct,
> > > then I see no problem, but you would only really know when you tried
> > > to restore it.
> > >
> > > > With regards to information between 2 backups being lost, how
> > > > is that different with other backup strategies, for example using
> > > > samba-tool online backup?
> > >
> > > That is the problem with any AD DC backup method, the backups can
> > > quickly become out of date.
> >
> > You keep saying that but I can't quite wrap my head around it. How
> > exactly is the DC constantly in flux? Say I set up my small AD, one DC, 10
> > users, 10 computers, internal DNS and some GPOs and I'm not touching
> > any of that anymore after the initial setup. Yes, users create their
> > files, set permissions etc but that's all done on the filesystem of
> > the member server and not in the AD itself, right? So what will have
> > changed a week later on the DC?
> >
> > Viktor
>
> If all you have is 10 users, then your changes are going to be small,
> but there will be changes, machine passwords could change for instance.
> If a computer's password changes 5 minutes after you back up the domain
> and then a week later you restore from your backup, the machine will
> not be able to connect to the domain, the domain will expect the old
> password and the machine will be sending the new one.

Ok, that's a valid point but the computer pw is usually initiated every 30 days. Which brings me back to my question, if I set everything up on day x, meaning that user passwords don't expire for another 45 days and computer passwords remain valid for another 30 days, make a backup on that same day, and restore the AD a week later without any intermediate backups, what will I have lost? Sorry to belabor the point, I'll keep doing daily backups in any case, I'm just trying to figure out what I'm missing. :)

Viktor

On Sun, 10 Feb 2019 20:11:02 +0100 Viktor Trojanovic <viktor at troja.ch> wrote:

> On Sun, 10 Feb 2019 at 19:52, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
>
> > On Sun, 10 Feb 2019 19:33:17 +0100
> > Viktor Trojanovic <viktor at troja.ch> wrote:
> >
> > > On Sun, 10 Feb 2019 at 17:42, Rowland Penny via samba
> > > <samba at lists.samba.org> wrote:
> > >
> > > > The problem is that a Samba AD DC is constantly in flux, that
> > > > is, it changes constantly, if your 'snapshot' can guarantee it
> > > > is correct, then I see no problem, but you would only really
> > > > know when you tried to restore it.
> > > >
> > > > > With regards to information between 2 backups being lost, how
> > > > > is that different with other backup strategies, for example
> > > > > using samba-tool online backup?
> > > >
> > > > That is the problem with any AD DC backup method, the backups
> > > > can quickly become out of date.
> > >
> > > You keep saying that but I can't quite wrap my head around it.
> > > How exactly is the DC constantly in flux? Say I set up my small AD, one DC, 10
> > > users, 10 computers, internal DNS and some GPOs and I'm not
> > > touching any of that anymore after the initial setup. Yes, users
> > > create their files, set permissions etc but that's all done on
> > > the filesystem of the member server and not in the AD itself,
> > > right? So what will have changed a week later on the DC?
> > >
> > > Viktor
> >
> > If all you have is 10 users, then your changes are going to be
> > small, but there will be changes, machine passwords could change
> > for instance. If a computer's password changes 5 minutes after you
> > back up the domain and then a week later you restore from your
> > backup, the machine will not be able to connect to the domain, the
> > domain will expect the old password and the machine will be sending
> > the new one.
>
> Ok, that's a valid point but the computer pw is usually initiated
> every 30 days. Which brings me back to my question, if I set
> everything up on day x, meaning that user passwords don't expire for
> another 45 days and computer passwords remain valid for another 30
> days, make a backup on that same day, and restore the AD a week later
> without any intermediate backups, what will I have lost? Sorry to
> belabor the point, I'll keep doing daily backups in any case, I'm
> just trying to figure out what I'm missing. :)
>
> Viktor

In a small domain like yours, probably not much, the only real thing I could think of would be user password changes, but in large domains you couldn't really do what you are proposing.

Rowland

On Sun, 10 Feb 2019 at 20:23, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sun, 10 Feb 2019 20:11:02 +0100
> Viktor Trojanovic <viktor at troja.ch> wrote:
>
> > On Sun, 10 Feb 2019 at 19:52, Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> >
> > > On Sun, 10 Feb 2019 19:33:17 +0100
> > > Viktor Trojanovic <viktor at troja.ch> wrote:
> > >
> > > > On Sun, 10 Feb 2019 at 17:42, Rowland Penny via samba
> > > > <samba at lists.samba.org> wrote:
> > > >
> > > > > The problem is that a Samba AD DC is constantly in flux, that
> > > > > is, it changes constantly, if your 'snapshot' can guarantee it
> > > > > is correct, then I see no problem, but you would only really
> > > > > know when you tried to restore it.
> > > > >
> > > > > > With regards to information between 2 backups being lost, how
> > > > > > is that different with other backup strategies, for example
> > > > > > using samba-tool online backup?
> > > > >
> > > > > That is the problem with any AD DC backup method, the backups
> > > > > can quickly become out of date.
> > > >
> > > > You keep saying that but I can't quite wrap my head around it.
> > > > How exactly is the DC constantly in flux? Say I set up my small AD, one DC, 10
> > > > users, 10 computers, internal DNS and some GPOs and I'm not
> > > > touching any of that anymore after the initial setup. Yes, users
> > > > create their files, set permissions etc but that's all done on
> > > > the filesystem of the member server and not in the AD itself,
> > > > right? So what will have changed a week later on the DC?
> > > >
> > > > Viktor
> > >
> > > If all you have is 10 users, then your changes are going to be
> > > small, but there will be changes, machine passwords could change
> > > for instance. If a computer's password changes 5 minutes after you
> > > back up the domain and then a week later you restore from your
> > > backup, the machine will not be able to connect to the domain, the
> > > domain will expect the old password and the machine will be sending
> > > the new one.
> >
> > Ok, that's a valid point but the computer pw is usually initiated
> > every 30 days. Which brings me back to my question, if I set
> > everything up on day x, meaning that user passwords don't expire for
> > another 45 days and computer passwords remain valid for another 30
> > days, make a backup on that same day, and restore the AD a week later
> > without any intermediate backups, what will I have lost? Sorry to
> > belabor the point, I'll keep doing daily backups in any case, I'm
> > just trying to figure out what I'm missing. :)
> >
> > Viktor
>
> In a small domain like yours, probably not much, the only real thing I
> could think of would be user password changes, but in large domains you
> couldn't really do what you are proposing.

Thanks Rowland, so far so clear, Tim will hopefully answer the other open questions. Out of curiosity, how do you deal with this kind of error you're describing? In a large domain, I guess there is a really high chance you will end up with expired computer and user passwords in the AD backup so how do you handle this?

Viktor
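
Added example, not part of the thread and not Samba project code: a pre-restore check for the mismatch discussed above. It reads an LDIF export of sAMAccountName and pwdLastSet from the live directory and lists every account whose password was set after the backup was taken. The domain, account names and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample export (hypothetical domain and accounts), simple LDIF form.
SAMPLE_LDIF = """\
dn: CN=PC01,CN=Computers,DC=example,DC=lan
sAMAccountName: PC01$
pwdLastSet: 131942304000000000

dn: CN=PC02,CN=Computers,DC=example,DC=lan
sAMAccountName: PC02$
pwdLastSet: 131943204000000000

dn: CN=alice,CN=Users,DC=example,DC=lan
sAMAccountName: alice
pwdLastSet: 131945000000000000
"""

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(value):
    # AD stores pwdLastSet as 100 ns ticks since 1601-01-01 UTC.
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)

def parse_ldif(text):
    # One dict per blank-line-separated entry; only plain "attr: value" lines.
    entries = []
    for block in text.strip().split("\n\n"):
        entry = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        if "sAMAccountName" in entry:
            entries.append(entry)
    return entries

def changed_since_backup(ldif_text, backup_time):
    # Accounts whose current password is newer than the backup: after a
    # restore the DC would hold the old secret for each of these.
    stale = []
    for entry in parse_ldif(ldif_text):
        ticks = int(entry.get("pwdLastSet", "0"))
        if ticks == 0:  # 0 means no password timestamp recorded; nothing to compare
            continue
        changed = filetime_to_dt(ticks)
        if changed > backup_time:
            name = entry["sAMAccountName"]
            kind = "machine" if name.endswith("$") else "user"
            stale.append((name, kind, changed))
    return stale

if __name__ == "__main__":
    backup = datetime(2019, 2, 10, 12, 0, tzinfo=timezone.utc)  # constructed backup time
    for name, kind, when in changed_since_backup(SAMPLE_LDIF, backup):
        print(f"{kind:8}{name:8}password set {when:%Y-%m-%d %H:%M} UTC, after backup")
```

Machine accounts in the result are the ones that would fail to authenticate against the restored domain; user accounts in the result would revert to their previous password.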