So, I'm generally running my DCs in VMs on Xen [XCP-NG]. And I'm considering recovery from different disaster situations - say a crashed/corrupt DC. Or hardware failure.

Yes, I could run a second VM with a second DC. But unless I set up another XCP server and put the VM on that - the biggest threat to the current VM/DC is the hardware it's running on. So, it really doesn't make a lot of sense to run a second DC on the same VM hardware, in an attempt to make it more resilient, IMO.

I back up the VMs [XOA, in this case] - and was wondering about what the best recovery procedure would be.

In short, restoring the VM from the XOA backup, in its entirety, is quick and painless. [A hardware equivalent of DD'ing the disk to a new machine, I think.]

I obviously get that if I restore a backup or snapshot from, say, a week ago - that any changes to AD since the backup will be lost. But let's assume I've not made any serious changes I really have to have to AD.

Are there any other serious problems with restoring an earlier version of the AD VM that would really cause serious issues? [Obviously the original VM can't come back up, as that's going to cause all sorts of havoc - because we'll have two different AD-DCs that think they're authoritative for the domain. But outside of that...]

I did a search of the list, but didn't find anything very specific easily.

-Greg
Hi there, I actually have the same setup. XCP-NG and DC on VMs. But as we have a pool we have multiple DC VMs. There are some additional things to consider.

On 14.07.20 at 01:25, Gregory Sloop via samba wrote:
> I obviously get that if I restore a backup or snapshot from, say, a week ago - that any changes to AD since the backup will be lost.

Any machine/PC that changes its machine password will have to be rejoined to the domain. Any users that have changed their password will have to remember their "old" password and change it again.

Regards
Christian

--
Dr. Christian Naumer
Unit Head Bioprocess Development
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
phone +49-6251-9331-30 / fax +49-6251-9331-11
If you're running XEN (XCP-NG), which I'm also using: I use the automated snapshots, and this:
https://docs.citrix.com/en-us/xencenter/7-1/vms-snapshots-export.html
That should give a reasonable backup.

XOA, yes, that looks nice also; I never used it.

If you have only 1 XEN server, I would just pick up a PC, or buy a second-hand server and install XEN and run a second DC. Or just add a second DC somewhere; it saves you a lot of trouble in case of disaster recovery.

You can add one in a cloud, but then don't forget to configure the GPOs and make sure you assign the server in the LAN for resolving and authentication. The cloud one is then only the backup DC.

Just an extra idea.

Greetz,
Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Gregory Sloop via samba
> Sent: Tuesday, 14 July 2020 1:26
> To: samba at lists.samba.org
> Subject: [Samba] DC disaster recovery
Yeah, I could set up an extra XCP box - but at smaller setups, it really seems like overkill.

So, it sounds like restores of the VM work "fine."

How often do machine accounts reset their passwords? [This is the one that is most likely to be problematic. Rejoining the domain means a new profile. And that's a big PITA on the client side.]

User password changes can simply be handled by the admin resetting them, or the like. Machine accounts? Not so straightforward, at least not that I'm aware of - unless there's some way to "reset" the computer account password and sync with the workstation.

---
Offtopic: Louis re: XOA

BTW, there's a script that allows you to run XOA community, and keep the XOA install up to date. I can't justify "paid" XOA for any of my clients, except for perhaps one - and even then it's a big stretch. XOA community is a great alternative for those smaller cases. (And I use very few of XOA's features - other than backup and keeping XCP up to date.)

-Greg

--
Gregory Sloop, Principal: Sloop Network & Computer Consulting
Voice: 503.251.0452 x121
EMail: gregs at sloop.net
http://www.sloop.net
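Christian's answer and Greg's follow-up question both come down to one check before a restore: which accounts changed their password after the backup was taken? Those are the computers that will need rejoining and the users who will need their old password back. The script below is an added example for this thread, not code from any of the posters or from the Samba project. It assumes an LDIF-style dump carrying sAMAccountName, objectClass and pwdLastSet (for example from ldbsearch against the DC's sam.ldb), it relies on pwdLastSet being a Windows FILETIME as it is in AD, and every record, name and date in it is constructed. Windows clients rotate their machine account password on their own schedule (30 days by default), so the computer list grows with the age of the backup.

```python
"""Which accounts fall out of sync when a DC is restored from an older backup?

Added example for this thread, not code from any poster or from Samba.
Input: an LDIF-style dump of account objects carrying sAMAccountName,
objectClass and pwdLastSet, as ldbsearch prints them on a Samba AD DC.
The records below are constructed for the demo.
"""
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as a Windows FILETIME: 100-nanosecond ticks since
# 1601-01-01 00:00 UTC. A value of 0 means the password was never set.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks):
    """FILETIME tick count -> aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(when):
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    return ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_ldif(text):
    """Split blank-line separated LDIF records into {attribute: [values]} dicts.
    Plain 'name: value' lines only; base64 ('::') and folded lines are not needed here."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        name, sep, value = line.partition(": ")
        if sep:
            current.setdefault(name, []).append(value)
    if current:
        records.append(current)
    return records

def accounts_changed_since(records, backup_time):
    """Return sAMAccountNames whose password changed after backup_time.
    A DC restored from that backup still holds the *old* password for them:
    computers must be rejoined (or have the machine password reset on both
    sides), users must use their pre-backup password. Computer objects also
    carry the 'user' objectClass, so 'computer' is tested first."""
    changed = {"computer": [], "user": []}
    for rec in records:
        classes = rec.get("objectClass", [])
        kind = "computer" if "computer" in classes else "user" if "user" in classes else None
        ticks = int(rec.get("pwdLastSet", ["0"])[0])
        if kind and ticks and filetime_to_datetime(ticks) > backup_time:
            changed[kind].append(rec["sAMAccountName"][0])
    return changed

# Constructed sample: backup taken 7 July, restore a week later.
BACKUP_TIME = datetime(2020, 7, 7, 2, 0, tzinfo=timezone.utc)

def _ticks(*ymdhm):
    return datetime_to_filetime(datetime(*ymdhm, tzinfo=timezone.utc))

SAMPLE_LDIF = f"""
dn: CN=WS01,CN=Computers,DC=example,DC=com
objectClass: user
objectClass: computer
sAMAccountName: WS01$
pwdLastSet: {_ticks(2020, 7, 10, 9, 30)}

dn: CN=WS02,CN=Computers,DC=example,DC=com
objectClass: user
objectClass: computer
sAMAccountName: WS02$
pwdLastSet: {_ticks(2020, 6, 20, 8, 0)}

dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: alice
pwdLastSet: {_ticks(2020, 7, 12, 14, 5)}

dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: bob
pwdLastSet: {_ticks(2020, 5, 1, 10, 0)}

dn: CN=svc-backup,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: svc-backup
pwdLastSet: 0
"""

def report(ldif_text=SAMPLE_LDIF, backup_time=BACKUP_TIME):
    """Parse the dump and list accounts whose password changed after the backup."""
    return accounts_changed_since(parse_ldif(ldif_text), backup_time)

if __name__ == "__main__":
    for kind, names in report().items():
        print(f"{kind}s changed since backup: {', '.join(names) or 'none'}")
```

The dump has to come from the live directory, so the practical use is to export these three attributes alongside each VM backup (a few kilobytes); after a restore, running the latest export against the backup's timestamp gives exactly the two lists Christian describes: computers to rejoin (or password-reset on both sides) and users to tell about their pre-backup password.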