Hello Ulrich,

On 19.11.2013 12:17, Ulrich Schinz wrote:
> current situation: we have a Samba4 AD running on a VMware ESX-Cluster
> (ha/failover, ha-nfs-stores).
>
> I'm doing backups with ghetto VCB. Until now I only did
> "Snapshot-backups". But I know, that this way of backups is not the best
> way for domaincontrollers.
>
> I'm now planning to do backups by shutting down the VM, then doing
> backup and then starting machine again.
>
> Maybe someone can give me some hints, which backupsoftware to use or
> what to consider in this topic.
>
> Some time ago I had an error, that a client couldn't connect to AD
> ("Could not determine trust relation"... something like that was the
> error message).
>
> I'd like to avoid inconsistencies. Example:
>
> - SAMBA4 shut down
> - SAMBA4 backup
> - SAMBA4 start
> - HERE SOMETHING CAN OCCUR... WELL MAYBE
> - Server, which is connected to domain as a client, shut down
> - Server backup
> - Server start
>
> In this scenario it could be the case, that the client is doing
> something with the domaincontroller (where I wrote HERE SOMETHING
> CAN:......).
> Do you think restoring the Backup of SAMBA4 and the Server could be a
> Problem, or should this be no problem at all?
>
> I'm aware that I have to be careful in a multiple AD-Server situation.
> But I'm unsure if there would be inconsistency problems in an AD-Clients
> situation....

I think there is no difference whether you back up a Samba VM or a real host.
For a single DC environment, have a look here:
http://wiki.samba.org/index.php/Backup_and_Recovery
That's all you need.

In a multiple DC environment, like you have, you can use the above Wiki
page to create backups of them, too. But whenever at least one DC is up
and the domain is fine, then never restore databases on a broken DC and
connect it to your network again! You will break your whole domain! It is
the same when you restore a VM snapshot! Demote the machine, set up a
fresh Samba DC installation and join it to the domain again as a DC. The
directory replication will bring everything back in sync.

If all DCs are broken (total disaster case, which we will hopefully never
have), then restore the backups you've made according to the backup
HowTo to _one_ machine, start up Samba AD, demote all other DCs, set up all
other DCs fresh and join them as DCs again. If you have all FSMO roles on
one machine, then I would suggest restoring on this one. If not, then
maybe someone else can give some more points on what would be the best
machine to restore and allocate them again.

Regards,
Marc