On Sun, 10 Feb 2019 at 20:23, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sun, 10 Feb 2019 20:11:02 +0100
> Viktor Trojanovic <viktor at troja.ch> wrote:
>
> > On Sun, 10 Feb 2019 at 19:52, Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> >
> > > On Sun, 10 Feb 2019 19:33:17 +0100
> > > Viktor Trojanovic <viktor at troja.ch> wrote:
> > >
> > > > On Sun, 10 Feb 2019 at 17:42, Rowland Penny via samba
> > > > <samba at lists.samba.org> wrote:
> > > >
> > > > > The problem is that a Samba AD DC is constantly in flux, that
> > > > > is, it changes constantly, if your 'snapshot' can guarantee it
> > > > > is correct, then I see no problem, but you would only really
> > > > > know when you tried to restore it.
> > > > >
> > > > > > With regards to information between 2 backups being lost, how
> > > > > > is that different with other backup strategies, for example
> > > > > > using samba-tool online backup?
> > > > >
> > > > > That is the problem with any AD DC backup method, the backups
> > > > > can quickly become out of date.
> > > >
> > > > You keep saying that but I can't quite wrap my head around it.
> > > > How exactly is the DC constantly in flux? Say I set up my small
> > > > AD, one DC, 10 users, 10 computers, internal DNS and some GPOs
> > > > and I'm not touching any of that anymore after the initial setup.
> > > > Yes, users create their files, set permissions etc but that's all
> > > > done on the filesystem of the member server and not in the AD
> > > > itself, right? So what will have changed a week later on the DC?
> > > >
> > > > Viktor
> > >
> > > If all you have is 10 users, then your changes are going to be
> > > small, but there will be changes, machine passwords could change
> > > for instance. If a computer's password changes 5 minutes after you
> > > back up the domain and then a week later you restore from your
> > > backup, the machine will not be able to connect to the domain, the
> > > domain will expect the old password and the machine will be sending
> > > the new one.
> >
> > Ok, that's a valid point but the computer pw is usually initiated
> > every 30 days. Which brings me back to my question, if I set
> > everything up on day x, meaning that user passwords don't expire for
> > another 45 days and computer passwords remain valid for another 30
> > days, make a backup on that same day, and restore the AD a week later
> > without any intermediate backups, what will I have lost? Sorry to
> > belabor the point, I'll keep doing daily backups in any case, I'm
> > just trying to figure out what I'm missing. :)
> >
> > Viktor
>
> In a small domain like yours, probably not much, the only real thing I
> could think of would be user password changes, but in large domains you
> couldn't really do what you are proposing.

Thanks Rowland, so far so clear, Tim will hopefully answer the other open
questions. Out of curiosity, how do you deal with this kind of error you're
describing? In a large domain, I guess there is a really high chance you will
end up with expired computer and user passwords in the AD backup so how do
you handle this?

Viktor
In our organization, we tested the crap out of different backup methods
before rolling out AD. Here's what we tested and worked:

1. All DCs are VMs, on at least two different VM hosts (either running
Virtualbox, Xen or KVM)
2. All domains have at least two DCs
3. We shut down (nicely) DC2, and back up the disk image and machine
definition file to our backup server
4. We turn on DC2 again.

Steps 3 and 4 are done via cron scripts

To restore, we expect DC1 and DC2 to have COMPLETELY been destroyed.
Otherwise, we spin up a new VM and join as another DC. When we restore from
complete failure, we take the nightly backup, and spin up the VM on a new
host. Done.

On Sun, Feb 10, 2019 at 11:32 AM Viktor Trojanovic via samba <samba at lists.samba.org> wrote:

> On Sun, 10 Feb 2019 at 20:23, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
>
> > On Sun, 10 Feb 2019 20:11:02 +0100
> > Viktor Trojanovic <viktor at troja.ch> wrote:
> >
> > > On Sun, 10 Feb 2019 at 19:52, Rowland Penny via samba
> > > <samba at lists.samba.org> wrote:
> > >
> > > > On Sun, 10 Feb 2019 19:33:17 +0100
> > > > Viktor Trojanovic <viktor at troja.ch> wrote:
> > > >
> > > > > On Sun, 10 Feb 2019 at 17:42, Rowland Penny via samba
> > > > > <samba at lists.samba.org> wrote:
> > > > >
> > > > > > The problem is that a Samba AD DC is constantly in flux, that
> > > > > > is, it changes constantly, if your 'snapshot' can guarantee it
> > > > > > is correct, then I see no problem, but you would only really
> > > > > > know when you tried to restore it.
> > > > > >
> > > > > > > With regards to information between 2 backups being lost, how
> > > > > > > is that different with other backup strategies, for example
> > > > > > > using samba-tool online backup?
> > > > > >
> > > > > > That is the problem with any AD DC backup method, the backups
> > > > > > can quickly become out of date.
> > > > >
> > > > > You keep saying that but I can't quite wrap my head around it.
> > > > > How exactly is the DC constantly in flux? Say I set up my small
> > > > > AD, one DC, 10 users, 10 computers, internal DNS and some GPOs
> > > > > and I'm not touching any of that anymore after the initial setup.
> > > > > Yes, users create their files, set permissions etc but that's all
> > > > > done on the filesystem of the member server and not in the AD
> > > > > itself, right? So what will have changed a week later on the DC?
> > > > >
> > > > > Viktor
> > > >
> > > > If all you have is 10 users, then your changes are going to be
> > > > small, but there will be changes, machine passwords could change
> > > > for instance. If a computer's password changes 5 minutes after you
> > > > back up the domain and then a week later you restore from your
> > > > backup, the machine will not be able to connect to the domain, the
> > > > domain will expect the old password and the machine will be sending
> > > > the new one.
> > >
> > > Ok, that's a valid point but the computer pw is usually initiated
> > > every 30 days. Which brings me back to my question, if I set
> > > everything up on day x, meaning that user passwords don't expire for
> > > another 45 days and computer passwords remain valid for another 30
> > > days, make a backup on that same day, and restore the AD a week later
> > > without any intermediate backups, what will I have lost? Sorry to
> > > belabor the point, I'll keep doing daily backups in any case, I'm
> > > just trying to figure out what I'm missing. :)
> > >
> > > Viktor
> >
> > In a small domain like yours, probably not much, the only real thing I
> > could think of would be user password changes, but in large domains you
> > couldn't really do what you are proposing.
>
> Thanks Rowland, so far so clear, Tim will hopefully answer the other open
> questions. Out of curiosity, how do you deal with this kind of error you're
> describing? In a large domain, I guess there is a really high chance you
> will end up with expired computer and user passwords in the AD backup so
> how do you handle this?
>
> Viktor
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
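Steps 3 and 4 of the procedure above, written as a cron-driven script. This is an added example, not Luke's code and not part of Samba. It assumes the secondary DC is a libvirt-managed guest (KVM or Xen) that virsh can control, that the guest is named dc2 and has a single disk, and that /srv/backups/dc2 is the destination; all of those names are placeholders to adjust for your own site.

```shell
#!/bin/sh
# Added example, not from the list thread or from Samba: a cold backup of a
# secondary Samba AD DC that runs as a libvirt-managed guest (KVM or Xen).
# Assumptions (placeholders): the guest is named "dc2", it has one disk,
# and backups are written under /srv/backups/dc2.
set -eu

VM="${VM:-dc2}"
BACKUP_ROOT="${BACKUP_ROOT:-/srv/backups/dc2}"
SHUTDOWN_TIMEOUT="${SHUTDOWN_TIMEOUT:-180}"   # seconds to wait for a clean shutdown

# Poll the domain state until libvirt reports "shut off" or the timeout expires.
# Copying the disk of a running DC would capture an inconsistent copy of the
# AD databases, which is exactly what step 3 (shut down nicely first) avoids.
wait_for_shutoff() {
    vm=$1; timeout=$2; waited=0
    while [ "$waited" -lt "$timeout" ]; do
        [ "$(virsh domstate "$vm")" = "shut off" ] && return 0
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

# Path of the first block device of type "disk" in the domain definition.
disk_path() {
    virsh domblklist "$1" --details | awk '$2 == "disk" { print $4; exit }'
}

# Step 3: stop DC2 cleanly, copy its disk image and machine definition.
# Step 4: start it again so replication from DC1 resumes.
# Prints the directory holding this run's backup.
backup_dc_vm() {
    vm=$1; root=$2
    dest="$root/$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$dest"

    virsh shutdown "$vm" >/dev/null
    if ! wait_for_shutoff "$vm" "$SHUTDOWN_TIMEOUT"; then
        # Never leave the DC down because the backup failed: restart and report.
        virsh start "$vm" >/dev/null
        echo "backup_dc_vm: $vm did not shut down within ${SHUTDOWN_TIMEOUT}s" >&2
        return 1
    fi

    img=$(disk_path "$vm")
    if [ -z "$img" ]; then
        virsh start "$vm" >/dev/null
        echo "backup_dc_vm: no disk device found for $vm" >&2
        return 1
    fi

    virsh dumpxml "$vm" > "$dest/$vm.xml"   # machine definition
    cp "$img" "$dest/"                       # disk image
    virsh start "$vm" >/dev/null

    # Checksums let the restore side verify the image before trusting it.
    (cd "$dest" && sha256sum -- * > SHA256SUMS)
    echo "$dest"
}

# Run from cron, e.g. "0 2 * * * /usr/local/sbin/backup-dc2.sh run".
if [ "${1:-}" = "run" ]; then
    backup_dc_vm "$VM" "$BACKUP_ROOT"
fi
```

On the restore side the saved XML goes through `virsh define` and the image is copied back into place, after checking it against SHA256SUMS. As Rowland points out earlier in the thread, the restored DC is exactly as stale as the time since the last cron run, so machine and user password changes made after that point are lost.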
On Sun, 10 Feb 2019 at 20:46, Luke Barone via samba <samba at lists.samba.org> wrote:

> In our organization, we tested the crap out of different backup methods
> before rolling out AD. Here's what we tested and worked:
>
> 1. All DCs are VMs, on at least two different VM hosts (either running
> Virtualbox, Xen or KVM)
> 2. All domains have at least two DCs
> 3. We shut down (nicely) DC2, and back up the disk image and machine
> definition file to our backup server
> 4. We turn on DC2 again.
>
> Steps 3 and 4 are done via cron scripts
>
> To restore, we expect DC1 and DC2 to have COMPLETELY been destroyed.
> Otherwise, we spin up a new VM and join as another DC. When we restore from
> complete failure, we take the nightly backup, and spin up the VM on a new
> host. Done.

Thanks for this real-life example. I'm curious, since you say that both DCs
are in a VM and you tested various methods, have you tried using snapshots
instead of powering down DC2?

Viktor
On Sun, 10 Feb 2019 20:28:49 +0100
Viktor Trojanovic <viktor at troja.ch> wrote:

> On Sun, 10 Feb 2019 at 20:23, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
>
> > On Sun, 10 Feb 2019 20:11:02 +0100
> > Viktor Trojanovic <viktor at troja.ch> wrote:
> >
> > > On Sun, 10 Feb 2019 at 19:52, Rowland Penny via samba
> > > <samba at lists.samba.org> wrote:
> > >
> > > > On Sun, 10 Feb 2019 19:33:17 +0100
> > > > Viktor Trojanovic <viktor at troja.ch> wrote:
> > > >
> > > > > On Sun, 10 Feb 2019 at 17:42, Rowland Penny via samba
> > > > > <samba at lists.samba.org> wrote:
> > > > >
> > > > > > The problem is that a Samba AD DC is constantly in flux,
> > > > > > that is, it changes constantly, if your 'snapshot' can
> > > > > > guarantee it is correct, then I see no problem, but you
> > > > > > would only really know when you tried to restore it.
> > > > > >
> > > > > > > With regards to information between 2 backups being lost,
> > > > > > > how is that different with other backup strategies, for
> > > > > > > example using samba-tool online backup?
> > > > > >
> > > > > > That is the problem with any AD DC backup method, the
> > > > > > backups can quickly become out of date.
> > > > >
> > > > > You keep saying that but I can't quite wrap my head around
> > > > > it. How exactly is the DC constantly in flux? Say I set up my
> > > > > small AD, one DC, 10 users, 10 computers, internal DNS and
> > > > > some GPOs and I'm not touching any of that anymore after the
> > > > > initial setup. Yes, users create their files, set permissions
> > > > > etc but that's all done on the filesystem of the member server
> > > > > and not in the AD itself, right? So what will have changed a
> > > > > week later on the DC?
> > > > >
> > > > > Viktor
> > > >
> > > > If all you have is 10 users, then your changes are going to be
> > > > small, but there will be changes, machine passwords could change
> > > > for instance. If a computer's password changes 5 minutes after
> > > > you back up the domain and then a week later you restore from
> > > > your backup, the machine will not be able to connect to the
> > > > domain, the domain will expect the old password and the machine
> > > > will be sending the new one.
> > >
> > > Ok, that's a valid point but the computer pw is usually initiated
> > > every 30 days. Which brings me back to my question, if I set
> > > everything up on day x, meaning that user passwords don't expire
> > > for another 45 days and computer passwords remain valid for
> > > another 30 days, make a backup on that same day, and restore the
> > > AD a week later without any intermediate backups, what will I
> > > have lost? Sorry to belabor the point, I'll keep doing daily
> > > backups in any case, I'm just trying to figure out what I'm
> > > missing. :)
> > >
> > > Viktor
> >
> > In a small domain like yours, probably not much, the only real
> > thing I could think of would be user password changes, but in large
> > domains you couldn't really do what you are proposing.
>
> Thanks Rowland, so far so clear, Tim will hopefully answer the other
> open questions. Out of curiosity, how do you deal with this kind of
> error you're describing? In a large domain, I guess there is a
> really high chance you will end up with expired computer and user
> passwords in the AD backup so how do you handle this?
>
> Viktor

Luckily I haven't had to deal with this (yet), but I always run two DCs.
If I did have to restore from a backup, I would just have to deal with
the problems.

Rowland