
Why should you not restore a DC that was backed up 6 months ago?

As I am learning Active Directory Domain Services, I came across this question in one of the blogs, but I was unable to find a detailed answer. So please, can anybody explain this concept to me?

psmears
user416535
  • Because you should have more recent backups? – Craig Watson May 22 '17 at 07:18
  • Unless... all the more recent backups were on the same nuclear deposition area, making this singular off-site backup the only usable backup of the last DC. On _force majeure_ cases no-one would blame you for not having a backup for the unexpected. For anything less you should have regular and automated backups. – Esa Jokinen May 22 '17 at 11:12
  • regular, automated, **monitored** *and* **tested**. You really don't want to realize that your backup has been failing for 3 months or cannot be restored at the very moment you absolutely need it. – JFL May 22 '17 at 12:49
  • Many years ago I restored an ancient NT4 AD server to some spare kit, dumped the parts of the AD needed, and then massaged them in a text editor. Could have imported that massaged data into the live server, but that wasn't needed. Memory's getting woolly after ~17 years; can't think of the software's name, sorry. – Criggie Jun 08 '17 at 07:49

2 Answers


There is a thing called tombstone lifetime in Active Directory. When you delete an object in Active Directory it is not immediately gone; it is converted to a tombstone and this information is replicated to the other DCs. When the tombstone lifetime is reached the object will be purged. If you restore to a state prior to the deletion and the tombstone is not replicated to the restored DC before it expires, the object will remain present in your restored DC but not in the other DCs. Now you have inconsistent data. The default tombstone lifetime for Server 2008 and onwards is 180 days (= 6 months).

duenni
  • It can be restored if it is the only domain controller in the domain. If it isn't the only DC the restore is irrelevant because the other domain controllers will not replicate with a restored DC that is older than TSL. There also aren't any practical cases to restore a DC if other DCs are available, unless the entire domain/forest is smoked. In that case, they wouldn't keep any of the existing DCs, but would restore the old backup to one DC, and promote all new DCs. – Greg Askew May 22 '17 at 13:19
  • Yeah, restoring such an old backup will get you more trouble because the secure channel passwords expired too, so no client will talk to this DC and you will have to rejoin all clients to the AD. All in all this is not a good idea. – duenni May 22 '17 at 13:27
  • I don't think anyone is saying it is a good idea. If the only backup available is older than TSL, it can be restored. – Greg Askew May 22 '17 at 13:34
  • Ok, I'll remove the last sentence from my answer because it can be misleading. – duenni May 22 '17 at 13:38
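As an added example (not from either answer or the commenters), a PowerShell check that reads the forest's actual tombstoneLifetime attribute and reports whether a backup taken on a given date is still inside it. It assumes the RSAT ActiveDirectory module is installed and a DC is reachable; the `-BackupDate` parameter is an input you supply.

```powershell
# Added example: is a DC system-state backup still within the tombstone lifetime (TSL)?
# Assumes the RSAT ActiveDirectory module and a reachable domain controller.
param(
    [Parameter(Mandatory)][datetime]$BackupDate,   # when the backup was taken (your input)
    [string]$Server                                 # optional: a specific DC to query
)
Import-Module ActiveDirectory

$adParams = @{}
if ($Server) { $adParams.Server = $Server }

# TSL is stored forest-wide on the Directory Service object in the Configuration NC.
$configNC = (Get-ADRootDSE @adParams).configurationNamingContext
$dsObject = Get-ADObject @adParams `
    -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
    -Properties tombstoneLifetime

# If the attribute is not set, AD behaves as if it were 60 days
# (forests created before Windows Server 2003 SP1); newer forests set it to 180.
$tsl = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }

$now      = Get-Date
$deadline = $BackupDate.AddDays($tsl)

[pscustomobject]@{
    TombstoneLifetimeDays   = $tsl
    BackupAgeDays           = [int]($now - $BackupDate).TotalDays
    RestorableUntil         = $deadline
    WithinTombstoneLifetime = ($now -lt $deadline)
}
```

A backup whose `WithinTombstoneLifetime` is `False` is the case the accepted answer describes: restoring it can resurrect objects the other DCs have already purged.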

Not only deleted objects.

Let us assume for a while that some servers have been configured with IIS or a Certificate server (PKI), policies have been applied on OUs, delegation has been given to some users, authentication has been set up for some AD users (like VPN access), etc.

All these changes will be replaced with the old Active Directory. This action is not acceptable at all.

Sairam
  • Not necessarily. Non-authoritative restore will replicate the existing data from another DC, but it will lead to inconsistent data if the tombstone lifetime has expired (besides the fact that it won't let you restore a backup which is older than the tombstone lifetime in the first place). – duenni May 22 '17 at 12:05