Performing a System State Backup on SBS 2011 (Standard & Essentials)
September 13, 2011 8 Comments
Hands up if you use Image Based Backup?
Good, all of you.
Or is that bad?
There was a lively discussion recently on the topic of Image Based backups in an Active Directory environment.
It seems a lot of people have potentially overlooked the issue of having to restore a Domain Controller, or part of Active Directory.
If you are using solely image based backups and you loose a domain controller, what can you do?
Sure you can restore that server, using an image.
Thinking back to the days before image based backup, using NTBackup or similar provided us with a System State backup, which for those who don’t know, was basically a backup of the registry and any other critical system files and in the case of a domain controller, it also provided us with a backup of Active Directory. (Susan Bradley’s Blog Post on a System State Backup in the 2003 era)
This backup was special, separated from a normal all files backup.
With that backup you could perform either a non authoritative restore, or an authoritative restore, depending on your needs. I wont go into to much here but basically a non authoritative restore would allow the local server’s AD to be overwritten by any other DC, an authoritative restore told the local DC to overwrite all the other DC’s, But the key was, you need a System State backup in order to kick off either type of restore.
You can find more info here:
http://technet.microsoft.com/en-us/library/cc779573%28WS.10%29.aspx
http://support.microsoft.com/kb/241594
So, armed with that, you might have a shiver running down your spine, where you have been sitting comfortably knowing your well thought out and carefully monitored image based backup is fool proof – I’m afraid not.
(Having said all of that, there is actually a way around not having a system state backup, but telling you how would encourage bad practice so i’m not going to, and it only works for one of the scenarios 
)
If you are using the built-in SBS backup, then a system state is included as part of that backup.
Now it has to be said that there will only be a handful of occasions where this would be useful, but wow, if you are in one of those situations you will be glad you have one.
What is it going to protect you against? A corrupted Active Directory (yes it does happen) An accidentally deleted user or other object. Locking yourself out of the domain admin account?
(for SBS Essentials we can easily enable something called the Active Directory Recycle Bin more on that later)
Without the system state backup included in our daily backup – what do we do?
Well lucky for us on SBS the Windows Server Backup feature is already enabled. So it is very easy to setup and perform a System State backup. Open up a command prompt as an administrator..
To run a system state backup we can use the wbadmin command tool. You choose to run your system state backup to a volume, not a folder, however you cannot use a location that is included in the backup as the destination, so for example the below command will fail.
wbadmin start systemstatebackup –backuptarget:c:
Lets look at the parameters available for the backupsystemstate command.
From TechNet:
So, we know that a network location is out, that leaves either a separate Data volume, or an external drive.
I suppose could use the same disks here that we use for our daily backups however I think a better solution is to backup to our Data partition and then that will be included within our normal daily backup (image based or otherwise) Of course, once we have backed up the System State, there is nothing to say we can’t copy it to a network share or anywhere else.
So, let’s try this command instead.
wbadmin start systemstatebackup –backuptarget:d:
You will need to confirm that yes you really do want to start a backup.
The backup will then start, and create shadow copies for the volumes the system detects as part of the ‘system state’
It will show you how many files are being detected, and continue on with the backup.
Now it might take quite some time for the backup to run as being an SBS server there is a lot of data to be backed up.
Once the backup is completed, we can see we now have a new folder on our D drive.
If we try to access this we are blocked, so in order to show you what is inside ill click Continue here.
We see a folder named after the server, again we need to gain access.
Now inside here we have several folders, the backup itself is contained within the Backup folder, and it is named with a date and time that the backup was launched. Inside this folder will be some XML files and a VHD per volume backed up.
Below shows the size of the backup folder of a fairly standard SBS Essentials System State.
Moving on to schedule the backup we can just build a simple scheduled task to run the wbadmin command, but you will want to add on the –quiet switch so it runs silently. I will leave it up to you to decide if you want to copy that off to a different location.
Here is a sample script you can run to do perform a System State backup, then copy to a network share.
wbadmin start systemstatebackup –BackupTarget:d: -quiet
ping 127.0.0.1
robocopy d:\WindowsImageBackup \\networkcomputer\SBSSystemState /E /COPY:DATSO /Z
I added the ping in there to give it a few seconds after the backup had completed before it starts to copy, and not being a script wizard, that’s the best i can do. You can just dump that into notepad and save it as a BAT file and use your task scheduler to run that file.
I know what you are thinking, how do i restore this?
First off, you need to boot the server into a special mode called Directory Services Restore Mode. You do this by pressing F8 at startup (just after post has completed but before the windows logo appears) Then you need to logon.
You cant logon using your domain admin password, as the domain is not running. So instead you need to use a special account.
Enter this:
Username: .\administrator
(yes that is .\ this tells the logon process to logon locally as opposed to onto the domain)
Password: domain admin password
(your domain admin password)
Once logged in, you can browse the system as though you were booted up in normal mode. This is good if you need to copy the backup back from a network share or similar (you don’t need to as the restore supports a backup stored on a network share)
So from our elevated command prompt we can run..
wbadmin get versions
This will list all the available versions of the backups you have to restore.
Pay attention to the version identifier as we will need this to initiate a restore.
To start the restore enter.
wbadmin start systemstaterecovery –version:08/24/2011-09:56
You will need to say Yes i want to start the recovery, and then also say yes to confirm you understand about potential impact on replication (only applicable in multi DC environments)
The backup will then whizz off and restore.
Once the restore is complete, you need to reboot.. then when you log in you should see…
For more examples and a list of syntax, check this out.
AD Recycle Bin (AD RB)
Being up front and honest, never used it.
it is a new feature with Windows Server 2008 R2, and, well it looks pretty cool. This will help protect against items that were accidentally deleted, and should help stop you having to do a full restore of AD.
Check out this blog post for an introduction:
And for more info:
http://technet.microsoft.com/en-us/library/dd391916%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/dd392261%28WS.10%29.aspx
Now, you read all that right?
So you know then, that to enable AD RB your Forest Functional Level must be at Server 2008 R2 which is good news for SBS 2011 Essentials customers, as it is by default.
Potentially bad news for SBS 2011 Standard customers, as it isn’t.
Even worse for those of you on SBS 2008, as that is plain old Server 2008, not R2.
Check out this TechNet page for more info http://technet.microsoft.com/en-us/library/cc730985.aspx
Very quickly, if you have, or plan to have any DC’s that will not be running Windows Server 2008 R2, then the AD RB is not going to be an option for you in an SBS network.
Assuming all is well, and you have followed the guidance and planning advice in the links above, and also done all your own research and promise not to blame me if anything goes wrong..
Enabling the AD RB is straight forward. You need to use the AD PowerShell Module, from Administrative tools, and also run this As Administrator.
This article does such a great job of explaining it, you should just read that instead!
About Robert Pearman
Title (Required) 
Interesting Post. Have to try it out instead of taking image snapshots with Acronis.
You would probably want to take these system state backups in addition to your Acronis backups.
The system state will generally not include your data.
Is an extra system state backup truly necessary if your SBS server is the only DC in the network?
I can’t attest for Acronis, but I have used Shadow Protect for years and years. Shadow Protect uses VSS to tell the System State (among other VSS writers) … “hey..im going to take a snapshot…”
I’ve restored SBS 2003-2011 from SP images a number of times (only DC mind you) without any issues….
just a thought…my pet peeve with Server 2008 in general is that the system state backups are typically 7-10GB alone…
I guess that depends on your DR plan. If you delete a user and you want to restore an image of the entire server, then maybe not. If the AD becomes corrupt, and you want to restore an image…
@Paul C.
I speak from personal experience here as a loyal ShadowProtect user…
Microsoft technical support does not support image-based backups as a recovery method. In other words, if your SBS box takes a nosedive and you have to call MIcrosoft CSS, if you don’t have a System State Backup their commitment is ‘best effort’.
In other words, if you have ONLY done ShadowProtect backups (and no System State Backups), you’re working outside the acceptable parameters.
Real life example:
Wednesday night ShadowProtect backup is successful.
Thursday night after work hours (but before the ShadowProtect backup) the SBS box stops allowing logins.
Friday morning no users can login.
Friday morning a call is placed to Microsoft CSS. The first thing they want is to try and repair Active Directory from a System State Backup.
You say, ‘np, I have ShadowProtect backups).
CSS says, ‘we don’t support image-based backups (ShadowProtect, Acronis, etc.) – only System State Backups.’
Because you have no SSB, you are now ‘off script’. The L1 techs at Microsoft now don’t have a documented / supported path to fix your server.
If you roll the server back to Wednesday night’s backup, you loose all of the new email and files from Thursday (since ShadowProtect was not able to run).
Long story short: “wbadmin start systemstatebackup -backuptarget:E:” is your friend. Do it in addition to your normal ShadowProtect backups.
This all seems jolly complicated, why not use NT Backup [current variant] to make your SSB then collect it via the next image?
That is what we are doing, just using the command line rather than the gui.
I am at a place now where I can not get a good backup via the GUI. In fact I have offloaded the exchange database and data files manually and with 3rd party tools however I am sitting on a 2 disk failure in a RAID 1+0 setup. The GUI gets to about 4% – 9% on SBS Backup and Easeus TODO-Backup Advanced server (Trial) then suddenly reboots. After about 30 min of the raid controller telling me it is not going to load the array it finally does with a degraded array. I repeated this process 6 or 7 times however tonight I started this method via command line and I am at 34% at the moment. I hope this works and will report my findings.
Note I also exported the mail boxes to PST in case I totally have to start over as it is a small network I can rejoin the computers easily enough.
Darn it 35% it failed with a BSOD. Well I guess with only a few users its not so bad.