Performing a System State Backup on SBS 2011 (Standard & Essentials)
September 13, 2011
Hands up if you use Image Based Backup?
Good, all of you.
Or is that bad?
There was a lively discussion recently on the topic of Image Based backups in an Active Directory environment.
It seems a lot of people have potentially overlooked the issue of having to restore a Domain Controller, or part of Active Directory.
If you are using solely image-based backups and you lose a domain controller, what can you do?
Sure you can restore that server, using an image.
Thinking back to the days before image-based backup, NTBackup or similar gave us a System State backup. For those who don’t know, that was basically a backup of the registry and any other critical system files and, in the case of a domain controller, a backup of Active Directory as well. (Susan Bradley’s Blog Post on a System State Backup in the 2003 era)
This backup was special, separated from a normal all files backup.
With that backup you could perform either a non-authoritative restore or an authoritative restore, depending on your needs. I won’t go into too much here, but basically a non-authoritative restore allows the local server’s AD to be overwritten by any other DC, while an authoritative restore tells the local DC to overwrite all the other DCs. The key is that you need a System State backup in order to kick off either type of restore.
You can find more info here:
So, armed with that, you might have a shiver running down your spine. If you have been sitting comfortably, believing your well thought out and carefully monitored image-based backup is foolproof: I’m afraid not.
(Having said all of that, there is actually a way around not having a system state backup, but telling you how would encourage bad practice so I’m not going to, and it only works for one of the scenarios.)
If you are using the built-in SBS backup, then a system state is included as part of that backup.
Now it has to be said that there will only be a handful of occasions where this would be useful, but wow, if you are in one of those situations you will be glad you have one.
What is it going to protect you against?
A corrupted Active Directory (yes, it does happen).
An accidentally deleted user or other object.
Locking yourself out of the domain admin account.
(For SBS Essentials we can easily enable something called the Active Directory Recycle Bin; more on that later.)
Without the system state backup included in our daily backup – what do we do?
Well, lucky for us, on SBS the Windows Server Backup feature is already enabled, so it is very easy to set up and perform a System State backup. Open up a command prompt as an administrator.
To run a system state backup we can use the wbadmin command tool. The target of a system state backup is a volume, not a folder. However, you cannot use a location that is included in the backup as the destination, so, for example, the command below will fail.
wbadmin start systemstatebackup -backuptarget:c:
Let’s look at the parameters available for the systemstatebackup command.
So, we know that a network location is out, that leaves either a separate Data volume, or an external drive.
I suppose we could use the same disks here that we use for our daily backups. However, I think a better solution is to back up to our Data partition, so that the System State is then included within our normal daily backup (image-based or otherwise). Of course, once we have backed up the System State, there is nothing to say we can’t copy it to a network share or anywhere else.
So, let’s try this command instead.
wbadmin start systemstatebackup -backuptarget:d:
You will need to confirm that yes you really do want to start a backup.
The backup will then start, and create shadow copies for the volumes the system detects as part of the ‘system state’.
It will show you how many files are being detected, and continue on with the backup.
Now, it might take quite some time for the backup to run; this being an SBS server, there is a lot of data to be backed up.
Once the backup is completed, we can see we now have a new folder on our D drive.
If we try to access this we are blocked, so in order to show you what is inside I’ll click Continue here.
We see a folder named after the server; again we need to gain access.
Now inside here we have several folders. The backup itself is contained within the Backup folder, which is named with the date and time that the backup was launched. Inside this folder will be some XML files and a VHD per volume backed up.
Below shows the size of the backup folder of a fairly standard SBS Essentials System State.
Moving on to scheduling the backup, we can just build a simple scheduled task to run the wbadmin command, but you will want to add on the -quiet switch so it runs silently. I will leave it up to you to decide if you want to copy that off to a different location.
Here is a sample script you can run to perform a System State backup, then copy it to a network share.
wbadmin start systemstatebackup -BackupTarget:d: -quiet
robocopy d:\WindowsImageBackup \\networkcomputer\SBSSystemState /E /COPY:DATSO /Z
I added the ping in there to give it a few seconds after the backup had completed before it starts to copy, and not being a script wizard, that’s the best I can do. You can just dump that into Notepad and save it as a BAT file and use your task scheduler to run that file.
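A scheduled backup that fails silently is as bad as no backup, so here is a PowerShell variant of the script above that copies only after the backup has been verified. It is an added example, not the original post's script; the log path is hypothetical, and it assumes wbadmin returns a non-zero exit code when the backup fails.

```powershell
# Added example: system state backup with result checks before the off-box copy.
# Run elevated. Drive, folder and share are the ones used in the post;
# $Log is a hypothetical path.
$Target = 'd:'
$Source = 'd:\WindowsImageBackup'
$Share  = '\\networkcomputer\SBSSystemState'
$Log    = 'd:\SystemStateBackup.log'

function Write-Log([string]$Message) {
    $line = '{0}  {1}' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $Message
    Add-Content -Path $Log -Value $line
}

$started = Get-Date
Write-Log "Starting system state backup to $Target"

# wbadmin runs synchronously, so the script continues only once the backup has ended.
& wbadmin start systemstatebackup "-backupTarget:$Target" -quiet
if ($LASTEXITCODE -ne 0) {
    Write-Log "wbadmin failed with exit code $LASTEXITCODE; nothing copied"
    exit 1
}

# The post notes the backup holds one VHD per volume: require at least one from this run.
$newVhds = @(Get-ChildItem -Path $Source -Recurse -Filter *.vhd |
    Where-Object { $_.LastWriteTime -ge $started })
if ($newVhds.Count -eq 0) {
    Write-Log "No VHD newer than $started under $Source; nothing copied"
    exit 1
}
$sizeMB = [math]::Round(($newVhds | Measure-Object -Property Length -Sum).Sum / 1MB)
Write-Log "Backup wrote $($newVhds.Count) VHD file(s), $sizeMB MB"

# Same robocopy switches as the post, plus bounded retries (/R, /W) and no progress output (/NP).
& robocopy $Source $Share /E /COPY:DATSO /Z /R:3 /W:10 /NP
# robocopy exit codes are a bit mask: 8 and above mean at least one copy failure.
if ($LASTEXITCODE -ge 8) {
    Write-Log "robocopy reported failures (exit code $LASTEXITCODE)"
    exit 1
}
Write-Log "Copy to $Share finished (robocopy exit code $LASTEXITCODE)"
exit 0
```

The task's last run result then reflects whether the backup and copy worked, and the log gives you something to monitor.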
I know what you are thinking, how do I restore this?
First off, you need to boot the server into a special mode called Directory Services Restore Mode. You do this by pressing F8 at startup (just after POST has completed but before the Windows logo appears). Then you need to log on.
You can’t log on using your domain admin password, as the domain is not running. So instead you need to use a special account.
(Yes, that is .\ which tells the logon process to log on locally as opposed to onto the domain.)
Password: domain admin password
(your domain admin password)
Once logged in, you can browse the system as though you were booted up in normal mode. This is good if you need to copy the backup back from a network share or similar (you don’t need to as the restore supports a backup stored on a network share)
So from our elevated command prompt we can run:
wbadmin get versions
This will list all the available versions of the backups you have to restore.
Pay attention to the version identifier as we will need this to initiate a restore.
To start the restore, enter:
wbadmin start systemstaterecovery -version:08/24/2011-09:56
You will need to say Yes, I want to start the recovery, and then also say Yes to confirm you understand the potential impact on replication (only applicable in multi-DC environments).
The backup will then whizz off and restore.
Once the restore is complete, you need to reboot. Then, when you log in, you should see…
For more examples and a list of syntax, check this out.
AD Recycle Bin (AD RB)
Being up front and honest, never used it.
It is a new feature with Windows Server 2008 R2, and, well, it looks pretty cool. This will help protect against items that were accidentally deleted, and should help stop you having to do a full restore of AD.
Check out this blog post for an introduction:
And for more info:
Now, you read all that right?
So you know then, that to enable AD RB your Forest Functional Level must be at Server 2008 R2 which is good news for SBS 2011 Essentials customers, as it is by default.
Potentially bad news for SBS 2011 Standard customers, as it isn’t.
Even worse for those of you on SBS 2008, as that is plain old Server 2008, not R2.
Check out this TechNet page for more info http://technet.microsoft.com/en-us/library/cc730985.aspx
Very quickly, if you have, or plan to have, any DCs that will not be running Windows Server 2008 R2, then the AD RB is not going to be an option for you in an SBS network.
Assuming all is well, and you have followed the guidance and planning advice in the links above, and also done all your own research and promise not to blame me if anything goes wrong...
Enabling the AD RB is straightforward. You need to use the AD PowerShell Module from Administrative Tools, and run it as Administrator.
This article does such a great job of explaining it, you should just read that instead!
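The prerequisites above can be checked before anything is changed. The following is an added example, not taken from the post or the linked article: a read-only pre-flight using the standard ActiveDirectory module cmdlets, followed by a dry run of the enable step, assuming it is run from the elevated AD PowerShell Module session on the DC.

```powershell
# Added example: read-only pre-flight for the AD Recycle Bin, then a dry-run enable.
# Run from an elevated AD PowerShell Module session on the DC.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
$problems = @()

if ($forest.ForestMode -lt $required) {
    $problems += "Forest functional level is $($forest.ForestMode); $required is required"
}

# Every DC must run Windows Server 2008 R2 (version 6.1) or later. The version number
# is compared because the OperatingSystem product name varies by edition.
foreach ($dc in Get-ADDomainController -Filter *) {
    $ver = [version](($dc.OperatingSystemVersion -split ' ')[0])
    if ($ver -lt [version]'6.1') {
        $problems += "$($dc.HostName) runs $($dc.OperatingSystem) ($($dc.OperatingSystemVersion))"
    }
}

$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($feature.EnabledScopes.Count -gt 0) {
    Write-Output 'AD Recycle Bin is already enabled; nothing to do.'
} elseif ($problems.Count -gt 0) {
    Write-Output 'AD Recycle Bin cannot be enabled yet:'
    $problems | ForEach-Object { Write-Output "  - $_" }
} else {
    # Enabling the Recycle Bin cannot be undone, so this only shows what would change.
    # Remove -WhatIf once the planning guidance has been followed.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name -WhatIf
}
```

Objects deleted before the feature is enabled are not recoverable through it, so the System State backup is still needed for anything removed earlier.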