Lessons from the field: Backup Active Directory

Back up the system state on your domain controllers. “Like duh!” you say; well, that’s what I said too. I spent Friday at a client’s site where a domain controller had gone down and they were experiencing issues with logons and Exchange. The client had four domain controllers, one at each of their four sites, and all were marked as Global Catalog(ue)s. However, once this single DC went down, due to hardware failure, AD essentially went bye-bye. Backups were no good and all the usual diagnostic tools would only show the downed DC as the lone GC. We could not seize the Schema Master and, after spending about 6 hours on the phone with PSS, the decision was made to start again with a new domain, DC and Exchange server. Lots of fun that could have been avoided with products like Microsoft Operations Manager or NetIQ AppManager. I still don’t understand why these types of products are generally a hard sell.

Another recommendation: run your domain controllers as dedicated machines, whether they be physical or virtual machines. Unless you’re a small shop, only place services such as the GC, DHCP, DNS, WINS and IAS on the DCs. These services require little CPU power and RAM and dedicated DCs are much easier to recover or replace.

One Comment

  1. Stew Barr wrote:

    Accidents have a habit of happening when you don’t expect them. I used to use NTBackup and utilise a standard procedure with backing up *.dits, *.logs, etc. Yes, it works but still requires a lot of extra work, as a little deviation from the standard case renders the basic procedure unusable and hardly reliable. Then I was hired by a company that served a large manufacturer. Guys there used an Active Directory backup tool from Scriptlogic. I quickly realized that sometimes a little tool can do the huge work that you used to do yourself and, like you, Aaron, I dug that those troubles that I have had in the past could have been avoided by using this tool. What I like in Active Administrator is that it can back up ADAM instances. That’s great because I have seen similar disasters in small organizations and environments too. I should say that having no Active Directory forest doesn’t necessarily mean that you are in a safe place and there isn’t anything so dire that it can ruin all your operations in a second. Unfortunately it isn’t so, and even with a small organization you might expect sudden troubles. That’s why now I always use Active Administrator when I work with small organizations.

    Posted on 07-Jul-07 at 12:02 am