vii

Books

Contents
Chapter 6 Backup, Restore, and Recovery for Windows Server 2003
and Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Using the RC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Deploying EMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Understanding Out-of-Band Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Configuring the SAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Understanding !SAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Additional EMS Thoughts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Performing an AD Backup and Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
AD Backup Essentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Performing a System State Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Creating an AD Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
AD Nonauthritative Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
AD Authoritative Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
The New Windows 2003 Backup API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Enabling ASR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Replicating DCs from Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Next: New Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
 101

Chapter 6:

Backup, Restore, and Recovery

for Windows Server 2003 and
Active Directory
Performing backups is a system administrator’s single most important task. However, because having
backups sometimes isn’t enough, you need skills that go beyond the ability to back up and restore
files. In this chapter, I describe some common scenarios in which things go wrong – from a server
going belly up to objects in Active Directory (AD) being inadvertently deleted.
Windows Server 2003 (Windows 2003) gives you many ways to get your system back to business
as usual. I’ll show you how to use the techniques and features it offers – before you have to swing
into action to save the day (and your job). I discuss using the Recovery Console (RC), deploying the
new Emergency Management Services (EMS) feature, performing an AD backup and restore, enabling
Automated System Recovery (ASR), and replicating DCs from media with the new Install from Media
(IFM) feature.

Using the RC
When Microsoft released Windows 2000, one of my new favorite features was the Recovery Console
(RC). The RC could help you address a persistent problem that many of you will remember.
Before the advent of the RC, if a server went belly-up and you needed to perform surgery on it,
doing so was difficult if the underlying file system was NTFS. Booting from a floppy disk wouldn’t let
you see or modify NTFS volumes. Given the frustration of working with NTFS in this urgent situation,
thousands of Windows NT 4.0 server administrators kept their OS loaded on FAT partitions – just for
the rare emergency. This approach let the administrators boot to a DOS prompt to edit, rename, or
modify damaged files.
Windows 2003 and Win2K have the RC, a tool whose job is to help when the chips are down.
The RC console lets you load a very small subset of the OS along with a powerful subset of OS func-
tions. Previously, for example, if a service went down while NT 4.0 was running and you needed to
reboot the server, you might be in trouble if the Last Known Good Configuration recovery option
failed to bring your system back. With the RC, you can start and stop services, format disks, and copy
and replace files already on the disk. Basically, the RC contains much of what you’ll need should
things on a particular Windows 2003 or Win2K server go awry.

Brought to you by NetIQ and Windows & .NET Magazine eBooks

102 Windows 2003: Active Directory Administration Essentials

You can use the RC two ways: preloaded or loaded on the fly. Preloading the RC requires
only about 7MB of disk and adds an additional boot option to the boot.ini file. To preload the RC,
insert the Windows 2003 CD-ROM and open a command prompt. From the CD-ROM, run winnt32
/cmdcons. The RC will contact Microsoft for any last-minute updates, then perform the installation,
as Figure 6.1 shows.
Figure 6.1
Installing the RC

After the files are copied, you can see the fruits of your labor. Simply reboot the server and look
for the new RC line added to the boot.ini file, which Figure 6.2 shows.
Figure 6.2
RC line item in the boot.ini file

Brought to you by NetIQ and Windows & .NET Magazine eBooks

 Chapter 6 Backup, Restore, and Recovery for Windows Server 2003 and Active Directory 103

After you enable the RC, you’re asked to log on. If this server is a member server or standalone
workstation, you log on with the local Administrator password. If this server is a domain controller
(DC), you log on with the Directory Services Restore Mode password that you input when you
created this DC. (I discuss the Directory Services Restore Mode password in the upcoming AD
Nonauthoritative Restore section.) If you try to log on with the domain Administrator account
password, you won’t be permitted to use the RC, as Figure 6.3 shows.
Figure 6.3
Attempted logon to a DC with RC installed using the domain Administrator password

After you log on to the RC successfully, you have an array of tools at your disposal, as Figure 6.4
shows. I encourage you to familiarize yourself with the tools in the RC, so you’ll be ready to use
them when you encounter a problem.

Brought to you by NetIQ and Windows & .NET Magazine eBooks

104 Windows 2003: Active Directory Administration Essentials

Figure 6.4
The RC tools

Among the RC’s abundant tools, some of my favorites are

• Listsvc – Helps determine which services are running and the current state of each service
• Enable and Disable – Changes how services start up (e.g., you can disable services that aren’t
working as they should)
• Bootcfg – Aids you in rebuilding broken boot.ini files by helping you locate instances of
Windows 2003 on the computer
• Expand – Lets you take a compressed file – for example, myfile.sy_ – and expand it to
myfile.sys, which you can then place almost anywhere on the hard drive

j Tip
It’s still fairly difficult to do registry repairs inside the RC. If you need tools to repair the
registry while the server is damaged, I encourage you to check out Winternals Software’s tool
ERD Commander at

http://www.winternals.com/products/repairandrecovery/erdcommander2002.asp

Brought to you by NetIQ and Windows & .NET Magazine eBooks

 Chapter 6 Backup, Restore, and Recovery for Windows Server 2003 and Active Directory 105

Deploying EMS
When a server is unresponsive, Windows 2003’s EMS can display what’s happening over the
computer’s serial port. You can then use a second device to manage the broken server. Before I
discuss EMS further, however, I’ll review the usual options for monitoring server operations and
troubleshooting an unresponsive server.
When a server is running and you want to observe what’s going on, you have several options.
If the machine is running well, you can peek in through the built-in administrative Terminal Services
that I described in Chapter 1 (Windows 2003 by default loads the necessary files for the equivalent
of Windows 2000 Terminal Services), use Telnet to contact the machine, or tap a host of other tools.
These approaches to monitoring your server are often called “in-band” management – that is, you use
the Ethernet cable to cross the network, look into server operations, and possibly work on the server.
Many datacenters I see have clunky cabinets with racks of monitors, keyboards, and mice. Other
datacenters rack-mount their servers and use a keyboard/video/mouse (KVM) switchbox to switch
between the servers in the rack. Still others have KVM switchboxes that run over TCP/IP, the idea
being that – from anywhere in the enterprise – you can monitor what’s happening on the server
console. Some of these setups are complex and expensive, but the real question is whether they
can help if the server reaches the blue screen stage or completely hangs when you’re at another site
or in another country.

Understanding Out-of-Band Management

When you reach an unresponsive server by an alternate route – through the serial port – the
approach is often referred to as “out-of-band” (OOB) management. Because Microsoft wants you
to be able to run a lean datacenter, the company designed Windows 2003 to work in an OOB
“headless” environment.
Headless means that you can set up, build, run, monitor, restart, and repair a Windows 2003
server without a keyboard, a mouse, or even a video card. And you might be able to do so from
anywhere in your enterprise – in fact, from anywhere in the world. (You usually can’t perform all
those actions with a KVM switch or even with a TCP/IP KVM switch.)

n Note To get the kind of support that Windows 2003’s headless environment provides, you would
usually need to install a third-party card, such as Compaq’s Remote Insight Lights-Out
Edition card.

If your server becomes unresponsive over the network and you can’t use Terminal Services or
Telnet to manage it, you now have Windows 2003’s EMS. The principle underlying EMS is simple:
You install a special piece of software on Windows 2003 that displays what’s happening over the
computer’s serial port. Then, through a second device, you can manage a broken Windows 2003
server.
Any of several pieces of hardware can serve as the second device, as Figure 6.5 shows.
• You might attach a handy Windows Tablet PC running Hilgraeve’s HyperTerminal – or another
portable serial device.

Brought to you by NetIQ and Windows & .NET Magazine eBooks

106 Windows 2003: Active Directory Administration Essentials

• You might attach a password-protected security modem to the server’s serial port and dial in to
see what’s up.
• You might attach all the servers to a device called a serial port concentrator. Then, you can use
character-based Telnet to get direct access to a specific server.
Figure 6.5
Connecting to a broken server’s serial port

Out of Band /
Alternate Network
Windows 2003 Server

via S
erial
Port

Serial Port Concentrator

via
Ser
ial l-in
Po
rt Dia

via Security Modem

Se
ria
l Phone
Po
rt Company

Typically,
Production Network Ethernet you would
use one
device to
connect to
the server’s
serial port
Laptop Computer

Brought to you by NetIQ and Windows & .NET Magazine eBooks

 Chapter 6 Backup, Restore, and Recovery for Windows Server 2003 and Active Directory 107

j Tip
Cyclades (http://www.cyclades.com) is one manufacturer of serial port concentrators.
You can find the company’s statement of support for EMS at
http://www.cyclades.com/pressroom/?id=1051617600

No matter which serial connection you choose, the concept is the same: The device isn’t con-
nected to the same network as the broken server. That way, you can reach the server through the
serial port.

Configuring the SAC

The Special Administration Console (SAC) is a key component of OOB management. The SAC is the
EMS command-line environment that Windows 2003 provides. This console is separate from the usual
command-line environment and provides different functions. After you’ve enabled EMS, the SAC is
always running unless EMS components don’t load properly.
For an introduction to the SAC, go to the following Microsoft URLs:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003
/proddocs/entserver/ems_components.asp

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003
/proddocs/entserver/ems_sac_commands.asp

However you choose to manage your damaged server, with EMS, you ultimately use the serial
port. To see for yourself what EMS looks like, you must configure your server to output to the serial
port. You do so through the bootcfg command, which changes parameters in the boot.ini file. You’ll
simply run bootcfg /EMS with additional parameters.

d Caution
Your commands might differ depending on which serial and boot options work for your
hardware.

You’ll automatically add an entry to your boot.ini file that, after a reboot, enables EMS. If you
have a device connected to the serial port through a null-modem connection, you’ll see the output of
EMS as soon as the system reboots. Figure 6.6 shows the results of a successful run of the bootcfg
command as well as the output from the newly changed boot.ini file.

Brought to you by NetIQ and Windows & .NET Magazine eBooks

108 Windows 2003: Active Directory Administration Essentials

Figure 6.6
Enabling EMS

j Tip
Enabling EMS for the next boot is easy; just be sure to use the same speed for the computer and
the receiving device.

When you reboot the server, you might notice almost imperceptible differences on the boot-up
screen – but little else that’s different. In fact, if the server doesn’t encounter problems, it continues to
boot as usual. However, if you have a device connected to the serial port of the server, you’ll see the
SAC, which Figure 6.7 shows. In this example, I have a laptop running HyperTerminal connected
through a null-modem connection.

Brought to you by NetIQ and Windows & .NET Magazine eBooks

 Chapter 6 Backup, Restore, and Recovery for Windows Server 2003 and Active Directory 109

Figure 6.7
SAC initialization

After the SAC is loaded, you can choose to

• restart the unresponsive server
• shut down the server
• open one or more command prompts
• set a different IP address for the server, which is useful should the server need to be moved to a
different segment
• manually crash the system, which is useful if you want to generate Crashdump data for Microsoft
Product Support Services (PSS – Microsoft might request Crashdump information to troubleshoot
particularly sticky problems)

Figure 6.8 displays SAC commands. Reading through the list gives you a sense of the actions you
can take.

Brought to you by NetIQ and Windows & .NET Magazine eBooks

110 Windows 2003: Active Directory Administration Essentials

Figure 6.8
SAC commands

d Caution
Usually, you’ll want to avoid Crashdump because it will, as its name implies, crash the system
and create a dump.

What’s amazing about the SAC is that if your server encounters a blue screen (or if you force
one through the SAC’s Crashdump command), you’ll see the blue screen output on your serial-port
connected terminal session, as Figure 6.9 shows.

Brought to you by NetIQ and Windows & .NET Magazine eBooks

 Chapter 6 Backup, Restore, and Recovery for Windows Server 2003 and Active Directory 111

Figure 6.9
Windows 2003 server crash SAC output

Understanding !SAC
Telnet and Terminal Services work well when the system is running – in which case, you can
use in-band management. The SAC makes the difference when things aren’t going well (e.g.,
misconfigured IP addresses, service problems, blue screens) over the usual network channel.
However, if a machine is completely unresponsive (i.e., the machine might or might not have
displayed the blue screen but is 100 percent hung), you still have !SAC.
!SAC (usually pronounced Bang SAC) is a special Windows 2003 mode. !SAC provides a limited
subset of what you can do through OOB. Basically, you can restart the computer and redirect
onscreen blue screen messages. You can’t choose !SAC mode to perform these functions, however;
the underlying system chooses it for you.
For more information about !SAC, go to the following Microsoft URL:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003
/proddocs/entserver/ems_!sac_commands.asp

Brought to you by NetIQ and Windows & .NET Magazine eBooks

112 Windows 2003: Active Directory Administration Essentials

Additional EMS Thoughts

EMS, SAC, and !SAC offer OOB management with terrific benefits. However, you might be able to get
additional benefits depending on which kind of BIOS and hardware you use for your Windows 2003
server. For example, if you need to change the boot order or another BIOS setting, your BIOS might
or might not be capable of redirecting its output to the serial port. You’ll need to check with your
server vendor to ask whether your server BIOS supports redirection to the serial port.
You can do much more with EMS, headless servers, and the SAC, including building machines
from scratch – all through the serial port. For more information about EMS and headless servers,
go to the following Microsoft URL: http://www.microsoft.com/whdc/hwdev/platform/server/headless
/default.mspx

Performing an AD Backup and Restore

If you open up your Windows 2003 and Win2K Active Directory Users and Computers console,
you’re likely to see a sea of organizational units (OUs) full of users. A portion of your directory might
resemble the DomainA.com directory that the diagram in Figure 6.10 represents.

Figure 6.10
DomainA.com AD directory

John

Sally
Sales
Dirk

Jeff
West Coast Sales

Edna

East Coast Sales James

DomainA.com

Brought to you by NetIQ and Windows & .NET Magazine eBooks

 Chapter 6 Backup, Restore, and Recovery for Windows Server 2003 and Active Directory 113

AD can be a pretty treacherous place, with many administrators performing lots of work at
all times. What happens if an administrator inadvertently deletes Jeff’s account? Or worse, an
administrator deletes East Coast Sales and everyone in it? Or worse yet, an administrator deletes Sales,
all the OUs below it, and everyone in them?
Although a little panic is understandable, if you stay calm, you can get your AD accounts back.
Doing so, however, takes some pre-planning and a little good fortune.

AD Backup Essentials
Backing up AD is relatively straightforward. Simply perform a system state backup of one DC. A
server’s system state is its nucleus. If you back up a DC’s system state, you have the contents of AD.

d Caution
If you must perform a restore of deleted objects, you need to know that the machine on which
you do the backups is the machine on which you do the restores. Also, to perform a restore, as
you’ll see in the following text, you need to reboot and take the DC offline. Therefore, if you
plan to back up one or two DCs in your environment, make sure that you can reboot those
DCs during the day without penalty.

Performing a System State Backup

With the preceding information, you can use the standard backup tool. Navigate to and select System
State, as Figure 6.11 shows.

Figure 6.11
Backing up the system state

Brought to you by NetIQ and Windows & .NET Magazine eBooks

114 Windows 2003: Active Directory Administration Essentials

You should back up to a location that you’ll be able to access when this machine is
rebooted – either a tape drive or a file. Remember that you can’t take a system state backup from
one DC and restore that system state to another DC.

Creating an AD Map
Next, you need to make a “map” of your AD. If someone deletes an object, you’ll need to know its
distinguished name (DN) to restore it. As you’ll recall, a DN is a list of items separated by commas
that uniquely identifies an object by using the relative DN for the object and the names of the
container objects and domains that contain the object. The DN is a text representation of an entry in
the directory server database. For example, the object selected in Figure 6.12 would have the DN
cn=James,ou=East Coast Sales,ou=Sales,dc=domaina,dc=com

Figure 6.12
Mapping each object shown by DN

Without a map of your AD that tells you explicitly where each object is listed by DN, you’ll have
a difficult time restoring objects, as the following text discusses.

j Tip
In Chapter 7: Command-Line, Support, and Microsoft Windows Server 2003 Resource Kit
Tools, I’ll show you how to use the Dsquery command to display a list of all the users’ DNs
at once.

Brought to you by NetIQ and Windows & .NET Magazine eBooks

 Chapter 6 Backup, Restore, and Recovery for Windows Server 2003 and Active Directory 115

AD Nonauthoritative Restore
After you’ve performed your backup, if a problem occurs (e.g., someone deletes James’ account or
East Coast Sales), you can start to recover what was deleted by performing a nonauthoritative restore.
To begin a nonauthoritative restore, you need to reboot the DC on which you created the system
state backup. When you do so, press F8 to get to the special boot options that Figure 6.13 shows.

Figure 6.13
Starting an AD restore

Choose the Directory Services Restore Mode (Windows domain controllers only) option. This
choice enables a special mode that lets you start your restore process.
When the logon prompt appears, you log on with the Directory Services Restore Mode password.
You created and entered this password when you ran Dcpromo and made this server a DC.

j Tip
What if you can’t remember your Directory Services Restore Mode password? You’ll need to
reboot, log on as domain Administrator, and type
Ntdsutil

Then type the command

set dsrm password

which lets you reset your forgotten password.

After you log on, run the backup utility again. Perform a full system state restore to the original
location, as Figure 6.14 shows.

Brought to you by NetIQ and Windows & .NET Magazine eBooks

116 Windows 2003: Active Directory Administration Essentials

Figure 6.14
Restoring AD on top of itself

After you perform the full system state restore, the records you’ve preserved in the system state
backup will be returned to AD and restored. However, your job isn’t complete until you do an
authoritative restore.

AD Authoritative Restore
After the nonauthoritative restore is complete, you’ll be asked to reboot the machine. Do not reboot!
Instead, close NT Backup and proceed.

d Caution
When you’re asked to reboot the machine following a nonauthoritative restore, do not reboot!
If you reboot, other DCs can override information about the objects you’re restoring.

If you reboot, the AD objects wouldn’t be restored. This situation occurs because when an AD
object is deleted, it’s recorded as deleted and “tombstoned.” That information goes to other DCs,
which also record that the object is slated for deletion and tombstoned. As a result, even though this
DC has restored the object to its own local copy of the AD database, other DCs will override the
restoration with their signal indicating that the object is tombstoned and slated for deletion.

Brought to you by NetIQ and Windows & .NET Magazine eBooks

 Chapter 6 Backup, Restore, and Recovery for Windows Server 2003 and Active Directory 117

You need a way to communicate to the other DCs that – for the specific objects you want
restored – those DCs should accept a signal to override the communication that those objects are
slated for deletion. That signal is the authoritative restore.

n Note Because AD replication would require a chapter in itself, I’ll keep the information brief here.
However, underneath the hood, the authoritative restore raises the update sequence number
(USN) to a very high number – ensuring that other DCs with lower USNs can’t overwrite the
objects you’re restoring. For a comprehensive article about USNs with AD backup and restore,
see my article at http://www.mcpmag.com/features/article.asp?editorialsid=166
and the following Windows and .Net Magazine article at
http://www.winnetmag.com/articles/index.cfm?articleid=15558

Start your authoritative restore by typing

Ntdsutil

at a command line. Then, to reach the authoritative restore menu, type

authoritative restore

Assuming the inadvertently deleted portion of AD was the East Coast Sales OU and everything in it,
following “authoritative restore,” type
restore subtree "ou=East Coast Sales,ou=sales,dc=domaina,dc=com"

as Figure 6.15 shows.

Figure 6.15
Performing an authoritative restore

Brought to you by NetIQ and Windows & .NET Magazine eBooks

118 Windows 2003: Active Directory Administration Essentials

An authoritative restore ensures that other DCs won’t overwrite the objects you’re restoring after
this DC is rebooted. When you reboot this DC after the authoritative restore is complete, the deleted
objects get the signal to “ride above” the tombstoned objects. That way, the objects are restored to
this DC and replicated to all other DCs.

The New Windows 2003 Backup API

Windows 2003 provides a new API, Tombstone Reanimate, which should be useful in restoring
deleted objects in AD. As you just read, it takes a full system state backup of a DC, a reboot, a
nonauthoritative restore, and an authoritative restore – just to get back one user object. The idea of
the new API is straightforward: After an AD object is tombstoned – that is, marked for deletion –
you can have a program “un-tombstone” that object.
I worked with Bill Boswell (http://www.winconsultants.com) and Mark Russinovich
(http://www.sysinternals.com) to test this API. Unfortunately, although we were able to reanimate
tombstones (and get previously deleted objects back from the dead), they resembled the reanimated
animals in Stephen King’s Pet Sematary in that they “weren’t quite right.” Most of their features,
such as group membership and even phone number, weren’t replaced, making the API a lot less
useful than it could be. You can test the code yourself by visiting
http://www.sysinternals.com/files/adrestore.zip.

Enabling ASR
When a major server failure hits, you want to get the server back up and running quickly. Windows
2003’s (and Windows XP’s) Automated System Recovery (ASR) feature lets you recover a system that
won’t start. Before ASR, you had to load the entire OS from CD-ROM, then do a complete restore on
top of the fresh OS installation.
ASR lets you take a snapshot of the system volume and put it on tape or other locally attached
media. Additionally, some information about the backup is preserved to floppy disk. Figure 6.16
shows the Automated System Recovery Preparation Wizard, which lets you enable ASR from within
Windows 2003’s backup utility.

Brought to you by NetIQ and Windows & .NET Magazine eBooks

 Chapter 6 Backup, Restore, and Recovery for Windows Server 2003 and Active Directory 119

Figure 6.16
The Automated System Recovery Preparation Wizard

n Note ASR lets you take a snapshot of the system volume for later restore.

j Tip
The Automated System Recovery Preparation Wizard backs up the partition the OS uses, but it
doesn’t back up other partitions, such as program and data partitions. Those partitions must be
backed up using standard routines.

When a problem hits, you can simply pop in the most recent set of ASR tapes along with the
floppy disk created for that backup and boot with the Windows 2003 CD-ROM, as Figure 6.17
indicates. While the CD-ROM is booting, press F2 for ASR Recovery, and you’re nearly done.

Brought to you by NetIQ and Windows & .NET Magazine eBooks

120 Windows 2003: Active Directory Administration Essentials

Figure 6.17
Starting ASR after a disaster

The ASR process will read the floppy disk to determine your disk configuration at the time
you created the backup. After the OS is loaded, the process automatically restores the rest of the
system drive.
ASR can really save time – but the catch is that the backup data must reside in a place that
ASR can reach. ASR can reach only locally attached backup data, such as data stored on tape or disk.
(You can’t access the backup over the network, and you can’t have it waiting for you on specialty
devices such as FireWire – IEEE 1394 – or USB 2.0 drives.)
For more information about ASR, go to
http://www.windows2000faq.com/articles/index.cfm?articleid=37650
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003
/proddocs/entserver/asr_overview.asp

Replicating DCs from Media

Before I wrap up this chapter, I want to discuss one more backup-related issue: the new Windows
2003 option that lets you install from media. IFM solves a serious problem that certain AD
deployments have. Some AD deployments are so large and the pipes between DCs so small that
promoting a new DC becomes painfully slow – or even impossible.
Windows 2003’s IFM option lets you take one DC’s system state and put it on CD-ROM, USB
“thumb drive,” or any other removable media. You can then ship that removable media along with
the server to a destination (or if the server is already at the destination, send just the latest IFM media
set). When you’re ready to promote the target server to DC, run Dcpromo with a special switch (the
Dcpromo /adv switch), and the Active Directory Installation Wizard will prompt for that previously
saved system state, as Figure 6.18 shows.

Brought to you by NetIQ and Windows & .NET Magazine eBooks

 Chapter 6 Backup, Restore, and Recovery for Windows Server 2003 and Active Directory 121

Figure 6.18
Deploying IFM to copy domain information

The newborn DC gets about 99 percent of the AD information from the removable media it has
locally. You can get the remaining 1 percent of information over the network. Now, deploying DCs
across even pathetically slow links is virtually a guaranteed success.

n Note You start with a system state you already have, put it on removable media, and ship it with (or
to) the DC-to-be. Then, run Dcpromo /adv. When you do, the Active Directory Installation
Wizard offers a special option for promoting a new DC. By using IFM, you can reduce network
traffic and get that DC loaded.

Next: New Tools and Resources

Being able to restore AD is more important than ever; fortunately, doing so is easier than ever. The
Windows 2003 backup and recovery functions I’ve discussed in this chapter take you a long way
toward recovery nirvana.
• RC – Microsoft introduced the RC in Win2K, but the feature has been updated in Windows 2003.
• EMS with SAC and !SAC – EMS, SAC, and !SAC are new in Windows 2003.

Brought to you by NetIQ and Windows & .NET Magazine eBooks

122 Windows 2003: Active Directory Administration Essentials

• AD backup and restore – Although this function is familiar, it’s good to refresh your knowledge.
Also, I hope that the Tombstone Reanimate API brings forth some goodies from third-party tool
makers.
• ASR – ASR is new in XP and Windows 2003. The tool is handy, but works only if the disk or
tape is locally attached.
• IFM – IFM is a highly useful tool, especially for large AD shops with small pipes and lots of DCs.

Windows 2003 becomes more interesting the closer you look. In Chapter 7, you’ll encounter
Windows 2003’s new built-in tools, support tools, and resource kit tools.

Brought to you by NetIQ and Windows & .NET Magazine eBooks