Re: [Samba] AD Backup Best Practice

On Sun, 10 Feb 2019 14:13:27 +0100
Viktor Trojanovic via samba <samba@xxxxxxxxxxxxxxx> wrote:

> I'm currently reviewing my own backup strategy for Samba and I
> realize it is not in line with best practices provided in the Wiki. (
> https://wiki.samba.org/index.php/Back_up_and_Restoring_a_Samba_AD_DC)
> Said best practices, however, seem a bit like a nightmare to me.
> Assuming the AD is gone and you want to restore just one DC, and you
> want things to look just as they did before the crash, the process
> according to the Wiki looks as follows:
> 1. Install a Samba DC on a new (!) temporary host and provision the
> domain, just like you would when doing a new install from scratch.
> That task alone is tremendous.
> 2. Stop Samba and restore the AD from backup to this domain not (!)
> into the default Samba folder, advise Samba accordingly when starting
> it.
> 3. On the original host, set up a Samba DC and join the domain.
> 4. If GPO or scripts exist on sysvol, manually set up sysvol
> replication to get them to the original DC.
> 5. Remove the temporary host.
> Just... wow. :)

Tend to agree with you. The wiki page asks this question, 'So which
backup should I use?', then goes on to enumerate 5 different reasons
why you would need a backup and seems to totally miss the point. Your
domain has gone down and it is headless chicken time ;-)
All you would want to do is to get your domain back up again as quickly
as possible.

I think you would only do '1' if you wanted to rename the domain.

Not sure where you got restoring into a different folder from; I
thought the restore put everything back to where it came from.

You shouldn't have to do '4': the backup contains a copy of sysvol and
smb.conf, so you should be able to restore to the DC it came from. It
would just have to be the only DC, and all DCs would have to be
stopped; it would probably be better to rename the old DC before
carrying out the restore.

> Isn't there a simpler way of doing this? Namely, if all the restore
> operations are done offline anyway, why is it frowned upon to simply
> do everything on the original DC, i.e. forgo the temporary host,
> overwrite the configuration files (/etc/samba) and the local Samba
> folder (e.g. /var/lib/samba) with what's in the backup and be done
> with it? What's the difference between doing this and just restoring
> the whole machine running the DC bit for bit (dd backup and restore)?

If you are talking about stopping the DC and copying it (somehow), then
this should work, but you would have to be aware that you would have to 
stop your DC regularly and that your backup would only be valid for the
time you took it, anything between that backup and the next would be
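The "stop the DC and copy it" approach discussed in the reply above, written out as an added example; this is not code from the thread or from the Samba project. It archives the two paths named in the thread (/etc/samba and /var/lib/samba by default), records a SHA-256 so a truncated or altered archive is caught before anyone restores from it, and checks that the archive really carries smb.conf and a sysvol tree, the two things the reply says the backup must contain. The systemd unit name is an assumption that varies by distribution, so the caller passes it in (an empty name skips the stop/start); tar, gzip, sha256sum and date are assumed present.

```shell
#!/bin/sh
# Offline, point-in-time backup of a Samba AD DC: stop the DC, archive the
# configuration and state directories, record a checksum, start the DC again.
# Added example for the thread above, not Samba's own tooling.
# Assumptions: the service unit name is supplied by the caller (it differs
# between distributions); the default directories are the /etc/samba and
# /var/lib/samba paths mentioned in the thread; GNU tar and sha256sum exist.

set -u

# samba_offline_backup DEST_DIR [SERVICE] [CONF_DIR] [STATE_DIR]
# Prints the path of the archive it wrote. The DC stays stopped for the whole
# copy so the ldb/tdb files are consistent, and is restarted even if tar fails.
samba_offline_backup() {
  dest_dir=$1
  service=${2:-}
  conf_dir=${3:-/etc/samba}
  state_dir=${4:-/var/lib/samba}
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  archive="$dest_dir/samba-dc-offline-$stamp.tar.gz"
  rc=0

  mkdir -p "$dest_dir" || return 1
  [ -n "$service" ] && systemctl stop "$service"
  # Entries are stored relative to / so that a restore on the same host is
  # simply: tar -xzf ARCHIVE -C /   (with the DC stopped, as in the thread)
  tar -czf "$archive" -C / "${conf_dir#/}" "${state_dir#/}" || rc=$?
  [ -n "$service" ] && systemctl start "$service"
  [ "$rc" -eq 0 ] || return "$rc"

  # The checksum lets the restore side detect a truncated or altered archive.
  ( cd "$dest_dir" && sha256sum "$(basename "$archive")" > "$archive.sha256" ) || return 1
  printf '%s\n' "$archive"
}

# samba_backup_verify ARCHIVE
# Verifies the recorded checksum and that the archive carries the two things a
# DC restore depends on: smb.conf and the sysvol tree.
samba_backup_verify() {
  archive=$1
  ( cd "$(dirname "$archive")" && sha256sum -c --quiet "$(basename "$archive").sha256" ) || return 1
  listing=$(tar -tzf "$archive") || return 1
  printf '%s\n' "$listing" | grep -q '/smb\.conf$' \
    || { echo "no smb.conf in archive" >&2; return 1; }
  printf '%s\n' "$listing" | grep -q '/sysvol/' \
    || { echo "no sysvol tree in archive" >&2; return 1; }
  echo "ok: $archive"
}
```

Usage on a DC would be `samba_offline_backup /srv/backups samba-ad-dc` followed by `samba_backup_verify /srv/backups/samba-dc-offline-<stamp>.tar.gz`. The caveat from the reply still applies: the archive is only good for the moment the DC was stopped, so anything written to the directory between that copy and the next one is not in it, and the restore must happen onto a host that is the only running DC.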