Re: [Samba] AD Backup Best Practice




On Sun, 10 Feb 2019 at 20:23, Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
wrote:

> On Sun, 10 Feb 2019 20:11:02 +0100
> Viktor Trojanovic <viktor@xxxxxxxx> wrote:
>
> > On Sun, 10 Feb 2019 at 19:52, Rowland Penny via samba
> > <samba@xxxxxxxxxxxxxxx> wrote:
> >
> > > On Sun, 10 Feb 2019 19:33:17 +0100
> > > Viktor Trojanovic <viktor@xxxxxxxx> wrote:
> > >
> > > > On Sun, 10 Feb 2019 at 17:42, Rowland Penny via samba
> > > > <samba@xxxxxxxxxxxxxxx> wrote:
> > > >
> > > > >
> > > > >
> > > > > The problem is that a Samba AD DC is constantly in flux, that
> > > > > is, it changes constantly, if your 'snapshot' can guarantee it
> > > > > is correct, then I see no problem, but you would only really
> > > > > know when you tried to restore it.
> > > > >
> > > > > >With regards to information between 2 backups being lost, how
> > > > > > is that different with other backup strategies, for example
> > > > > > using samba-tool online backup?
> > > > >
> > > > > That is the problem with any AD DC backup method, the backups
> > > > > can quickly become out of date.
> > > > >
> > > > >
> > > > > You keep saying that but I can't quite wrap my head around it.
> > > > > How exactly
> > > > is the DC constantly in flux? Say I set up my small AD, one DC, 10
> > > > users, 10 computers, internal DNS and some GPOs and I'm not
> > > > touching any of that anymore after the initial setup. Yes, users
> > > > create their files, set permissions etc but that's all done on
> > > > the filesystem of the member server and not in the AD itself,
> > > > right? So what will have changed a week later on the DC?
> > > >
> > > > Viktor
> > >
> > > If all you have is 10 users, then your changes are going to be
> > > small, but there will be changes, machine passwords could change
> > > for instance. If a computer's password changes 5 minutes after you
> > > back up the domain and then a week later you restore from your
> > > backup, the machine will not be able to connect to the domain, the
> > > domain will expect the old password and the machine will be sending
> > > the new one.
> > >
> > >
> > Ok, that's a valid point but the computer pw is usually initiated
> > every 30 days. Which brings me back to my question, if I set
> > everything up on day x, meaning that user passwords don't expire for
> > another 45 days and computer passwords remain valid for another 30
> > days, make a backup on that same day, and restore the AD a week later
> > without any intermediate backups, what will I have lost?  Sorry to
> > belabor the point, I'll keep doing daily backups in any case, I'm
> > just trying to figure out what I'm missing. :)
> >
> > Viktor
>
> In a small domain like yours, probably not much, the only real thing I
> could think of would be user password changes, but in large domains you
> couldn't really do what you are proposing.
>

Thanks Rowland, so far so clear, Tim will hopefully answer the other open
questions. Out of curiosity, how do you deal with the kind of errors
you're describing? In a large domain, I guess there is a really high chance
you will end up with expired computer and user passwords in the AD backup
so how do you handle this?

Viktor
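
The stale-password effect discussed in this thread, as an added example that is not part of the original messages: given an LDIF export of `sAMAccountName` and `pwdLastSet` taken from the directory after the backup, it lists the accounts whose password was set after the backup and would therefore not match a restored database. The sample records, account names and backup time are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
BACKUP_TIME = datetime(2019, 2, 10, 20, 0, tzinfo=timezone.utc)  # constructed
# Constructed sample export (hypothetical accounts); pwdLastSet is a FILETIME.
SAMPLE_LDIF = """\
dn: CN=PC01,CN=Computers,DC=example,DC=com
sAMAccountName: PC01$
pwdLastSet: 131934528000000000

dn: CN=PC02,CN=Computers,DC=example,DC=com
sAMAccountName: PC02$
pwdLastSet: 131943027000000000

dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
pwdLastSet: 131945760000000000
"""

def filetime_to_dt(value):
    """Convert an AD FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)

def parse_ldif(text):
    """Yield one {attribute: value} dict per blank-line-separated LDIF record."""
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, sep, val = line.partition(": ")
            if sep and not key.startswith("#") and not key.endswith(":"):
                rec[key] = val.strip()  # base64 ("attr:: ...") lines are skipped
        if rec:
            yield rec

def changed_since_backup(ldif_text, backup_time):
    """Return (account, changed_at) pairs for passwords set after backup_time."""
    stale = []
    for rec in parse_ldif(ldif_text):
        raw = rec.get("pwdLastSet", "0")
        if raw == "0":  # 0 = must change at next logon, no timestamp to compare
            continue
        changed = filetime_to_dt(raw)
        if changed > backup_time:
            stale.append((rec.get("sAMAccountName", rec.get("dn")), changed))
    return sorted(stale, key=lambda item: item[1])

if __name__ == "__main__":
    for account, changed in changed_since_backup(SAMPLE_LDIF, BACKUP_TIME):
        print(f"{account}: password set {changed:%Y-%m-%d %H:%M} UTC, after backup")
```

With the sample data, PC02$ (password set 5 minutes after the backup) and alice are reported, while PC01$ is not.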