About the role of Active Directory

Article:HOWTO13582  |  Created: 2008-01-05  |  Updated: 2013-10-17  |  Article URL http://www.symantec.com/docs/HOWTO13582
Article Type
How To


When you protect a domain controller with Backup Exec System Recovery, be aware of the following:

  • If your domain controller is Windows Server 2003, it supports VSS, and Backup Exec System Recovery automatically calls VSS to prepare the Active Directory database for backup. Windows 2000 domain controllers do not support VSS. When the domain controller runs on a Windows 2000 server, you must back up the Active Directory database with NTbackup before you use Backup Exec System Recovery to protect the full system. You can automate this step with an external command that Backup Exec System Recovery calls: when you create a backup job, you have the option to enter external commands. This provides a simple process for protecting domain controllers that do not support VSS.

  • To participate in a domain, every domain computer must negotiate a trust token with a domain controller. This token is refreshed every 30 days by default; the time frame can be changed. This relationship is referred to as a secure channel trust. A trust token contained in a recovery point, however, cannot be automatically updated by the domain controller. Therefore, when a computer is recovered with a recovery point that contains an outdated token, the recovered computer cannot participate in the domain until someone with the proper credentials has added it to the domain again.

    In Backup Exec System Recovery, this trust token can be re-established automatically if the computer currently participates in the domain at the time the recovery process is started.

  • In most cases, domain controllers should be restored non-authoritatively. This prevents outdated objects in Active Directory from being restored. Outdated objects are referred to as tombstones. Active Directory does not restore data older than the limits it sets. Restoring a valid recovery point of a domain controller is the equivalent of a non-authoritative restore. Refer to the Microsoft documentation to determine which type of restore you want to perform. A non-authoritative restore prevents tombstone conflicts.
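
The check below is an added example, not part of the original article or of Backup Exec System Recovery. It compares the age of a recovery point with the computer's trust token refresh interval before a restore. It assumes Windows PowerShell 5.1 and that the Netlogon values MaximumPasswordAge and DisablePasswordChange are the settings that govern the refresh; the sample recovery point date is constructed.

```powershell
# Added example: estimate whether the trust token in a recovery point is outdated.
# $RecoveryPointDate defaults to a constructed sample value (45 days ago); pass the
# creation time of the recovery point you plan to restore.
param(
    [datetime]$RecoveryPointDate = (Get-Date).AddDays(-45)
)

# Assumption: these Netlogon parameters control the token refresh on this computer.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$params   = Get-ItemProperty -Path $netlogon -ErrorAction SilentlyContinue

# Refresh interval in days; fall back to the 30-day default when the value is not set.
$maxAgeDays = 30
if ($params -and $null -ne $params.MaximumPasswordAge) {
    $maxAgeDays = [int]$params.MaximumPasswordAge
}

# DisablePasswordChange = 1 means this computer never refreshes its token.
$refreshDisabled = ($params -and $params.DisablePasswordChange -eq 1)

$ageDays = [math]::Floor(((Get-Date) - $RecoveryPointDate).TotalDays)

if ($refreshDisabled) {
    Write-Output "Token refresh is disabled; a $ageDays-day-old recovery point still holds the current token."
}
elseif ($ageDays -ge $maxAgeDays) {
    Write-Warning ("Recovery point is $ageDays days old (refresh interval: $maxAgeDays days). " +
                   "Its trust token may be outdated; have domain credentials ready to rejoin after recovery.")
}
else {
    Write-Output "Recovery point is $ageDays days old, inside the $maxAgeDays-day refresh interval."
}

# On a domain member (for example, the recovered computer), confirm the secure channel.
if ((Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
    if (Test-ComputerSecureChannel) {
        Write-Output 'Secure channel to the domain is intact.'
    }
    else {
        Write-Warning 'Secure channel is broken; the computer must be added to the domain again.'
    }
}
```

Run the script on the computer before you start recovery to judge the recovery point, and again after recovery to verify the result.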

For additional details about protecting non-VSS aware domain controllers, see the white paper Protecting Active Directory at the following Symantec Web site:

