Server Backup Administration & Checkpoints

[StarKiller70]

Hey guys, I'm trying to better understand how to properly back up a Domain Controller as well as a Hyper-V using checkpoints.

 

From my understanding of doing my own research. A Checkpoint is mainly for VM's in Hyper-V / VMWare / Virtual box, which will allow you to revert a virtual machine back to a previous point in time much like a checkpoint in a game.

 

For backing up a physical DC There are different ways to go about it which is you can have a physical device connected to it and perform a enterprise back up with a large file server, you can perform a NAS back up either locally or cloud third party.

 

What's usually the more effective way to go about this? Physical, Cloud, or both? 

 

Any professional insight would be appreciated. Than you!

[jake9000]

So in regards to domain controllers specifically, you really need to have two DCs. In a single-DC scenario, restoring to a checkpoint will roll back your changes. Onlining an older backup will cause new devices/accounts to disappear, old devices to reappear, renewed certificates to become invalid, password changes to roll back... a lot of bad stuff. 

 

Have two DCs on separate hardware. If you absolutely can't have more than one physical server, a cluster-in-a-box (two virtual DCs on a single host) is an ok stopgap. If you have to do a restore, just delete the bad domain controller and make a new one and let the remaining one replicate to it. The only time you ever want to restore a DC from backup is if you had a total infrastructure loss and there wouldn't be any changes between the backup's creation and the restore anyways. 

 

I use Veeam almost exclusively and have no physical DCs. It connects to the hypervisor and backs up from there. I like the backup stuff to be its own device that replicates to cloud, and it holds a one-way trust to the production environment so ransomware or attackers can't traverse into the backup systems. 

[Jarsky]

16 hours ago, StarKiller70 said:

From my understanding of doing my own research. A Checkpoint is mainly for VM's in Hyper-V / VMWare / Virtual box, which will allow you to revert a virtual machine back to a previous point in time much like a checkpoint in a game.

 

Just to clarify this statement, a checkpoint/snapshot is not a backup. 

Checkpoints/Snapshots are for capturing the state of the machine before making a change. It creates a delta of the virtual disks allowing you to revert/restore to that point in time. When your change is completed and confirmed all is OK then you should be deleting/merging it which merges the delta disk into the main disk image. 

 

For making a backup of virtual machines, you should use a backup program (some free ones are Veeam, Altaro, Nakivo, Vembu, etc....)

 

For Physical, Windows actually has a free built in utility for doing full disk backups. 

Veeam & Nakivo both have solutions for physical servers as well. I assume its just the 1 physical so you wouldn't want to go with some big enterprise solution. 

[StarKiller70]

5 hours ago, Jarsky said:

 

Just to clarify this statement, a checkpoint/snapshot is not a backup. 

Checkpoints/Snapshots are for capturing the state of the machine before making a change. It creates a delta of the virtual disks allowing you to revert/restore to that point in time. When your change is completed and confirmed all is OK then you should be deleting/merging it which merges the delta disk into the main disk image. 

 

For making a backup of virtual machines, you should use a backup program (some free ones are Veeam, Altaro, Nakivo, Vembu, etc....)

 

For Physical, Windows actually has a free built in utility for doing full disk backups. 

Veeam & Nakivo both have solutions for physical servers as well. I assume its just the 1 physical so you wouldn't want to go with some big enterprise solution. 

Thank you for this insight I really do appreciate it. I do have two Domain Controllers one master, and one slave. As far as enterprise solutions, it doesn't have to be fully enterprise just so long as its capable of restarting a crap tun of data for the main DC and the back up. I will definitely check out Veeam and Nakiyo soltuions you've provided.

[StarKiller70]

15 hours ago, jake9000 said:

So in regards to domain controllers specifically, you really need to have two DCs. In a single-DC scenario, restoring to a checkpoint will roll back your changes. Onlining an older backup will cause new devices/accounts to disappear, old devices to reappear, renewed certificates to become invalid, password changes to roll back... a lot of bad stuff. 

 

Have two DCs on separate hardware. If you absolutely can't have more than one physical server, a cluster-in-a-box (two virtual DCs on a single host) is an ok stopgap. If you have to do a restore, just delete the bad domain controller and make a new one and let the remaining one replicate to it. The only time you ever want to restore a DC from backup is if you had a total infrastructure loss and there wouldn't be any changes between the backup's creation and the restore anyways. 

 

I use Veeam almost exclusively and have no physical DCs. It connects to the hypervisor and backs up from there. I like the backup stuff to be its own device that replicates to cloud, and it holds a one-way trust to the production environment so ransomware or attackers can't traverse into the backup systems. 

Thank you for your isnight, the way it is now is that I have one physical server for the DC and then I have another physical server that has a VM through Hyper-V as our backup DC. Which I believe is easy to backup/restore to if need be because I know how to export import the virtual machine o that it can function properly.

 

I will definitely check out the solutions you've provided and thank you again.

[leadeater]

On 11/7/2019 at 7:33 AM, StarKiller70 said:

From my understanding of doing my own research. A Checkpoint is mainly for VM's in Hyper-V / VMWare / Virtual box, which will allow you to revert a virtual machine back to a previous point in time much like a checkpoint in a game.

Never keep VM snapshots for extended periods of time, never. While a VM has a snapshot you often cannot make any changes to that VM hardware configuration (depends on VM host platform) but more critically when a VM has a snapshot it has a change tracking disk file and this does not do anything other than get larger and larger until your storage volume is full. The increasing in size does not relate to using more storage within the VM but any changes at all, only once you remove the snapshot can this delta change file be read back in and resultant calculated, until then full change history has to be kept. If you run out of space you're pretty well screwed and can lead to complete data loss.