Cohesity AD Restore


Charles F Sullivan

Aug 25, 2023, 11:56:57 AM
to ntsys...@googlegroups.com
Is anyone using Cohesity to backup AD? We switched over to it less than a year ago and it's handled by a separate group, but they do have a VM image backup as well as an AD specific backup happening each night.

Now that I finally have time to do so, I'm looking into what exactly I would need to do for an emergency restore of AD (compromise, corrupt AD DB, etc.). I won't say I've done an exhaustive search, but I have spent a good amount of time trying to find the right information. All I find are articles for restoring objects and OUs, which I have tested successfully, though that is much more likely to be done via the AD Recycle Bin. There is also "restoring a domain controller", which just has you copy over an older version of the NTDS and SYSVOL directories, apparently for a scenario where there is only one DC for your entity.

This is what I'm looking for:
  • How to revert to a "safe" AD state in a more reasonable scenario where you have multiple DCs (basically an authoritative restore). One of the things that bugs me so far is that this product doesn't do a System State backup, so you can't use ntdsutil to do the standard authoritative restore.
  • How to test such a restore, at least to the point where I would stop before pulling the trigger.
  • Any other tips, or telling me that I have this completely wrong, or whatever.
Thanks for any help.

--

Charlie Sullivan

Principal Windows Systems Administrator

Philip Elder

Aug 26, 2023, 5:12:34 PM
to ntsys...@googlegroups.com

How many DCs in the domain?

 

Philip Elder MCTS

Senior Technical Architect

Microsoft High Availability MVP

E-mail: Phili...@mpecsinc.ca

Phone: +1 (780) 458-2028

Web: www.mpecsinc.com

Blog: blog.mpecsinc.com

Twitter: Twitter.com/MPECSInc

Skype: MPECSInc.

 

Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.


Michael B. Smith

Aug 26, 2023, 5:35:14 PM
to ntsys...@googlegroups.com

One of the companies I subcontract to sells a LOT of Cohesity. But I don’t like it on DCs. Otherwise, it’s great.

 

Thanks.

 

Regards,

Michael B. Smith

Managing Consultant

Smith Consulting, LLC

Philip Elder

Aug 26, 2023, 5:45:50 PM
to ntsys...@googlegroups.com

Why would it need to be on DCs? As in the software itself?

 

We back up DCs using Veeam but that’s to a dedicated server.

 

Am I missing something?


Michael B. Smith

Aug 26, 2023, 5:47:32 PM
to ntsys...@googlegroups.com

No, I mean backing up DCs with Cohesity. Most specifically AD DS.

Philip Elder

Aug 26, 2023, 5:49:12 PM
to ntsys...@googlegroups.com

Okay, is it ADDS aware, or do we still need to muck about with the BURFLAGS non-authoritative restore process for FRS and its registry equivalent with DFSR?

Charles F Sullivan

Aug 29, 2023, 5:27:15 PM
to ntsys...@googlegroups.com
We have 5 DCs. Nothing in the manual says it's ADDS aware, but it doesn't mention auth restores of AD itself. As I said, the only restore instruction that comes close seems as though it's for a one DC environment, which is why there would be no need for an auth restore.

There doesn't seem to be an easy way to test this stuff out, otherwise I could answer some of my own questions. We have a closed off subnet where we test DR restores, but I can't test because there doesn't seem to be a way to safely point the Cohesity restores to DCs other than the true source.

I'm at the point where I might do a system state backup of each DC using Windows Server Backup, just to have the option to do the old ntdsutil authoritative restore.
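One way to script the Windows Server Backup fallback Charles describes, as an added example that is not part of the thread and not Cohesity's or Microsoft's code: it takes a System State backup of every DC with wbadmin so that the classic ntdsutil authoritative restore stays available alongside the image-level backups. It assumes WinRM is enabled on the DCs, the caller is a Domain Admin, the ActiveDirectory RSAT module is present, and that the backup target (the 'E:' placeholder) is a dedicated, non-critical volume local to each DC; pointing wbadmin at a UNC path from inside Invoke-Command runs into the usual credential double-hop and is left out here.

```powershell
# Added example (not from the thread): System State backup of each DC via wbadmin.
# Assumptions: WinRM enabled, Domain Admin rights, ActiveDirectory module installed,
# $BackupTarget is a dedicated non-critical volume that exists on every DC.
Import-Module ActiveDirectory

function Backup-DcSystemState {
    param(
        # Default: every DC in the current domain
        [string[]]$DomainController = (Get-ADDomainController -Filter * |
                                       Select-Object -ExpandProperty HostName),
        [Parameter(Mandatory)][string]$BackupTarget   # e.g. 'E:' (placeholder)
    )

    foreach ($dc in $DomainController) {
        Invoke-Command -ComputerName $dc -ArgumentList $BackupTarget -ScriptBlock {
            param($Target)

            # Windows Server Backup is a feature and is not installed by default
            if (-not (Get-WindowsFeature -Name Windows-Server-Backup).Installed) {
                Install-WindowsFeature -Name Windows-Server-Backup | Out-Null
            }

            # System State covers the NTDS database, SYSVOL, registry and boot files;
            # -quiet suppresses the interactive confirmation prompt
            & wbadmin start systemstatebackup -backupTarget:$Target -quiet

            [pscustomobject]@{
                DomainController = $env:COMPUTERNAME
                Succeeded        = ($LASTEXITCODE -eq 0)   # wbadmin returns 0 on success
                Finished         = Get-Date
            }
        }
    }
}

# List the backup versions wbadmin knows about on one DC. The version identifier
# it prints is what a later systemstaterecovery (and the ntdsutil authoritative
# restore that follows it) is keyed on, so record it with the DR runbook.
function Get-DcSystemStateVersions {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][string]$BackupTarget
    )
    Invoke-Command -ComputerName $DomainController -ArgumentList $BackupTarget -ScriptBlock {
        param($Target)
        & wbadmin get versions -backupTarget:$Target
    }
}

# Usage (placeholder volume letter):
Backup-DcSystemState -BackupTarget 'E:' | Format-Table -AutoSize
```

Run it from a management host on a schedule separate from the Cohesity jobs, and keep the `Succeeded` results: a DC whose System State job silently fails is exactly the one that will be missing when an authoritative restore is needed.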

Philip Elder

Aug 29, 2023, 6:27:08 PM
to ntsys...@googlegroups.com

Back in the day, we had System State Backup to keep the USN state the way it should be if we ran into a problem and needed to restore our PDCe and FSMO Role Holder (we always put them all on one DC).

 

https://learn.microsoft.com/en-us/azure/backup/active-directory-backup-restore

 

The advent of image-based backups that do not integrate a System State Backup has created a bit of a heartache for us.

 

If we do need to restore a puked DC when there are multiple DCs involved, in today's AD environments with image-based backups the simplest thing to do is to seize the FSMO Roles on an existing DC, make sure that replicates, purge the dead DC along with the requisite metadata clean-up, then install a fresh OS, DCPromo it back in, and finally transfer the FSMO Roles.

 

It sounds like a lot, but it actually doesn’t take all that long when we force replication between the existing DCs once we’ve seized the FSMO Roles.

 

It’s always a good idea to verify that the FSMO Roles are in the right place and that every DC sees them in the correct location once in a while. Weirdness can happen. BTDT

 

# Check FSMO
Get-ADForest | Format-Table SchemaMaster,DomainNamingMaster
Get-ADDomain | Format-Table PDCEmulator,RIDMaster,InfrastructureMaster
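Philip's two lines show the role holders as one DC reports them. The added example below is not from the thread; it extends the same check to the point Philip raises about every DC seeing the roles in the correct location: it asks each DC in turn for its view of the five FSMO roles, flags any role on which the DCs disagree, and flags a role holder that is not itself a current DC (the signature of a DC that was removed without metadata clean-up). It assumes the ActiveDirectory RSAT module and a single-domain forest (multi-domain forests need the domain-wide roles queried per domain).

```powershell
# Added example (not from the thread): compare every DC's view of the FSMO role
# holders. Assumes the ActiveDirectory module and a single-domain forest.
Import-Module ActiveDirectory

$Roles = 'SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster'

function Get-FsmoView {
    # The role holders as reported by one specific DC (-Server binds to that DC)
    param([Parameter(Mandatory)][string]$Server)
    $forest = Get-ADForest -Server $Server
    $domain = Get-ADDomain -Server $Server
    [pscustomobject]@{
        QueriedDc            = $Server
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-FsmoConsistency {
    param(
        # Default: every DC in the current domain
        [string[]]$DomainController = (Get-ADDomainController -Filter * |
                                       Select-Object -ExpandProperty HostName)
    )

    $views = foreach ($dc in $DomainController) {
        try   { Get-FsmoView -Server $dc }
        catch { Write-Warning "Could not query $dc : $($_.Exception.Message)" }
    }

    $problems = foreach ($role in $Roles) {
        # More than one group for a role means the DCs do not agree on its holder
        $groups = @($views | Group-Object -Property $role)
        if ($groups.Count -gt 1) {
            foreach ($g in $groups) {
                [pscustomobject]@{ Role = $role; Problem = 'Disagreement'
                                   Holder = $g.Name; SeenBy = ($g.Group.QueriedDc -join ', ') }
            }
        }
        # A holder that is not a current DC points at a decommissioned DC still owning the role
        foreach ($holder in ($views.$role | Sort-Object -Unique)) {
            if ($DomainController -notcontains $holder) {
                [pscustomobject]@{ Role = $role; Problem = 'Holder is not a current DC'
                                   Holder = $holder; SeenBy = 'n/a' }
            }
        }
    }

    $views | Format-Table -AutoSize
    if ($problems) {
        Write-Warning 'FSMO role holders are not consistent across the queried DCs:'
        $problems | Format-Table -AutoSize
    } else {
        Write-Host "All $(@($views).Count) queried DCs agree on the FSMO role holders." -ForegroundColor Green
    }
    return $problems
}

Test-FsmoConsistency
```

A non-empty result after a seizure is normal until replication has converged, which is why Philip forces replication right after seizing the roles; a non-empty result during steady state is the "weirdness" worth chasing before a DR exercise depends on it.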
