Question

1-Touch restore for domain controller (Active Directory)

  • 30 January 2024

Badge +4

Hello everyone!

I’m facing an issue with a 1-Touch restore for Active Directory domain controllers.

We have the same issues in our lab and in customer production environment.

Backups are completed fine, with system state selected (no issues).

During the 1-Touch restore (authoritative for the first DC and non-authoritative for the secondary) we see a few files from SYSVOL which failed to restore, as below:

 

“\[System State]\Components\DFS Replication services\C\Windows\SYSVOL\domain\DfsrPrivate\ConflictAndDeleted\   [DATA]   [ Reason:    FAILED ]   ->   (Failed)
\[System State]\Components\DFS Replication services\C\Windows\SYSVOL\domain\DfsrPrivate\Deleted\   [DATA]   [ Reason:    FAILED ]   ->   (Failed)
\[System State]\Components\DFS Replication services\C\Windows\SYSVOL\domain\DfsrPrivate\Installing\   [DATA]   [ Reason:    FAILED ]   ->   (Failed)
\[System State]\Components\DFS Replication services\C\Windows\SYSVOL\sysvol\msl.local\DfsrPrivate\ConflictAndDeleted\   [DATA]   [ Reason:    FAILED ]   ->   (Failed)
\[System State]\Components\DFS Replication services\C\Windows\SYSVOL\sysvol\msl.local\DfsrPrivate\Deleted\   [DATA]   [ Reason:    FAILED ]   ->   (Failed)
\[System State]\Components\DFS Replication services\C\Windows\SYSVOL\sysvol\msl.local\DfsrPrivate\Installing\   [DATA]   [ Reason:    FAILED ]   ->   (Failed)”

 

Restore job is completed with errors. Sometimes it failed with 6 files, sometimes with 8 and sometimes with an even higher value, but mostly it refers to SYSVOL and DFSR service.

Can we fix it somehow? Maybe someone has worked on a similar issue?

 

Thanks in advance for help :)

Best Regards,

Matt


6 replies

Userlevel 1
Badge +5

Hello Matt,

 

Please see current update as we are currently checking internally.

Thanks.

 

Userlevel 1
Badge +5

Matt, 

 

We checked internally, and a note has been added for Active Directory using 1-touch in FR32 and higher.

  • To restore Active Directory using 1-Touch Recovery, in the System State area, select Non-Authoritative from the Restore Option for SYSVOL drop-down box.

Performing an Interactive Bare Metal Recovery Using 1-Touch for Windows (commvault.com)

 

Also regarding DFSR, this is considered a non-critical system state component.

Critical and Non-Critical System State Components for Windows File System (commvault.com)

But we will check internally with our software engineering team on this error in 1-touch.

 

Badge +4

Hello,

Thank you very much for the tips.

I’m testing the restore of this DC in “Active Directory repair” but I’m getting the same failures (even more files are failing in this mode).

 

“To restore Active Directory using 1-Touch Recovery, in the System State area, select Non-Authoritative from the Restore Option for SYSVOL drop-down box.” - I heard that non-authoritative restore is the preferred way, but only when we restore a secondary DC. If we lost all DCs then we should restore the first one with the authoritative option selected.

I will test it further. It would be great to have this restore complete without errors, to avoid explaining to the customer that the files which failed during the restore are not critical.

Regards,

Matt

Userlevel 1
Badge +5

Hello Matt,

Our team followed up on some clarification for the DC restores:
 

“The need for Non-Authoritative or Authoritative depends on the purpose of the recovery.

If the customer wants all the AD related updates (like group policies etc.) from other DCs in the environment to be replicated to the machine after the 1-Touch recovery is complete (which is usually the case), then they should go for Non-Authoritative restore.

If they want all the DCs to have the same updates as at the time of backup, then Authoritative restore is the way – this would mean that updates post backup even on other DCs will be removed, and the DC status at the time of the backup will prevail on all DCs some time after restore completion.

If all the DCs are lost, they should go for an authoritative restore for the 1st one, followed by Non-Authoritative for the rest.”

 

We are still checking on the DFSR errors you are getting, but since this Component is non-critical as mentioned, we do not think it will affect a successful restore of the server.

 

If your 1-touch AD restore is failing, then please open a support case with logs so we can review.

Please let us know if you have any questions.

 

Regards,

Shawn Haley

Commvault Support, Tier 2 Client

Badge +4

Hello,

Thanks for the answer.

This section is 100% clear:

“The need for Non-Authoritative or Authoritative depends on the purpose of the recovery.

If the customer wants all the AD related updates (like group policies etc.) from other DCs in the environment to be replicated to the machine after the 1-Touch recovery is complete (which is usually the case), then they should go for Non-Authoritative restore.

If they want all the DCs to have the same updates as at the time of backup, then Authoritative restore is the way – this would mean that updates post backup even on other DCs will be removed, and the DC status at the time of the backup will prevail on all DCs some time after restore completion.

If all the DCs are lost, they should go for an authoritative restore for the 1st one, followed by Non-Authoritative for the rest.”

 

We are doing it that way and the DCs are working OK. But the job is indeed completed with errors, which can confuse the user. But after the restore of two DCs (both restored with errors in DFSR) they both are working fine for now. Even the DFSR service is replicating with no issues.

Thank you for your time and effort :)

Have a great day!

Regards,

Matt

Userlevel 1
Badge +5

Hello Matt,

 

Our team updated with the following:

Regarding a preferred method of DC restores:

Both methods are acceptable, but we recommend 1-Touch.

 

Regarding the DFSR errors:

Those files are non-critical AD items within DFSR. These are staging files, and they will not impact the system state AD restore. These cached items are managed by DFSR service – which itself should recreate these folders post restore.

 

Hope you find this information helpful.  As mentioned, if you are having issues with this restore, please open a case with our support team to review.

 

Thanks,

 

Shawn Haley

Commvault Support, Tier 2 Client

Hotline: 877-780-3077

Web: http://www.commvault.com
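
Added example (not part of any post in this thread and not Commvault code): a small triage script for the failure list of a restore job that completed with errors, separating items under the DfsrPrivate working folders discussed above from anything else that needs a closer look. The line format is copied from the failure list quoted in the question; the function names and the last sample line are constructed for illustration.

```python
import re

# Folder names taken from the failed paths quoted in this thread. Treating only
# these three as DFSR-managed working folders is this example's assumption.
DFSR_PRIVATE_DIRS = {"conflictanddeleted", "deleted", "installing"}

# One failure line as quoted in the thread:
#   <path>   [DATA]   [ Reason:    FAILED ]   ->   (Failed)
LINE_RE = re.compile(
    r'^\s*[“"]?(?P<path>\\.*?)\s+\[(?P<kind>\w+)\]\s+'
    r'\[\s*Reason:\s*(?P<reason>[^\]]*?)\s*\]\s*->\s*\((?P<status>\w+)\)'
)

def classify(path):
    """Return 'dfsr-private' for items directly under DfsrPrivate\\<known folder>."""
    parts = [p.lower() for p in path.split("\\") if p]
    if "dfsrprivate" in parts:
        rest = parts[parts.index("dfsrprivate") + 1:]
        if rest and rest[0] in DFSR_PRIVATE_DIRS:
            return "dfsr-private"
    return "needs-review"

def triage(report):
    """Group the failed paths in a pasted failure list by classification."""
    result = {"dfsr-private": [], "needs-review": []}
    for line in report.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("status").lower() == "failed":
            result[classify(m.group("path"))].append(m.group("path"))
    return result

# First three lines are from the thread; the last line is constructed.
SAMPLE = r"""
“\[System State]\Components\DFS Replication services\C\Windows\SYSVOL\domain\DfsrPrivate\ConflictAndDeleted\   [DATA]   [ Reason:    FAILED ]   ->   (Failed)
\[System State]\Components\DFS Replication services\C\Windows\SYSVOL\domain\DfsrPrivate\Deleted\   [DATA]   [ Reason:    FAILED ]   ->   (Failed)
\[System State]\Components\DFS Replication services\C\Windows\SYSVOL\sysvol\msl.local\DfsrPrivate\Installing\   [DATA]   [ Reason:    FAILED ]   ->   (Failed)
\[System State]\Components\DFS Replication services\C\Windows\SYSVOL\domain\Policies\{CONSTRUCTED-GUID}\GPT.INI   [DATA]   [ Reason:    FAILED ]   ->   (Failed)
"""

if __name__ == "__main__":
    for group, paths in triage(SAMPLE).items():
        print(f"{group}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

An empty needs-review group means every failed item sits in the DfsrPrivate folders named in the thread; anything listed there is outside them and should be checked before the restore is signed off.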
