Show me the backups (win2k3 sp1)…

It recently came to my attention that repadmin + showbackup had no google hits. Well, I’d like to fix that.

First a little back story … around I guess 2003 there had been a growing trend (of PSS whining, er I mean noticing that) customers are not taking any backups, and many customers didn’t quite understand how application Naming Contexts (NCs) are not replicated to every Domain Controller (thus the old adage of “backup one DC from every domain” was stale) … and so people would be missing critical data at restore time … with restore being like the 3rd worst time to be missing critical data, but the most likely time to call PSS. PSS asked if we could help, and we / AD dev drunk when they asked, had time on our hands, tired of feeling guilty about our in-box monitoring tools story, felt like “putting the feature back in service pack”, maybe we were bored… whoa is this my outside happily said what can we do to help…

So to address this issue, for Win2k3 SP1 we hashed out adding the ability for DCs to log an event (Event ID 2089) if a Naming Context is not being backed up regularly within a certain latency.  The default latency is 1/2 the tombstone lifetime (too long IMNHO) … oh and there is a reason this event won’t be logged for an NC, but whatever … this is not a post about that mechanism / event (more on it someday), besides we’re not even sure most admins are capable of reading the event logs (is that too insulting … where is the line?  I can never tell?) …

OK, event logs are fine, but you want to know now!  When I added the 2089 event to AD, I added the /showbackup command to repadmin.  This basically can show when backups were taken of various writable NCs the DC hosts. (this block may make the post wide, probably mess stuff up, but anyway here is the output of the command):

C:\bin\rel\win2k3\sp1\x86fre>repadmin.exe /showbackup mycorp-dc-02

Loc.USN Originating DC Org.USN Org.Time/Date Ver Attribute
======= =============== ========= ============= === =========
329205835 084f51ed-d53e-4bad-83db-28694870fdb9 127958011 2006-02-08 02:51:22 197 dSASignature
329258203 084f51ed-d53e-4bad-83db-28694870fdb9 127958010 2006-02-08 02:51:22 202 dSASignature
330447680 e0cc9580-1546-4da9-af2b-0929c37a378a 68598018 2006-02-09 02:14:56 897 dSASignature
330447359 e0cc9580-1546-4da9-af2b-0929c37a378a 68598017 2006-02-09 02:14:56 898 dSASignature
329205750 084f51ed-d53e-4bad-83db-28694870fdb9 127958006 2006-02-08 02:51:20 205 dSASignature

Obviously the green is showing you can basically see when the DomainDnsZones was last backed up.  You can probably guess from this output how we are tracking the last backup too.  Note: This tracking can only be done if a DC you’re taking backups on is upgraded to Win2k3 SP1.

And of course “repadmin /showbackup *” should work if you want to capture the last backup time across all NCs (which means hitting all DCs, thus the *).  Don’t assume your backup software is smart enough to understand where the NCs are instantiated / replicated to.
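The check described above, as an added example that is not part of the original post or of repadmin: it parses the dSASignature rows of captured `repadmin /showbackup` output and flags stamps older than half the tombstone lifetime. The tombstone lifetime, the fixed `now` timestamp and the invocation-ID-to-name map are assumptions supplied by the caller, and the DC name is hypothetical.

```python
import re
from datetime import datetime, timedelta

# Data rows copied from the output shown in the post.
SAMPLE = """\
Loc.USN Originating DC Org.USN Org.Time/Date Ver Attribute
329205835 084f51ed-d53e-4bad-83db-28694870fdb9 127958011 2006-02-08 02:51:22 197 dSASignature
329258203 084f51ed-d53e-4bad-83db-28694870fdb9 127958010 2006-02-08 02:51:22 202 dSASignature
330447680 e0cc9580-1546-4da9-af2b-0929c37a378a 68598018 2006-02-09 02:14:56 897 dSASignature
330447359 e0cc9580-1546-4da9-af2b-0929c37a378a 68598017 2006-02-09 02:14:56 898 dSASignature
329205750 084f51ed-d53e-4bad-83db-28694870fdb9 127958006 2006-02-08 02:51:20 205 dSASignature
"""

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
ROW = re.compile(
    rf"^\s*(?P<loc_usn>\d+)\s+(?P<inv_id>{GUID})\s+(?P<org_usn>\d+)\s+"
    r"(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<ver>\d+)\s+dSASignature\s*$"
)

def parse_showbackup(text):
    """Return one dict per dSASignature row; headers and other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({
                "inv_id": m["inv_id"].lower(),
                "org_usn": int(m["org_usn"]),
                "when": datetime.strptime(m["when"], "%Y-%m-%d %H:%M:%S"),
            })
    return rows

def stale_backups(rows, now, tombstone_days, dc_names=None):
    """Rows whose stamp is older than half the tombstone lifetime, as (dc, age_days)."""
    limit = timedelta(days=tombstone_days / 2)
    dc_names = dc_names or {}
    return [(dc_names.get(r["inv_id"], r["inv_id"]), (now - r["when"]).days)
            for r in rows if now - r["when"] > limit]

if __name__ == "__main__":
    # Assumptions: 60-day tombstone lifetime, fixed "now", hypothetical DC name.
    names = {"084f51ed-d53e-4bad-83db-28694870fdb9": "dc-a.example (hypothetical)"}
    for dc, age in stale_backups(parse_showbackup(SAMPLE), datetime(2006, 3, 10, 12), 60, names):
        print(f"last backup stamp from {dc} is {age} days old")
```

The name map stands in for the invocation-ID resolution the post says the command lacks; how that map is built is left to the caller.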

It’s funny (or embarrassing, depending on who you are) 2 years after coding something, you review it, and immediately see everything you screwed up…

  • The above command should’ve resolved the Orig DC invocation IDs into DC
    names, so you could know where that backup was taken.  That’s just
    fricken sloppy, sorry about that.  I really piss me off sometimes.
  • In retrospect it would have been better to add another partition test
    to dcdiag.  That would’ve been way sweeter, fails if over timestamp
    latency, and /v would print out how old the last backup is, and what DC
    it was taken on.
  • Would’ve been cool to add to ntdsutil the ability to control the backup
    latency event’s sensitivity on a per partition basis.  The feature has
    this ability today, it is just not exposed, instead you’ve got to use a
    reg key (which I don’t recommend).
  • This was actually from a corp DC, but I changed the names … but it makes
    me wonder if that’s right our child domains aren’t being backed up, or
    there is a bug in the tool / mechanism?  Those are partial replicas
    though, it might not be working on partial replicas … that’s an
    exercise for the reader … let me know.

So there you have it repadmin /showbackup, as any self respecting admin, I suggest you move “Try a test restore of our backups” to the bottom of your TODO list, and play with this repadmin command instead.  No, no don’t worry the restore will just work if you need it, play with this instead.

Well, that is IMNHO only about 1/2 a post … I didn’t even get to the Backup FSMO role (some other time hopefully) … but tis all I have time for now, sorry.

OK, they CAN NOT be serious, I only have a single sans-serif font to choose from!?  Oh, and that font (Arial) even has a serif on lower case-t.  Verdana has serifs on upper case I, but it is mostly serifless.  Guh, I’m not sure I can actually live with blogging in this medium, alright Verdana it is, god I miss my Mac …

Oh and if you’re wondering it was Mr “Grillenmeier, Guido” that was the unintentional catalyst to my first post, not the more derisive elements of my life.

BrettSh [msft]
Building #7 Garage Door Operator

P.S. – I still am not quite happy with my categories yet, and I
still don’t have my Orange theme back, (remorseful voice) it was a
really good theme.  But at least I can complain now as I’m

Comments (79)

  1. michkap says:

    Woo hoo! Brett’s blogging! You can do fascinating things with a bit of blog pimping in the CSS and other places, too….

  2. Anonymous says:

    Who the hell are you, and what did you do with the real Brett?

  3. Anonymous says:

    hey Brett – good to see that a question of mine combined with the lack of google hits to its answer initiated you to post your first blog entry 🙂

    I checked out the /showbackup function right away and it works nicely!

    > but it makes me wonder if that’s right our
    > child domains aren’t being backed up, or
    > there is a bug in the tool / mechanism?
    > Those are partial replicas though, it might
    > not be working on partial replicas …
    > that’s an exercise for the reader … let
    > me know.

    nope, no bug – it’s just that by default, the dSASignature schema attribute is not in the PAS – so it won’t replicate to GCs.  Certainly nothing you could have changed in the SP, but I’ve added dSASignature to the PAS and now a single GC will inform me of the replication status of any AD domain partition (and the DC that last backed up the respective partition), which is cool.

    Naturally, app partitions such as DNS are only backed up (and reported) on those DCs, which host the app partition.

    I’ll send you some results of my tests offline. Still have to check out a few other things around this feature.

    Thanks for the valuable post.


  4. Anonymous says:

    btw, google has already found your post as well 🙂

    sorry to say that information on repadmin showbackup still can’t be found via MSNsearch 🙁

  5. AdiOltean says:

    >> So there you have it repadmin /showbackup, as any self respecting admin, I suggest you move "Try a test restore of our backups" to the bottom of your TODO list, and play with this repadmin command instead.  No, no don’t worry the restore will just work if you need it, play with this instead.

    Could you do a partial test by restoring your domain controllers to a series of Virtual Server guest instances? (with an isolated, private net connecting all of them).

    That would work of course if your "restore set" does not have dependencies on other computers on the network…

  6. Anonymous says:

    Finally! The wait is over. Brett Shirley started to blog. As I expected, Brett started with a highly…

  7. Anonymous says:

    could be good to have a "repadmin /showbackup *" to be added into the DirSvc version of MPSReports?

    Keep up the blogging – it’s great!

  74. Anonymous says:

    No repadmin /showbackup on sp2, but the event keeps appearing.

    Any updates about what changed on this subject on sp2?