Show me the backups (win2k3 sp1)...

It recently came to my attention that repadmin + showbackup had no google hits!  Well I'd like to fix that.

First a little back story ... around I guess 2003 there had been a growing trend (of PSS whining, er I mean noticing that) customers are not taking any backups,
and many customers didn't quite understand how application Naming
Contexts (NCs) are not replicated to every Domain Controller (thus the
old adage of "backup one DC from every domain" was stale) ... and so
people would be missing critical data at restore time ... with restore
time
being like the 3rd worst time to be missing critical data, but the most
likely time to call PSS, PSS asked if
we could help, and we / AD dev (were
drunk when they asked, had time on our hands, tired of feeling guilty
about our in-box monitoring tools story, felt like "putting the feature
back in service pack", maybe we were bored... whoa is this my outside
voice?) happily said what can we do to help...

So to address this issue, for Win2k3 SP1 we hashed out adding the ability for DCs
to log an event
(Event ID 2089) if a Naming Context is not being backed up regularly
within a certain latency. The default latency is 1/2 the tombstone
lifetime (too long IMNHO) ... oh and there is a reason this event won't be logged for an NC, but whatever ... this is not
a post about that mechanism / event
(more on it someday), besides we're not even sure most admins are
capable of reading the event logs (is that too insulting ...where is the line? I can never tell?) ...

OK, event logs are fine, but you want to know now! When I
added the 2089 event to AD, I added the /showbackup command to
repadmin. This basically can show when backups were taken of
various writable NCs the DC hosts. (this block may make the post wide, probably mess stuff up, but anyway here is the output of the command):

 C:\bin\rel\win2k3\sp1\x86fre>repadmin.exe /showbackup mycorp-dc-02

Loc.USN                          Originating DC   Org.USN  Org.Time/Date          Ver Attribute
=======                          =============== ========= =============          === =========
DC=DomainDnsZones,DC=MyCorp,DC=com
329205835     084f51ed-d53e-4bad-83db-28694870fdb9 127958011 2006-02-08 02:51:22  197 dSASignature
DC=ForestDnsZones,DC=MyCorp,DC=com
329258203     084f51ed-d53e-4bad-83db-28694870fdb9 127958010 2006-02-08 02:51:22  202 dSASignature
CN=Schema,CN=Configuration,DC=MyCorp,DC=com
330447680     e0cc9580-1546-4da9-af2b-0929c37a378a  68598018 2006-02-09 02:14:56  897 dSASignature
CN=Configuration,DC=MyCorp,DC=com
330447359     e0cc9580-1546-4da9-af2b-0929c37a378a  68598017 2006-02-09 02:14:56  898 dSASignature
DC=MyCorp,DC=com
329205750     084f51ed-d53e-4bad-83db-28694870fdb9 127958006 2006-02-08 02:51:20  205 dSASignature
DC=UnLovedOlderChild,DC=MyCorp,DC=com
DC=UnLovedYoungerChild,DC=MyCorp,DC=com

Obviously the green is showing you can basically see when the DomainDnsZones was last
backup. You can probably guess from this output how we are tracking the last backup too. Note: This tracking can only be done if a DC you're taking backups on is upgraded to Win2k3 SP1.

And of
course "repadmin /showbackup *" should work if you want to capture the
last backup time across all NCs (which means hitting all DCs, thus the
*). Don't assume your backup software is smart enough to understand where the NCs are instantiated / replicated to.

It's funny (or embarressing, depending on who you are) 2 years after coding something, you review it, and immediately see everything you screwed up...

  • The above command should've resolved the
    Orig DC invocation IDs into DC names, so you could know where that
    backup was taken. That's just fricken
    sloppy, sorry about that. I really piss me off sometimes.
  • In retrospect it would have been better to add
    another partition test to dcdiag. That would've been way sweeter,
    fails if over timestamp latency, and /v would print out how old the
    last backup is, and what DC it was taken on.
  • Would've
    been cool to add to ntdsutil the ability to control the backup latency
    event's sensitity on a per partition basis. The feature has this
    ability today it is just not exposed, instead you've got to use a reg
    key (which I don't recommend).
  • This was actually from a corp DC, but I
    changed the names ... but it makes me wonder if that's right our child
    domains aren't being backed up, or there is a bug in the tool /
    mechanism? Those are partial replicas though, it might not being working on partial
    replicas ... that's an excercise for the reader ... let me know.

So there you have it repadmin /showbackup, as
any self respecting admin, I suggest you move "Try a test restore of our
backups" to the bottom of your TODO list, and play with this repadmin
command instead. No, no don't worry the restore will just work if you need it, play with this instead.

Well, that is IMNHO only about 1/2 a post
... I didn't even get to the Backup FSMO role (some other time hopefully) ... but
tis all I have time for now, sorry.

OK, they CAN NOT be serious, I only have a
single sans-serif
font to choose from!? Oh, and that font (Arial) even has a sertif on lower case-t. Verdana
has serifs on upper case I, but it is mostly serifless. Guh, I'm not sure I can actually live with
blogging in
this medium, alright Verdana it is, god I miss my Mac ...

Oh and if you're wondering it was Mr "Grillenmeier, Guido" that was the unintentional catalyst to my first post, not the more derisive elements of my life.

Cheers,

BrettSh [msft]

Building #7 Garage Door Operator

P.S. - I still am not quite happy with my categories yet, and I
still don't have my Orange theme back, (remorseful voice) it was a
really good theme. But at least I can complain now as I'm
blogging^H^H^H^Hed.