How long can I use my Active Directory Backup

During my daily work I encounter a lot of confusion about this topic.

Let’s first discuss couple of basic things about the backup of Active Directory and why it is so important to use a Microsoft supported solution.

When we are in a Disaster Recovery scenario and we need to restore our Active Directory forest we want to know that we can rely on Microsoft for help. In order to be able to do this we need to use a supported solution which is Windows Server backup.

What is the first step in our Disaster Recovery process?

Document your infrastructure! Document your topology!

What should we document?

  • The forest name
  • All domain names (root and child domain names, including NETBIOS name)
  • Domain Controller names, IP addresses, gateway, DNS settings, VLAN
  • What Site my domain controller is in?
  • The sites topology, site links, replication schedules, connection objects (aka replication topology)
  • Owner of the FSMO roles
  • What kind of backup we are taking from that Domain Controller? (Full Server Backup, System state, Bare metal ?)
  • What hardware I am running on ?
  • What virtualization platform I am using?

The next step is to take a proper backup. Modern Windows Server backup operating systems are not coming with Windows Server Backup installed by default, so the first thing would be to install it. To do that you need to go to Server Manager, Manage, add Roles and Features, go to features and select Windows Server backup, then install it.

After you install it go to Server Manager, Tools and Windows Server Backup

After Windows Server Backup has started, clock on Local Backup then go on the right side to Backup Schedule.

After the wizard starts click on Next, then you have two options: Full Server (recommended) or Custom.

If we select Full Server then all the needed data will be backed up, including Bare Metal recovery, System State, Recovery partition, and the content of the disk drives.

If we select Custom then we need to go click on Add items

Then the selection part opens

What should we backup from here? The answer is: it depends. If we want to be able to perform a full forest recovery then we should backup everything (at least Bare Metal recovery, System State, recovery partition and the C: Drive). If we want to perform a non-authoritative restore of Active Directory we can backup the System State.

After we decide what to backup we need to decide where we will point the backup – dedicated disk, a volume or a network share. Microsoft’s recommendation is to backup to a dedicated disk.

I will backup the full server to a disk.

After clicking Finish the disk will be formatted and will be used for the backup.

The backup will run as scheduled.

To answer the question: How long can I use my Active Directory backup? The answer is for: the duration of your Tombstone Lifetime setting. If your forest was started back in the 2003 days or older the default setting will be 60 days, starting with Windows Server 2008 is 180 days.

So the answer will be: for 60 or 180 days from the moment you took your backup, depending on your tombstone lifetime!

I will discuss about the tombstone lifetime in a different article.

System Center Virtual Machine Manager 2019 Update Rollup 1 available

The first update rollup for SCVMM 2019 has been release by Microsoft on February 4th.

This fixes several issues:

  • Unable to add Windows Server 2019 hosts in untrusted domain to SCVMM.
  • Changes to VM network adapter or VM network overwrites associated ACL.
  • Unable to pull LLDP information on pNICs bount to a vSwitch.
  • Long running service template deployments time out after 3 hours. Timeout parameter can now be configured to time above 3 hours using the HKLM\Software\Microsoft\Microsoft System Center Virtual Machine Manager Server\Settings\GuestCommunicatorStatusTimeoutSecs registry key to any desired value.
  • VMM service experiences high memory usage with large number of objects created in tbl_ADHC_HostVolume
  • Unable to assign VM network to VMs on the hosts
  • Automatic Dynamic Optimization fails on clusters in untrusted domain
  • VMM jobs take long time to run whenever there is VMM server fail over to another node. 
  • Storage Provider Refresh fails when the NIC has no MAC present.
  • Unable to create a file share with the same name on different file servers through SCVMM console.
  • Cluster creation fails when VMM service is running under gMSaccount with ‘Access denied’ exception.
  • In addition to these, all the issues fixed in System Center 2016 VMM UR8 and prior URs for VMM 2016 are also fixed in System Center VMM 2019 UR1. 

New Features have been added into SCVMM 2019:

  • Ability to deploy Ubuntu 18.04 VMs
  • Nested virtualization can be enabled via VM templates, service templates and also when creating a new VM from the console
  • Cluster rolling upgrade is now supported for S2D clusters.
  • Deduplication is supported on ReFS volumes for Hyperconverged and SOFS
  • Storage DO (Dynamic Optimization) – helps in preventing cluster shared storage (CSV and file shares) from becoming full due to expansion/new VHDs placed on the cluster shared storage. You can now set a threshold value to trigger a warning when free storage space in the cluster shared storage falls below the threshold, during a new disk placement or auto migration of VHDs to other shared storage in the cluster
  • Support for storage health monitoring
    Storage health monitoring helps you to monitor the health and operational status of storage pool, LUNs, and physical disks in the VMM fabric. You can monitor the storage health in the Fabric page of VMM console.
  • VMM 2019 supports configuration of SLB VIPs while deploying multi-tier application by using the service templates
  • VMM 2019 supports encryption of VM networks. Using the new encrypted networks feature, end-to-end encryption can be easily configured on VM networks by using the network controller (NC). This encryption prevents the traffic between two VMs on the same network and same subnet, from being read and manipulated. The control of encryption is at the subnet level and encryption can be enabled/disabled for each subnet of the VM network.
  • In VMM 2019, you can configure Layer 3 forwarding gateway using the VMM console
  • Support for Static MAC address on VMs deployed on a VMM cloud
    This feature allows you to set static MAC address on VMs deployed on a cloud. You can also change the MAC address from static to dynamic and vice versa for the already deployed VMs.
  • Azure Integration – VM update management through VMM using Azure Automation Subscription. VMM 2019 is introducing the possibility of patching and updating on-prem VMs (managed by VMM) by integrating VMM with Azure automation subscription.
  • New RBAC Role – Virtual Machine Administrator
    In a scenario where enterprises want to create a user role for troubleshooting, it is necessary that the user has access to all the VMs so the user can make any required changes on the VMs to resolve the issue. There is also a need for the user to have access to the fabric to identify the root cause for the issue. However, for security reasons, this user should not be given the privileges to make any changes on the fabric (such as add storage, add hosts etc. The current role-based access control (RBAC) in VMM does not have a role defined for this persona and the existing roles of Delegated Admin and Fabric admin have too little or more than necessary permissions to perform just troubleshooting. To address this issue, VMM 2019 supports a new role called Virtual Machine Administrator. The user of this role has Read and Write access to all VMs but read-only access to the fabric.
  • Group Managed Service Account (gMSA) helps improve the security posture and provides convenience through automatic password management, simplified service principle name (SPN) management, and the ability to delegate the management to other administrators. VMM 2019 supports the use of gMSA for Management server service account.

New features added by Update Rollup 1:

  • Support for management of replicated library shares
    Large enterprises, usually have multi-site datacenter deployments to cater to various offices across globe. These enterprises typically have a locally available library server to access files for VM deployment than accessing the library shares from a remote location. This is to avoid any network related issues one might experience. However, library files need to be consistent across all the datacenters to ensure uniform VM deployments. To maintain uniformity of library contents, organizations use replication technologies. VMM now supports the management of library servers, which are replicated. You can use any replication technologies such as DFSR and manage the replicated shares through VMM.
  • Configuration of DCB settings on S2D clusters
    Remote Direct Memory Access (RDMA) in conjunction with Data Center Bridging (DCB) helps to achieve similar level of performance and losslessness in an Ethernet network as in fiber channel networks. VMM 2019 UR1 supports configuration of data center bridging (DCB) on S2D clusters.

Note

You must configure the DCB settings consistently across all the hosts and the fabric network (switches). A mis-configured DCB setting in any one of the host/fabric device is detrimental to the S2D performance.

  • User experience improvements in logical networks
    In VMM 2019 UR1, user’s experience while creating logical networks has been enhanced. Logical networks are now grouped in product description, based on use-cases. Also, provided illustration for each logical network type and a dependency graph.
  • Additional options to enable nested virtualization
    You can now enable nested virtualization while creating a new VM, deploying VMs through VM templates and service templates. In earlier releases, nested virtualization is supported only on deployed VMs. Learn more about enabling nested virtualization.

System Center Virtual Machine Manager ports and protocols.

Port and protocol exceptions

Connect Port/protocol Details Configure
VMM server to VMM agent on Windows Server-based hosts/remote library server 80: WinRM; 135: RPC; 139: NetBIOS; 445: SMB (over TCP) Used by the VMM agent

Inbound rule on hosts

Can’t modify
VMM server to VMM agent on Windows Server-based hosts/remote library server 443:HTTPS BITS data channel for file transfers

Inbound rule on hosts

Modify in VMM setup
VMM server to VMM agent on Windows Server-based hosts/remote library server 5985:WinRM Control channel

Inbound rule on hosts

Modify in VMM setup
VMM server to VMM agent on Windows Server-based hosts/remote library server 5986:WinRM Control channel (SSL)

Inbound rule on hosts

Can’t modify
VMM server to VMM guest agent (VM data channel) 443:HTTPS BITS data channel for file transfers

Inbound rule on machines running the agent

The VMM guest agent is a special version of the VMM agent. It’s is installed on VMs that are part of a service template, and on Linux VMs (with or without a service template).

Can’t modify
VMM server to VMM guest agent (VM control channel) 5985:WinRM Control channel

Inbound rule on machines running the agent

Can’t modify
VMM host to host 443:HTTPS BITS data channel for file transfers

Inbound rule on hosts and VMM server

Modify in VMM setup
VMM server to VWware ESXi servers/Web Services 22:SFTP

Inbound rule on hosts

Can’t modify
VMM server to load balancer 80:HTTP; 443:HTTPS Channel used for load balancer management Modify in load balancer provider
VMM server to remote SQL Server database 1433:TDS SQL Server listener

Inbound rule on SQL Server

Modify in VMM setup
VMM server to WSUS update servers 80/8530:HTTP; 443/8531:HTTPS Data and control channels

Inbound rule on WSUS server

Can’t modify from VMM
VMM library server to Hyper-V hosts 443:HTTPS BITS data channel for file transfers

Inbound rule on hosts – 443

Modify in VMM setup
VMM console to VMM WCF:8100 (HTTP); WCF:8101 (HTTPS); Net.TCP: 8102 Inbound rule on VMM console machine Modify in VMM setup
VMM server to storage management service WMI Local call
Storage management service to SMI-S provider CIM-XML Provider-specific
VMM server to Baseboard Management Controller (BMC) 443: HTTP (SMASH over WS-Management) Inbound rule on BMC device Modify on BMC device
VMM server to Baseboard Management Controller (BMC) 623: IPMI Inbound rule on BMC device Modify on BMC device
VMM server to Windows PE agent 8101:WCF; 8103:WCF 8101 is used for control channel, 8103 is used for time sync Modify in VMM setup
VMM server to WDS PXE provider 8102: WCF Inbound rule on PXE server
VMM server to Hyper-V host in untrusted/perimeter domain 443:HTTPS (BITS) BITS data channel for file transfers

Inbound rule on VMM server

Library server to Hyper-V host in untrusted/perimeter domain 443:HTTPS BITS data channel for file transfers

Inbound rule on VMM library

VMM server to Windows file server 80: WinRM; 135: RPC; 139: NetBIOS; 445: SMB (over TCP) Used by the VMM agent

Inbound rule on file server

VMM server to Windows file server 443:HTTPS BITS used for file transfer

Inbound rule on file server

VMM server to Windows file server 5985/5986:WinRM Control channel

Inbound rule on file server

For more information read the Microsoft docs here: https://docs.microsoft.com/en-us/system-center/vmm/plan-ports-protocols?view=sc-vmm-2019

“Watch” command in Windows

These days I needed to be able to check on the execution of a repetitive task. If I would use linux I could use the watch command but I am a Windows guy.

So I came up with an alternative – I created a bat file with the below content:

@ECHO OFF
:loop
  cls
  %*
  timeout /t 5
goto loop

To change the duration of the loop change the timeout /t 5 value (now it is 5 seconds).

Usage is similar to linux: watch dir *.jpg