Backing up Win2k Server user accounts?

[aceO07]

I'm running Win2k Server w/ active directory. I need to be able to backup the users and restore them. Is there an easy way of doing this?

I've looked into LDIFDE but it doesn't seem to import back the file I exported (from the same computer).

 

[daveshel]

A system state backup will include the sysvol folder, but I can't tell what you are really trying to accomplish.

 

[aceO07]

I want to make a backup of all the user accounts on the Win2k Server to a file. Then I want to be able to use that file to restore the user account to the server again if need be.

 

[Woodie]

I'm pretty sure you can't do that.

System State backs up the whole user database, not just individual users.

What exactly are you trying to accomplish? You want to delete a user, but then add them back when they are re-hired?

It's customary to *disable* a user account when it's no longer needed, then wait some period of time, to make sure the account isn't really needed. Finally, *delete* it days/weeks later, when management is sure they don't need that user any more.

 

[daveshel]

Originally posted by: aceO07
I want to make a backup of all the user accounts on the Win2k Server to a file. Then I want to be able to use that file to restore the user account to the server again if need be.

Both ldifde and csvde can be used for import as well as export.

link

link

 

[aceO07]

Originally posted by: daveshel
Both ldifde and csvde can be used for import as well as export.

link

link

How do I do a ldifde import? I can't see to do it normally, even with the file I created from an export. It gives me a SAM error.

 

[aceO07]

Originally posted by: Woodie
I'm pretty sure you can't do that.

System State backs up the whole user database, not just individual users.

What exactly are you trying to accomplish? You want to delete a user, but then add them back when they are re-hired?

It's customary to *disable* a user account when it's no longer needed, then wait some period of time, to make sure the account isn't really needed. Finally, *delete* it days/weeks later, when management is sure they don't need that user any more.

I just want to have a backup of the users in case anything happened to the system. I have images of the system, but since users change more frequently than I make images I need a way to restore the most current users.

 

[Woodie]

Hmmm. We do a system state backup (to HD) on several of the DCs every night Then we do a tape backup nightly, most of them incremental, so the SS Backup is available for an authoritative restore on a nightly basis.

<crossing fingers> We haven't had to do an authoritative restore in production, yet. (~34,000 user accounts).

Wait...you said "system"....you only have a single DC?

 

[aceO07]

Yup, there's just that one DC.

 

[Woodie]

Originally posted by: aceO07
Yup, there's just that one DC.

🙁 OK....you have more than just one "issue"!

Good luck!

 

[aceO07]

Originally posted by: Woodie

Originally posted by: aceO07
Yup, there's just that one DC.

🙁 OK....you have more than just one "issue"!

Good luck!

huh? What are you referring to?

 

[stash]

System State backs up the whole user database, not just individual users

True, but you can do authoritative restores of individual objects using the 'restore subtree' option in ntdsutil.

huh? What are you referring to?

He's means it's a bad idea to run your directory on a single DC...it's a single point of failure for your entire domain. An additional DC would give you much needed redundancy and also make your disaster recovery process much simpler.

 

[stash]

More...

I just want to have a backup of the users in case anything happened to the system. I have images of the system, but since users change more frequently than I make images I need a way to restore the most current users.

Imaging of domain controllers (such as with Ghost) is not supported. It will make an absolute mess of your AD: http://support.microsoft.com/?kbid=875495

The best course of action here is to add another DC and perform system state backups (at minimum) of both machines on a regular basis. That will cover just about every contingency.

 

[aceO07]

Originally posted by: STaSh
He's means it's a bad idea to run your directory on a single DC...it's a single point of failure for your entire domain. An additional DC would give you much needed redundancy and also make your disaster recovery process much simpler.

Thanks for the explaination. I'm new to windows server administration. Can you recommend any good literature?

 

[stash]

Can you recommend any good literature?

Sure, can you be more specific? 🙂 Windows server administration is a massively broad topic. As is Active Directory administration.

 

[aceO07]

Originally posted by: STaSh

Can you recommend any good literature?

Sure, can you be more specific? 🙂 Windows server administration is a massively broad topic. As is Active Directory administration.

yea, you got a point. That one DC is the only one since that's all I thought I'd need. I'm running Citrix on it, though that's not recommended either. Decisions made by my lack of knowledge, budget and time. I'm just trying to make sure that if that one server explodes, I'll have an easier/faster path to recovery based on my current setup... 😕

 

[stash]

Well, it all depends on what kind of level of risk you are willing to take. You are certainly not alone in running a single server for everything. Many smaller networks don't have the resources to have dedicated servers for each application or redundant servers. Not every network is running mission critical applications, and not every firm will lose millions in revenue every hour that the network and/or application is unavailable. Microsoft even offers Small Business Server, which is designed to run everything on one box.

If you perform backups (standard and system state) of your system, it is certainly possible to develop a disaster recovery plan with a single server. Your network will suffer longer downtime, and there will be more work involved to restore service, but it is possible.