One important aspect of recovery feasibility is knowing how to recover from a disaster. Just knowing what to back up and what scenarios to plan for is not enough. Restore processes should be created and tested to ensure that a restore can meet service-level agreements (SLAs) and that the staff members understand all the necessary steps.

When a process is figured out, it should be documented, and the documentation should be written to make sense to the desired audience. For example, if a failure occurs in a satellite office that has only marketing employees and one of them is forced to recover a server, the documentation needs to be written so that it can be understood by just about anyone. If the IT staff will be performing the restore, the documentation can be less detailed, but assume a certain level of knowledge and expertise with the server product. The first paragraph of any document related to backup and recovery should be a summary of what the document is used for and the level of skill necessary to perform the task and understand the document.

One of the key elements to having a successful disaster recovery plan is to periodically test the restore procedures to verify accuracy and to test the backup media to ensure that data can actually be recovered. Most organizations or administrators assume that, if the backup software reports “Successful,” the backup is good and data can be recovered. If a special backup consideration is not taken care of, but the files are backed up, the successful backup may not contain everything necessary to restore a server if data loss or software corruption occurs.

Restores of not only file data, but also application data and configurations should be performed as part of a regular maintenance schedule to ensure that the backup method is correct and disaster recovery procedures and documentation are current. Such tests also should verify that the backup media can be read from and used to restore data. Adding periodic test restores to regular maintenance intervals ensures that backups are successful and familiarizes the administrators with the procedures necessary to recover so that when a real disaster occurs, the recovery can be performed correctly and efficiently the first time.

To test a reported problem, the administrator should use a test workstation. This workstation should be configured to match an end user’s workstation so that tests yield the same results the end user received. User applications should be installed on this workstation with the same settings and permissions. An alternative to having a test workstation is to use remote control software such as Remote Assistance to connect directly to the user’s workstation and witness the reported issue firsthand.

A test user account should be configured and used when troubleshooting user-reported failures or functionality issues. The test account should have the same level of privileges as the end user; otherwise, testing may yield different results.

The actual process for re-creating the failure should be known before the administrator tries to validate the failure. Usually, it’s good to start with the end user who reported the problem. If the error, failure, or issue was reported by monitoring software, the server should be checked to see whether the system appears to be functional and the services or applications are running. If the system, services, and/or applications are still running, connectivity then needs to be tested. If the application is network based, as most are, network connectivity to the server should be tested first, followed by testing the application itself using the appropriate client software.

To isolate failures associated with applications and services, the administrator needs to understand and be aware of any service dependencies. For example, if a report indicates that Internet email has not been received, the problem could be the mail server, or it could be a dependency such as the firewall or DNS server for the email domain. If the Internet DNS server for the email domain is down or offline, the failure is not the mail server but merely the Internet DNS server, because other organizations are dependent on first locating the host record for mail from that DNS server before mail can be delivered.

To determine the network dependencies of a particular network application, refer to the manufacturer’s documentation. If it is a Windows Server 2003 application, refer to Windows Server 2003 Help and Support for detailed information. If a server application runs as a Windows Server 2003 service, using the Services applet from the Administrative Tools menu, you can learn a service’s dependencies on other services or system drivers, as shown in Figure 33.1 for the Windows Server 2003 DNS Server service.

Figure 33.1. DNS Server service dependencies.

Redundant sites are created for a few reasons: First, they can be created for load balancing or providing higher performance to clients accessing the resources from different geographic locations. For example, an organization may have one site in San Francisco, California, and another in Tampa, Florida, both on different coasts of the United States. East coast clients would connect to Florida, and West coast clients would connect to California. Each site would be a mirror of the other, so the data and services provided at each location would be the same.

Another reason for redundant sites is to provide if not all the computer-based services and applications available at the main site, at least all the mission-critical resources. This way, a company can continue to function, perhaps in a limited capacity, but at least it would be able to perform most important business functions.

For more information on deciding what services and applications are most important to a business and whether they should be provided in a failover site, refer to the section “Prioritizing the Environment” in Chapter 32.

Because every organization has different requirements when it comes to designing a failover site and what it takes to fail over and eventually fail back, this section covers the basic necessities for failing over between redundant sites to be successful.

Companyabc.com is a fictitious marketing/graphic design firm headquartered in New York, New York. The company has a secondary failover location in Boston, Massachusetts. The New York site provides virtual private network (VPN) and Terminal Services for the Marketing department employees who rarely make it into the office. Because marketing is the core of Companyabc.com’s business, the VPN and Terminal Services are key to business continuity. For example, as the graphic artists develop new material for the Marketing department, the Marketing department sales force and client teams use the VPN to get the data to the client for approval. Also, the New York location houses the accounting server, which is used by employees to enter daily time sheets, which in turn are used to generate invoices to bill the clients. If the New York site becomes unavailable, VPN, Terminal Services, file servers containing client documentation, and the accounting servers must all be restored at the Boston site within a few hours of a site disaster for business continuity. In this scenario, restoring is a relatively simple task; most organizations are much more complicated than this.

When an organization decides to plan for site failures as part of a disaster recovery solution, there are many areas that need to be addressed and there can be many options to choose from. Using the Companyabc.com scenario, the biggest factors are file data and remote network connectivity through VPN and Terminal Services. This means that network connectivity is a priority, along with spare servers that can accommodate the user load. The spare servers for file data and accounting need to have enough disk space to accommodate a complete restore. As a best practice to ensure a smooth transition, the following list of recommendations provides a starting point:

Allocating hardware and making the site ready to act as a failover site are simple tasks in concept, but the actual failover and fail-back process can be troublesome. Keep in mind that the preceding list applies to failover sites, and not mirrored or redundant sites configured to provide load balancing.

Before failing over between sites can be successful, administrators need to be aware of what services need to fail over and in which order of precedence. For example, before an Exchange Server 2003 server can be restored, Active Directory domain controllers, global catalog servers, and DNS servers must be available.

As a site failure example, at Companyabc.com’s headquarters in New York, a fire in the building leaves the server room soaked in fire retardant chemicals and the servers damaged. Failing services over to the Boston location would be necessary in this case.

To keep such a cutover at a high level, the following tasks need to be executed in a timely manner:

When the initial site is back online and available to handle client requests and provide access to data and networking services and applications, it is time to consider failing back the services. This can be a controversial subject because fail-back procedures are normally more difficult than the initial failover procedure, but usually only when database servers are involved. Most organizations plan on the failover and have a tested failover plan that may include database log shipping to the disaster recovery site. However, they do not plan how they can get the current data back to the restored servers in the main or preferred site.

Questions to consider for failing back are as follows:

The answers really lie in the complexity of the failed-over environment. If the cutover is simple, there is no reason to wait to fail back.

When failover sites are too expensive and not an option, that does not mean that an organization cannot plan for site failures. Other lower-cost options are available but depend on how and where the employees do their work. For example, remote salespeople in Companyabc.com most likely have laptops with all the necessary applications they need installed locally. On the other hand, the accounting employees probably do not have laptops, and even if they did, they would need to access the accounting server to query the updated time entries and generate customer invoices.

The following are some ways to deal with these issues without renting or buying a separate failover site:

Common uses of hardware-based disk arrays for Windows servers include RAID 1 (mirroring) for the operating system and RAID 5 (striped sets with parity) for separate data volumes. Some deployments use a single RAID 5 array for the OS, and data volumes for RAID 0/1 (mirrored striped sets) have been used in more recent deployments.

RAID controllers provide a firmware-based array management interface, which can be accessed during system startup. This interface enables administrators to configure RAID controller options and manage disk arrays. This interface should be used to repair or reconfigure disk arrays if a problem or disk failure should occur.

Many controllers offer Windows-based applications that can be used to manage and create arrays. Of course, this requires that the operating system can be started to access the Windows-based RAID controller application. Follow manufacturer’s procedures on replacing a failed disk within hardware-based RAID arrays.

If a system disk failure is encountered, the system can be left in a completely failed state. To prevent this problem from occurring, the administrator should always try to create the system disk on a fault-tolerant disk array such as RAID 1 or RAID 5. If the system disk was mirrored (RAID 1) in a hardware-based array, the operating system will operate and boot normally because the disk and partition referenced in the boot.ini file will remain the same and will be accessible. If the RAID 1 array was created within the operating system using Disk Manager or diskpart.exe, the mirrored disk can be accessed upon bootup by choosing the second option in the boot.ini file during startup. If a disk failure occurs on a software-based RAID 1 array during regular operation, no system disruption should be encountered.

If Windows Server 2003 has been installed on the second or third partition of a disk drive, a separate boot and system partition will be created. Most manufacturers require that for a system to boot up from a volume other than the primary partition, the partition must be marked active prior to functioning. To satisfy this requirement without having to change the active partition, Windows Server 2003 always tries to load the boot files on the first or active partition during installation regardless of which partition or disk the system files will be loaded on. When this drive or volume fails, if the system volume is still intact, a boot disk can be used to boot into the OS and make the necessary modification after changing the drive. Refer to “Creating a Windows Server 2003 Boot Floppy” in Chapter 32 for details on how to create a boot disk.

A data volume is by far the simplest of all types of disks to recover. If an entire disk fails, simply replacing the disk, assigning the previously configured drive letter, and restoring the entire drive from backup will restore the data and permissions.

A few issues to watch out for include the following:

The Recovery Console provides an option for administrators to boot up a system using alternate configuration files to perform troubleshooting tasks. Using the Recovery Console, the bootup sequence can be changed, alternate boot options can be specified, volumes can be created or extended, and service startup options can be changed. The Recovery Console has only a limited number of commands that can be used, making it a simple console to learn. If Normal or Safe mode bootup options are not working, the administrator can use the Recovery Console to make system changes or read the information stored in the boot logging file using the type command. The boot logging file is located at C:Windows tbtlog.txt by default and exists only if someone tried to start the operating system using any of the Safe mode options or the boot logging option.

When a complete system failure occurs, whether it is because of a site outage, a hardware component failure, or a software corruption problem, the method of recovery depends on the major goal the administrator is trying to accomplish. The goal is to get the server up and running, of course, but behind the scenes many more questions should be answered before the restore is started:

Loading the Windows Server 2003 operating system and applications can be a relatively efficient operation. This ensures that all the correct files and drivers are loaded correctly, and all that needs to follow is a system state restore to recover the server configuration and restore the data. One of the problems that can occur is that, upon installation, some applications generate Registry keys based on the system’s computer name, which can change if a system state restore is performed. Other applications—for example, Exchange Server 2003—can be restored using a /disasterrecovery installation switch and do not need the server’s system state restore, just the original computer name and domain membership, as long as computer and user certificates are not being used.

The key to choosing whether to rebuild or restore from backup is understanding the dependencies of the applications and services to the operating system and having confidence in the server’s stability at the time of the previous backups. The worst situation is attempting a restore from backup that takes several hours, only to find that the problem has been restored as well.

When a complete server system failure is encountered and the state of the operating system or an application is in question, the operating system can be recovered manually. Locating the system’s original configuration settings is the first step. This information is normally stored in a server configuration document or wherever server configuration information is kept.

Because each system is different, as a general guideline for restoring a system manually, perform the following steps:

When an operating system fails and cannot be started, a restore of the entire server may be necessary. If system volumes and data volumes exist on the same disk, performing an Automated System Recovery (ASR) restore will wipe out the entire disk, and both the system and data will need to be restored. In many cases, an ASR restore is not necessary; recovering only the system volume and system state is necessary.

After this process is complete, restores of the applications and application data should proceed. To recover a system using a clean installation and a previously backed-up system state, follow these steps:

After all the updates are installed, restore the previously backed-up system state data; afterward, restore any additional application or user data.

When a system has failed and all other recovery options have been exhausted, an ASR restore can be performed, provided that an ASR backup has been previously performed. The ASR restore will restore all disk and volume configurations, including redefining volumes and formatting them. This means that the data stored on all volumes needs to be restored after the ASR restore is complete. This restore brings a failed system back to complete server operation, except for certain applications that may require special configurations after the restore. For example, the Remote Storage service data needs to be restored separately.

To perform an ASR restore, follow these steps:

When a Windows Server 2003 system is recovered using an ASR restore, the boot.ini file may not be restored. This file contains the options for booting into different operating systems on multiboot systems and booting into the Recovery Console if it was previously installed. To restore this file, simply restore it from backup to an alternate folder or drive. Delete the boot.ini file from the C: root folder and move the restored file from the alternate location to C: or whichever drive the boot.ini file previously was located on.

When a server running Certificate Services needs to be recovered, the Certificate server and database can normally be recovered using a system state restore. If the server was recovered using a clean installation with the same server name, the system must not join the domain at first. The system state must be restored to recover the computer account SID for the certificate server. If the CA server system state has not been backed up or cannot be restored properly, the CA may not be recoverable. When the CA service is recovered using a system state restore, the certificate database can be recovered if the correct version was not restored already.

To restore the Certification Authority if the database is corrupted or if an issued certificate is deleted by mistake, the administrator should restore the CA database. If the Certification Authority does not start or cannot issue certificates properly, the CA private key and CA certificate should be restored.

Only if the Certification Authority was previously backed up as outlined in Chapter 32 can the CA database be restored independently of a system state restore. The following sections assume that a previous backup was performed and saved to the c:CaBackup directory of the CA server.

If a previous backup of the Dynamic Host Configuration Protocol (DHCP) database was performed manually using the DHCP console or if the default 60-minute database backup is being used, the following steps will restore a DHCP database to the original DHCP or an alternate DHCP server. The DHCP restore will restore server options, scopes, and scope options, including reservations, address leases, and address pools. The DHCP data will be restored in its entirety. If only a single lost configuration needs to be restored—for example, a reservation—the DHCP data can be restored to an alternate server with the DHCP service installed. This server does not need to be authorized in the forest. When the DHCP data is restored, the reservation information can be recorded and manually recreated on the original DHCP server.

To restore DHCP data to the original or an alternate DHCP server, follow these steps:

When the Windows Internet Naming Service (WINS) needs to be recovered from a previous backup, it can be recovered only from a system state backup or using the last-saved WINS backup store in the %systemroot%system32WINSBackup folder. The default for WINS server backup is during system shutdown. If more frequent backups are necessary, perform the backup as outlined in the “Creating Regular Backup Procedures” section in Chapter 32.

To restore the WINS data, follow these steps:

Domain name system (DNS) zones can be created or restored using zone files created on Windows Server 2003 or from other DNS systems. Because dynamic Active Directory–integrated zones do not store a copy of the data in a backup file, these zones can be simply re-created and the servers and workstations will repopulate the data within. Entries manually entered in the Active Directory–integrated zones will need to be manually re-created. This is why multiple Active Directory DNS servers are desired to provide redundancy.

To restore standard primary zones from a backup file, simply create a new forward or reverse lookup zone but specify to create it using the existing backup file. Creating new zones on Windows 2003 DNS is covered in Chapter 9, “The Domain Name System.”

When data folders and/or files are corrupt, missing, or a previously backed-up copy is needed, the data can be restored using NTBackup.exe if a previous backup was performed using this utility. For example, if the Marketing folder was deleted from the D: drive of SERVER1, the following backup procedure could be used to restore the data:

The Volume Shadow Copy service can be used to restore missing files or restore previous versions of files only if shadow copies have been enabled on the volume. To enable shadow copies on a volume, refer to the installation steps outlined in the “Configuring Shadow Copies” section in Chapter 30, “File System Fault Tolerance.” To restore data using shadow copies, the volume containing the data in question needs to be accessed from a share point. For example, if Volume Shadow Copy is enabled on the D: drive of SERVER1, to restore data using a shadow copy, the administrator can open a connection to \SERVER1D$.

Restoring shadow copy data allows the administrator to restore the data to the original location, or it can be copied and restored elsewhere. As an example, the Marketing folder on the SERVER1 D: drive will be restored after it is deleted. When a user reports that the Marketing folder is missing from SERVER1, follow these steps:

Another popular method of protecting the file system from data loss is to leverage the Distributed File System (DFS) replication technology to mirror information to another server. DFS is a solution that needs to be set up and running before a failure because the data needs to be replicated before a failover or recovery can take place. So this will require preplanning and implementation before the solution can be used.

To use DFS, a file system volume that is wanted for replication is identified, and a replica is created on another server. If the primary server fails, DFS automatically redirects users to access the mirrored copy of the data on the replica server.

For more details on the implementation of DFS for file system replication, see the section, “Using the Distributed File System Replication,” in Chapter 30, “File System Fault Tolerance.”

IIS Web and FTP folders are stored in the c:InetPub directory. The default location for the IIS logs is the c:Windowssystem32LogFiles folder. To recover the IIS Web site, FTP site, or IIS logs, restore the files using either shadow copy data or a backup/restore tool such as Ntbackup.exe. For detailed information on this process, refer to “Recovering Data with Volume Shadow Copy” and “Recovering Data Using NTBackup.exe,” respectively.

The Active Directory database contains all the information stored in Active Directory. The global catalog information is also stored in this database. The actual filename is ntds.dit and is by default located in the c:WindowsNTDS directory. When a domain controller is restored from server failure, the Active Directory database is restored with the system state. If no special steps are taken when the server comes back online, it will ask any other domain controllers for a copy of the latest version of the Active Directory database. This situation is called a nonauthoritative restore of Active Directory.

When a change in Active Directory needs to be rolled back or if the entire database needs to be rolled back up across the enterprise or domain, an authoritative restore of the Active Directory database is necessary.

If a file has been previously migrated to remote storage media and has been replaced on a volume with a reparse or junction point, both the remote storage media and the reparse point are needed to access the migrated data. If a user inadvertently deletes the reparse point, the administrator needs to use standard file and folder recovery processes to restore it. If no backup of the reparse point is available, the migrated data must be accessed using alternate methods.

To recover this data, insert the correct Remote Storage media into the tape device. After the media is loaded, open the Removable Storage service and move the media from the Remote Storage media pool to the backup media pool as necessary. When that is accomplished, open Ntbackup.exe and catalog the media, locate the data, and restore the original file to the desired location. One of the problems is that the data is not saved in the same folder hierarchy as it was originally on the disk, so you will need the filename and version to recover the data.

To provide redundant domain and network services to be able to deliver five nines uptime, administrators can use Windows Server 2003 built-in services and clever designs to meet the particular type of failure or disaster they are planning for. For example, if an organization provides a Web-based Internet application, five nines can be achieved in a single location by deploying the application on a network load-balancing cluster of servers. To provide this same application across separate sites, the organization would need to establish a VPN across the sites so that a single DNS record could be used to access the server from either location.