It recently came to my attention that repadmin + showbackup had no google hitsWell I'd like to fix that.

First a little back story ... around I guess 2003 there had been a growing trend (of PSS whining, er I mean noticing that) customers are not taking any backups, and many customers didn't quite understand how application Naming Contexts (NCs) are not replicated to every Domain Controller (thus the old adage of "backup one DC from every domain" was stale) ... and so people would be missing critical data at restore time ... with restore time being like the 3rd worst time to be missing critical data, but the most likely time to call PSS, PSS asked if we could help, and we / AD dev (were drunk when they asked, had time on our hands, tired of feeling guilty about our in-box monitoring tools story, felt like "putting the feature back in service pack", maybe we were bored... whoa is this my outside voice?) happily said what can we do to help...

So to address this issue, for Win2k3 SP1 we hashed out adding the ability for DCs to log an event (Event ID 2089) if a Naming Context is not being backed up regularly within a certain latency.  The default latency is 1/2 the tombstone lifetime (too long IMNHO) ... oh and there is a reason this event won't be logged for an NC, but whatever ... this is not a post about that mechanism / event (more on it someday), besides we're not even sure most admins are capable of reading the event logs (is that too insulting ...where is the line?  I can never tell?) ...

OK, event logs are fine, but you want to know now!  When I added the 2089 event to AD, I added the /showbackup command to repadmin.  This basically can show when backups were taken of various writable NCs the DC hosts. (this block may make the post wide, probably mess stuff up, but anyway here is the output of the command):

C:\bin\rel\win2k3\sp1\x86fre>repadmin.exe /showbackup mycorp-dc-02

Loc.USN                          Originating DC   Org.USN  Org.Time/Date          Ver Attribute
=======                          =============== ========= =============          === =========
DC=DomainDnsZones,DC=MyCorp,DC=com
329205835     084f51ed-d53e-4bad-83db-28694870fdb9 127958011 2006-02-08 02:51:22  197 dSASignature
DC=ForestDnsZones,DC=MyCorp,DC=com
329258203     084f51ed-d53e-4bad-83db-28694870fdb9 127958010 2006-02-08 02:51:22  202 dSASignature
CN=Schema,CN=Configuration,DC=MyCorp,DC=com
330447680     e0cc9580-1546-4da9-af2b-0929c37a378a  68598018 2006-02-09 02:14:56  897 dSASignature
CN=Configuration,DC=MyCorp,DC=com
330447359     e0cc9580-1546-4da9-af2b-0929c37a378a  68598017 2006-02-09 02:14:56  898 dSASignature
DC=MyCorp,DC=com
329205750     084f51ed-d53e-4bad-83db-28694870fdb9 127958006 2006-02-08 02:51:20  205 dSASignature
DC=UnLovedOlderChild,DC=MyCorp,DC=com
DC=UnLovedYoungerChild,DC=MyCorp,DC=com
Obviously the green is showing you can basically see when the DomainDnsZones was last backup.  You can probably guess from this output how we are tracking the last backup too.  Note: This tracking can only be done if a DC you're taking backups on is upgraded to Win2k3 SP1.

And of course "repadmin /showbackup *" should work if you want to capture the last backup time across all NCs (which means hitting all DCs, thus the *).  Don't assume your backup software is smart enough to understand where the NCs are instantiated / replicated to.

It's funny (or embarressing, depending on who you are) 2 years after coding something, you review it, and immediately see everything you screwed up...
  • The above command should've resolved the Orig DC invocation IDs into DC names, so you could know where that backup was taken.  That's just fricken sloppy, sorry about that.  I really piss me off sometimes.
  • In retrospect it would have been better to add another partition test to dcdiag.  That would've been way sweeter, fails if over timestamp latency, and /v would print out how old the last backup is, and what DC it was taken on.
  • Would've been cool to add to ntdsutil the ability to control the backup latency event's sensitity on a per partition basis.  The feature has this ability today it is just not exposed, instead you've got to use a reg key (which I don't recommend).
  • This was actually from a corp DC, but I changed the names ... but it makes me wonder if that's right our child domains aren't being backed up, or there is a bug in the tool / mechanism?  Those are partial replicas though, it might not being working on partial replicas ... that's an excercise for the reader ... let me know.
So there you have it repadmin /showbackup, as any self respecting admin, I suggest you move "Try a test restore of our backups" to the bottom of your TODO list, and play with this repadmin command instead.  No, no don't worry the restore will just work if you need it, play with this instead.

Well, that is IMNHO only about 1/2 a post ... I didn't even get to the Backup FSMO role (some other time hopefully) ... but tis all I have time for now, sorry.

OK, they CAN NOT be serious, I only have a single sans-serif font to choose from!?  Oh, and that font (Arial) even has a sertif on lower case-t.  Verdana has serifs on upper case I, but it is mostly serifless.  Guh, I'm not sure I can actually live with blogging in this medium, alright Verdana it is, god I miss my Mac ...

Oh and if you're wondering it was Mr "Grillenmeier, Guido" that was the unintentional catalyst to my first post, not the more derisive elements of my life.

 Cheers,
BrettSh [msft]
Building #7 Garage Door Operator

P.S. - I still am not quite happy with my categories yet, and I still don't have my Orange theme back, (remorseful voice) it was a really good theme.  But at least I can complain now as I'm blogging^H^H^H^Hed.