Recovering from Disasters

In this document, a disaster is defined as having to restore Exchange Server and/or Windows 2000 Server. With Exchange 2000 the introduction of multiple storage groups and databases adds more complexity to restoring. But in addition to using Windows 2000 Backup to back up and restore, you can reinstall Exchange 2000 using the /DisasterRecovery option. This option allows you to run Setup in Disaster Recovery mode to rebuild a server previously lost in the Exchange topology.

Besides Disaster Recovery setup, there are other procedures needed for recovering servers. In Exchange 2000, servers take on different roles such as Key Management Server and SRS. In addition to these new server roles, the platform Exchange is running on also adds more steps. Recovering an Exchange 2000 cluster server requires more steps than recovering a single Exchange 2000 member server.

This section describes recovery requirements and steps in the following scenarios:

• Recovering Exchange 2000
• Recovering an Exchange 2000 member server
• Recovering an Exchange 2000 member server running SRS
• Recovering an Exchange 2000 member server running Key Management Service
• Recovering an Exchange 2000 Cluster service

Requirements for Recovering Exchange 2000

There are five common requirements for recovering all Exchange 2000 servers:

• Windows 2000 and Exchange 2000 installation CDs   This includes any applicable service packs or hot fixes as outlined in the Windows 2000 and Exchange 2000 release notes.
• Full backups of the system drive   This includes any other logical drives where critical application data is installed.
• Recent Windows 2000 system state backup   A system state backup is an important type of Windows 2000 backup. Windows 2000 Backup captures and saves system configuration information that a file system backup normally fails to back up. System configuration information, such as the Windows registry and IIS metabase data, is included in a system state backup.
• Backups of Exchange databases   These are online backups of the Web Storage System databases.
• A server object in Active Directory for the server you want to restore   If an Exchange 2000 server is damaged, it is important that the server object in Active Directory is intact. If the server object is deleted from Active Directory, using either Exchange System Manager snap-in or Active Directory Users and Computers snap-in, recovery cannot succeed. Following a disaster, you must avoid changing the server object until the actual server is recovered.

Important   These steps assume that your Exchange 2000 server is a member server in a domain and not the server that runs Active Directory.

If the Exchange 2000 server is also an Active Directory server be sure to include backups of Active Directory in the system state backup. For information about the requirements for restoring Active Directory on a domain controller, see the Windows 2000 Server Operations Guide.

Recovering an Exchange 2000 Member Server

If Active Directory runs on a separate domain controller in the domain and it is intact, proceed with the steps below. If Active Directory is running on the same computer as the Exchange 2000 member server, you must first restore Active Directory before restoring Exchange 2000. For more information about restoring Active Directory, see the Windows 2000 Server Operations Guide.

In addition to reinstalling Windows 2000 on the computer and restoring file system backups, it is recommended that you restore the Windows 2000 system state. When you complete a backup of the Windows 2000 system state, which includes the Windows registry and IIS metabase, the computer returns to the state it was in before the backup.

Reinstalling Windows 2000

You might need to reinstall Windows 2000.

To reinstall Windows 2000

1. Install Windows 2000 as a stand-alone server.
2. Install the same version of Windows 2000 that was previously installed. For example, Advanced Server or Data Center Server.
3. Install Windows 2000 to the same hard drive and paths to which it was previously installed. If you need to, configure the drives to match the previous logical drive configuration.
4. Use the same server name as the original server.
5. Select all of the same components installed on the original server.
6. Do not rejoin the domain. Leave the server in a workgroup so that after you install Windows 2000, you can restore the system state that places the server in the correct domain.

Important   After reinstalling the correct version of Windows 2000, reinstall any service packs or hot fixes that were previously installed.

Restoring the System Drive

You should restore full backups of the system drive or any other logical drives where critical application data was installed. Use Windows 2000 Backup to restore file system backups to the computer on which you restored Windows 2000.

Restoring Windows 2000 System State

When you restore the Windows 2000 system state, the restored computer returns to its original domain where its computer account matches the System ID (SID) in Active Directory. Use Windows 2000 Backup to restore the Windows 2000 system state. After the restore, Windows 2000 Backup prompts you for the computer you want to restart.

Important   After restoring the system state and restarting the server, you might see an error message indicating that one or more services cannot be started. This includes services such as SMTP that were running prior to restoring system state, and services that have not been installed yet. These services require that you install Exchange 2000. If the full file system restore does not include the Exchange 2000 installation directory or other critical program data, this error message occurs. These services start after Exchange 2000 installs in disaster recovery mode.

Following the restore of your system state, the event log might show that some Exchange 2000 services have failed. If these services are not installed yet, when you restore the system state, Windows 2000 accepts that these services are installed on your server. These services start after Exchange 2000 installs in disaster recovery mode.

Run Exchange Setup in Disaster Recovery Mode

When you run Setup.exe with the /DisasterRecovery option, Exchange 2000 restores executable files and system settings without disturbing the existing Active Directory information for the system. Setup in disaster recovery mode installs Exchange 2000 without resetting the server’s configuration to defaults, but instead, leaves the server in its last configuration.

To run Exchange Setup in disaster recovery mode

1. From your Exchange 2000 CD, run setup /DisasterRecovery.
2. In Exchange 2000 Setup Wizard, be sure every component originally installed on the computer is set to the Disaster Recovery option. If the originally installed components are not selected for Disaster Recovery, select them manually.

   Important   You must install Exchange 2000 to the same drive and directory on which it was installed on the original server.

3. During disaster recovery, a message informs you that you cannot restore Exchange 2000 unless Active Directory still contains a server object for the server being restored. Use Exchange System Manager to verify that the server object exists for the server you are restoring. If the server object does not exist, the recovery process does not succeed.
4. Near the end of the setup process in disaster recovery mode, you are prompted to restore databases and then restart. If setup finishes and another dialog box appears that prompts you to restart, ignore this message and restore the databases before you restart.

Recovering Databases

To recover databases in Web Storage System, you must verify that all services on which Exchange 2000 depends are running. To restore a database, you must also dismount the database. However, because Exchange supports multiple storage groups, you only need to dismount the specific database you want to restore. This allows users access to any other databases in Web Storage System.

To recover databases in Web Storage System

1. Use Windows 2000 Backup to restore your databases. In the Restoring Database Store dialog box, in Temporary location, specify a directory in which to store a log file that is different from the directory where the original log files exist. Make sure the location has enough disk space to store the files. If you restore databases or log files to their original location, any existing databases or log files are overwritten.
2. If you are restoring a full backup without any incremental backups, click Last restore set to start the log file after restoring the database. If you are restoring a backup with incremental backups, do not select this option until you restore the last incremental backup.
3. After you finish the restore, verify that the databases are mounted before you restart the system. The Exchange 2000 member server restores after you restart the system. Configuration settings that existed before the original server was damaged remain. The restored server can return to its previous role in the Exchange organization.

Recovering an Exchange 2000 Member Server Running Site Replication Service

Recovering an Exchange 2000 member server also running Site Replication Service (SRS) requires the same steps involved in recovering a single member server. However, there are additional steps to recover the SRS database after you run Disaster Recovery setup.

In addition to the requirements described in “Requirements for Recovering Exchange 2000” earlier in this chapter, back up the Exchange 2000 SRS database. Follow the same steps listed in “Recovering an Exchange 2000 Member Server” earlier in this chapter. Reinstall Windows 2000, restore the system drive backup, restore the Windows 2000 system state backup, run Exchange 2000 Setup in disaster recovery mode, and restore Exchange Web Storage System databases. However, prior to restarting the computer as described in the last steps listed in the “Recovering Databases” section of “Recovering an Exchange 2000 Member Server” earlier in this chapter, you must perform the steps listed below to recover the SRS database from backup. Recover the SRS database using Windows 2000 Backup, and then restart the server.

To enable and start SRS after disaster recovery

1. Using the Computer Management snap-in, under Services and Application, click Services.
2. Select Exchange Site Replication Service from the list of services, and then click Properties.
3. For the Exchange Site Replication Service, set the startup to automatic, and then start the service.

To reset the password for the Exchange 5.5 service account

1. Using the Exchange System Management snap-in, click Administrative Groups, and then select your site name.
2. Right-click the site name, and then click Modify. Clear the password and confirm password boxes. Re-type and confirm the password.
3. Click Apply.

Restoring an SRS Database

Using Windows 2000 Backup, follow the same steps listed in “Recovering an Exchange 2000 Member Server” earlier in this chapter. However, instead of selecting Exchange Information Stores with Ntbackup, select the SRS database to be restored.

When you restore the SRS database, you have completed the recovery of the Exchange 2000 member server running SRS. Before you restart the system, verify that you have performed all the steps described in “Recovering an Exchange 2000 Member Server” earlier in this chapter.

Recovering an Exchange 2000 Member Server Running Key Management Service

Recovering an Exchange 2000 member server also running Key Management Service requires the same steps involved in recovering a single member server. However, there are additional steps to recover the Certificate Authority (if Certificate Authority was running on the same server as Key Management Service) and Key Management Service database after you run Setup in disaster recovery mode.

In addition to the requirements described in “Requirements for Recovering Exchange 2000” earlier in this chapter, make sure you have the following backups:

• Backup of the Exchange 2000 Key Management Service database
• Backup of the system state, including Certificate Authority if the Key Management Service server also runs Certificate Authority

Follow the same steps listed in “Recovering an Exchange 2000 Member Server” earlier in this chapter. Reinstall Windows 2000, restore the system drive backup, restore the Windows 2000 system state backup, run Exchange 2000 Setup in disaster recovery mode, and then restore Exchange databases.

If the recovered server was also the Certificate Authority, in addition to being the Key Management Service; then by restoring the system state of the original server, Certificate Authority is also restored. Certificate Authority does not have to be checked as a component to install if you are restoring the system state.

Prior to restarting the computer as described in the last steps of “Recovering Databases” in the “Recovering an Exchange 2000 Member Server” section earlier in this chapter, perform these additional steps in recovering the Key Management Service database from backup. Then restore the Key Management Service database using Windows 2000 Backup and reboot the server.

To start Key Management Service following disaster recovery

1. Using the Computer Management snap-in, under Services and Application, click Services.
2. Select Exchange Key Management Service from the list of services, and then click Properties.
3. For the Key Management Service, type the Key Management password in Startup Parameters, and then select Start.

Restoring Key Management Service Database

Use Windows 2000 Backup to perform the steps as described in the “Recovering Databases” section in “Recovering an Exchange 2000 Member Server” earlier in this chapter. However, instead of selecting Exchange Information Stores with NTBackup, select the Key Management Service database you want to restore.

The Exchange 2000 member server running Key Management Service recovery is complete after you restore the Key Management Service database. Before you restart the system, verify that you completed the steps described in “Recovering an Exchange 2000 Member Server” earlier in this chapter.

Recovering an Exchange 2000 Cluster Server

Clustering provides a mechanism for moving resources between cluster nodes when a disaster occurs. In the case where a single node fails, clustering moves Exchange 2000 resources to another node in the cluster so that services remain available to users. The node that failed can be removed from the cluster and then later replaced with another node joining the cluster. Exchange resources can then be moved back to the newly joined node so that load balancing is again achieved. This section lists the steps involved in removing a non-functioning node from a cluster, rebuilding, and then rejoining the node to that cluster.

In addition to disasters involving the loss of a single node in a cluster, there are cases where the cluster-shared disk is lost. This section describes how to recover when the cluster quorum is lost.

Recovering a Single Server in a Cluster

Clustering provides recovery when a server node goes down in a cluster. When a single node in a cluster fails, Exchange resources running on the node are moved to an available node in the cluster. Exchange databases remain intact on shared storage and can be accessed by the Exchange virtual server from another node in the cluster. This provides reliability when disaster occurs on a single node in the cluster. Once resources are moved to an available node in the cluster, follow these procedures for removing the non-functioning node and replacing it with a new node.

Evicting the Lost Server Node from the Cluster

When one cluster node suffers a disaster and needs to be replaced by a new node, you must evict the lost node.

To evict the lost server node from the cluster

1. Use Cluster Administrator to remove the lost node from the cluster.
2. Use Cluster Administrator to verify that the evicted node for each cluster group and resource does not appear as a possible or preferred owner.
3. Physically remove the damaged node from the cluster and shared storage.

Building a New Server Node for the Cluster

The lost node does not have to be rebuilt like the original lost node. An entirely new node can be built (new computer name, new IP) and then joined to the cluster. Perform the following steps to build a new server node.

To build a new server node for the cluster

1. Install Windows 2000 on the new computer and provide a new computer name.
2. Join the same domain as before with same administrative permissions given to the Exchange Administrator account.
3. Set up the new computer to access the same shared storage as the original node.

Rejoining the Server Node to the Cluster

To rejoin the server node to the cluster, set up Cluster service on the newly built server. When asked to join a cluster, specify the cluster you want to join.

Installing Exchange on the Server Node and Moving Resources Back to the Node

You might need to install Exchange on the server node and move resources back to the node.

To install Exchange on the server node and move resources back to the node

1. Install Exchange 2000 on the newly joined node. You must do this before Exchange resources can be moved back to the newly joined node.
2. Verify that the cluster groups and resources on the other node show that the new node is a possible or preferred owner.
3. Move the Exchange resources that originally failed back to the new node.

Recovering a Lost Cluster Quorum

In order to recover from a cluster quorum failure, you must perform a cluster quorum backup. In addition to the requirements described in “Requirements for Recovering Exchange 2000” earlier in this chapter, you must also have a system state backup containing the cluster quorum.

Typically you need to recover a single lost node in a cluster. However, you might have a case where the cluster quorum is lost on the shared disk along with the Exchange databases. If this occurs, you must restore the cluster quorum from backup.

Restoring the Cluster Quorum From Backup

Before you can restart Cluster service on any nodes in the cluster, you must restore the quorum.

To restore the quorum from backup

1. Use the Windows 2000 Server Resource Kit Dumpconfig utility to restore the signature of the quorum disk if it has changed since you made the backup.
2. If the Cluster service is running, stop the Cluster service on all cluster nodes.
3. Restore the system state (containing the contents of the cluster quorum disk) using Windows 2000 Backup. Windows 2000 Backup puts the contents of the cluster quorum disk in subdirectory systemroot\cluster\cluster_backup.
4. After restoring, you are prompted to restart. Instead of restarting, run Clusrest.exe tool to restore the content of the systemroot\cluster\cluster_backup directory to the cluster quorum disk. The Clusrest.exe tool is included in the Windows 2000 Server Resource Kit.
5. Restart the computer.

Restoring Exchange 2000 Databases from Backup

After you restore the quorum and restart the nodes in the cluster, verify whether the shared disk resource can be accessed after the Cluster service has started. If the shared disk where Exchange databases reside can be accessed and has survived the disaster, check to see if the .edb, .stm, and .log files still exist for the Exchange virtual server storage groups. If they are intact, start your Exchange resources. If the shared drive is lost, restore your Exchange databases from backup.

To restore Exchange 2000 databases from backup

1. Start Exchange System Manager, and then select the Do not mount at startup check box for databases owned by the Exchange virtual servers on the cluster. This avoids creating new databases on the shared disk resource when the Exchange resources start.
2. Using Windows 2000 Backup, perform the steps as described in the “Recovering Databases” section in “Recovering an Exchange 2000 Member Server” earlier in this chapter.

   Note   On a cluster server, you must verify that the shares where Exchange databases reside are available to and accessible by the cluster node that owns the disk resource.

3. Use Exchange System Manager to verify that databases are mounted and check the Event log. Click to clear the Do not mount at startup check box for each database that is successfully restored.

Source: Exchange 2000 Resource Kit