TSM backup and restore of NTUSER.DAT in a Windows 2000 and Windows XP environment

Answer

This information is valid for the Tivoli Storage Manager for Windows Backup-Archive Client in a Windows 2000 or Windows XP environment. It does not pertain to Windows ME, Windows NT 4.0, or Windows .Net Server 2003.

Update: If you are using the Tivoli Storage Manager for Windows Backup-Archive Client Version 5.3.2 or later and are running in a 32-bit environment, you can use the Open File Support (OFS) feature to backup the NTUSER.DAT and USRCLASS.DAT files. If you use the Open File Support feature these files will be processed during regular Tivoli Storage Manager backups and you do not need to use the procedures listed in this article. This article still applies for 64-bit environments.

What are NTUSER.DAT and USRCLASS.DAT files?

NTUSER.DAT and USRCLASS.DAT are used to store user-specific customization information, e.g., desktop settings, shortcut keys. Most user-specific information is stored in NTUSER.DAT; USRCLASS.DAT is used to store the user-specific COM Classes portion of the user profile. It is beyond the scope of this document to describe exactly which applications use which of these two files to store customization information. For the intent of this document, it is suffice to say that these two files are critical in the restoration of user-specific customization information on the system.

How are the NTUSER.DAT and USRCLASS.DAT files processed during backup?

If the user is currently logged onto the system, the information in these two files are loaded into the HKEY_USERS registry hive and effectively locked for read or write access on the file system.

During a full system backup, i.e., the system drive and SYSTEM OBJECTS, this information will be processed by Tivoli Storage Manager in one or two ways:

· If the user is not currently logged in the system, then the information in NTUSER.DAT and USRCLASS.DAT will be processed as part of the system drive incremental backup, e.g., the backup of the C: drive
· If the user is currently logged in the system, the system drive processing will not backup these files because they will be opened exclusively by the system (error message:
ANS4987E Error processing '\\florence\c$\Documents and Settings\Administrator\NTUSER.DAT': the object is in use by another process), but these files will be processed with the backup of the registry. These ANS4987E messages can be ignored.

What are the recommendations for exclusion of NTUSER.DAT and USRCLASS.DAT and supporting files?

The NTUSER.DAT and USRCLASS.DAT files can be excluded if you do not wish to backup/restore the user-specific customization information. This may be desirable on server machines where little customization is used or in environments where standard operating system images are deployed and there is little additional customization.

The NTUSER.DAT and USRCLASS.DAT files should not be excluded if you wish to backup/restore the user-specific customization information correctly. (This is the default behavior of the Tivoli Storage Manager Backup-Archive client). Note that when these files are not excluded, the ANS4987E error messages (see above) are expected if the user is logged in the system during the backup.

The .log files (i.e., NTUSER.DAT.LOG and USRCLASS.DAT.LOG) can always be excluded. They are not needed for restoration of the user-specific customization information.

What happens during restore?

There is one special caveat to restoring registry hives which do not currently exist on the system:

An application cannot create a key that is a direct child of HKEY_USERS or HKEY_LOCAL_MACHINE

Essentially, applications like Tivoli Storage Manager are only allowed to replace existing keys which are direct children of these two keys. For example, Tivoli Storage Manager is not at liberty to create the HKEY_LOCAL_MACHINE\System key during a restore operation, but it is allowed to replace the existing System hive. Therefore, when restoring the HKEY_USERS keys, only the users that are currently logged in during the restore process will have there user-specific customization (i.e., NTUSER.DAT and USRCLASS.DAT in the registry) replaced. Let’s look at an example:

During a Tivoli Storage Manager backup operation at time b0, USER-A, USER-B and Administrator are logged in the Windows server. USER-C is not logged in the Windows server. While processing the system drive, Tivoli Storage Manager will try to backup the NTUSER.DAT and USRCLASS.DAT files for all users, including the Administrator. Since USER-A, USER-B and the Administrator are currently logged in, the NTUSER.DAT and USRCLASS.DAT files will not be processed since they are in use by the system. These files will be processed for USER-C since USER-C is currently not logged in. When the Tivoli Storage Manager process the registry for backup, the NTUSER.DAT and USRCLASS.DAT information for USER-A, USER-B and Administrator will be processed from the user keys in the HKEY_USERS hive.

At a subsequent time, b1, USER-A, USER-C and Administrator are logged in the Windows server. This time the Tivoli Storage Manager will successfully backup the NTUSER.DAT and USERCLASS.DAT files for USER-B (not logged in) and process the USER-A, USER-C and Administrator information during the registry backup.

The login information is summarized in the table below:

time	USER-A	USER-B	USER-C	Administrator
b0	P	P		P
b1	P		P	P
r0				P

During a disaster recovery at time r0, the Administrator re-creates the OS on the Windows server and initiates a restore from Tivoli Storage Manager. While restoring the system drive, the NTUSER.DAT and USRCLASS.DAT files are restored for both USER-B and USER-C (even though USER-C did not make a backup during the last backup window, there is still and active copy of these files on the Tivoli Storage Manager server). Next, the registry is restored. During the restore of the active registry files, the HKEY_USERS keys for USER-A, USER-C and Administrator will be processed. Since only the Administrator is logged in, only the HKEY_USERS hives for the Administrator will be replaced on the system after reboot.

After the restore is complete, the individual user situations will be as follows:

· USER-A will not have any user-specific customization information since the NTUSER.DAT and USRCLASS.DAT information was not restored from the registry. USER-A will use the system default profiles.
· USER-B will have the correct NTUSER.DAT and USRCLASS.DAT files from the last backup.
· USER-C will have NTUSER.DAT and USRCLASS.DAT information. This information is not from the latest backup but from the backup prior.
· Administrator will have the correct user-specific customization information restored from the registry.

USER-A	USER-B	USER-C	Administrator
none	b1	b0	b1

So, how do I restore the USER-A and the latest USER-C user-specific customization information?

Unless these users are logged-in during the registry restore, it will be no use to try to re-restore the registry files. The simplest way to accomplish the restore of this information is to manually restore the NTUSER.DAT and USRCLASS.DAT files. The registry files that could not be activated from the restore will still be in the staging directory, \adsm.sys, on the system drive. If you look at the contents of the directory, you can find the NTUSER.DAT and USRCLASS.DAT files for the USER-A and USER-C (these are examples of the files for USER-A):

C:\adsm.sys\W2KReg\REGISTRY\USER\S-1-5-21-1757981266-1085031214-682003330-500\Device\HarddiskVolume1\Documents and Settings\USER-A\NTUSER.DAT

C:\adsm.sys\W2KReg\REGISTRY\USER\S-1-5-21-1757981266-1085031214-682003330-500_Classes\Device\HarddiskVolume1\Documents an d Settings\USER-A\Local Settings\Application Data\Microsoft\Windows\USRCLASS.DAT

Simply copy these files over the current files in USER-A’s “Documents and Settings” folder. (Note that USER-A cannot be logged into the server at this time otherwise the files will locked and you will not be able to complete the copy operation)