Microsoft Active Directory is a standard in corporate environments where authentication and central user-management are required. It’s almost impossible to imagine how system administrators would be able to do their jobs effectively if this technology didn’t exist. Not only is Active Directory a great power, but it's also a great responsibility — and it requires spending a lot of time with it in order to maximize its capabilities.
The purpose of this series is intended to aid you with the successful backup and recovery of Active Directory Domain Services with Veeam, giving you all the keys to painless AD protection. Before reading this, you might want to take a look at the Best practices for AD administration series we posted a while ago.
The actual series is going to discuss how Veeam can protect Active Directory data — preserve Domain Controllers (DCs) or individual AD objects and recover either of them when required.
Today, I’m going to talk about the backup options Veeam offers for both physical and virtualized Domain Controllers, and backup considerations to keep in mind while you do that.
Backup Domain Controller considerations
Active Directory Domain Services is designed with built-in redundancy (several DCs replicating the same data), so the common backup rules and tactics can be relaxed and adapted to that. It wouldn’t be right to apply the same backup policy you have for SQL or Exchange servers here. Below are some considerations I believe might be helpful for creating your own Active Directory backup policy:
- Learn which domain controllers hold Flexible Single Master Operations (FSMO) roles in your environment. Hint: a simple way to check this from the command line is: netdom query fsmo
When performing a full domain recovery, you might want to start from the DC holding the most FSMO roles, usually the one with the PDC emulator role. Otherwise, you will have to transfer the roles manually after the restore with the ntdsutil seize command. Keep this in mind when planning backups and prioritize Domain Controllers accordingly. Refer to the Active Directory basics white paper to learn more about FSMO roles.
- If you have multiple Domain Controllers for the site and you’re looking for individual object protection, there’s no need to back up all DCs: for item-level recovery, one copy of the Active Directory database (ntds.dit) is sufficient.
- Some measures always mitigate the risk of accidental or intentional deletion or change of AD objects: consider delegating administrative operations, restricting access to elevated groups and maintaining a “lag” site.
- It’s usually recommended to back up one Domain Controller at a time, so as not to interfere with DFS Replication, even though modern backup applications (e.g., Veeam Backup & Replication v7 with Patch 3 and onwards) know how to deal with this.
- If you have a VMware virtual environment and it is not possible to connect to your Domain Controller over the network (for example, because it sits in a DMZ), Veeam will fail over to VIX and should still be able to process your DC.
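As an added example (not part of the original post), the following PowerShell script does what the FSMO consideration above recommends: it enumerates the role holders through the RSAT ActiveDirectory module, groups the roles by DC and sorts the DCs so that the one to restore first (most roles, PDC emulator breaking ties) is at the top of your backup priority list. It assumes the ActiveDirectory module is installed and that the account running it can read the forest and domain objects; the output is the same information netdom query fsmo prints, just ranked.

```powershell
# Added example, not Veeam's or the original post's code.
# Assumes the RSAT ActiveDirectory module is installed and you can query the forest.
Import-Module ActiveDirectory

$forest = Get-ADForest
$roles  = @{}

# Forest-wide roles (one holder each for the whole forest)
$roles['SchemaMaster']       = $forest.SchemaMaster
$roles['DomainNamingMaster'] = $forest.DomainNamingMaster

# Domain-wide roles, collected for every domain in the forest
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $roles["PDCEmulator ($domainName)"]          = $domain.PDCEmulator
    $roles["RIDMaster ($domainName)"]            = $domain.RIDMaster
    $roles["InfrastructureMaster ($domainName)"] = $domain.InfrastructureMaster
}

# Group the roles by the DC that holds them and rank the DCs:
# most roles first, and among equals the PDC emulator holder first.
$backupPriority = $roles.GetEnumerator() |
    Group-Object -Property Value |
    ForEach-Object {
        [pscustomobject]@{
            DomainController = $_.Name
            RoleCount        = $_.Count
            HoldsPdc         = (@($_.Group.Key) -match '^PDCEmulator').Count -gt 0
            Roles            = (@($_.Group.Key) -join ', ')
        }
    } |
    Sort-Object -Property @{ Expression = 'RoleCount'; Descending = $true },
                          @{ Expression = 'HoldsPdc';  Descending = $true }

# The first row is the DC you would restore first in a full domain recovery,
# so it is the one whose backup deserves the highest priority.
$backupPriority | Format-Table -AutoSize
```

DCs that hold no FSMO role do not appear in the table; for item-level recovery any one of them is still a valid source, as the next consideration notes.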
How to backup a virtual Domain Controller
Microsoft's Active Directory Domain Services organize and keep information about individual objects within the forest and store it in a relational database (ntds.dit) hosted by a domain controller. Backing up a Domain Controller used to be a tiresome process, involving backing up the server’s system state. It’s a well-known fact that Active Directory services don’t consume a lot of system resources, so Domain Controllers are often among the first servers to be virtualized in an environment. If you happen to share the old belief of “physical DCs only”, please refer to
Once virtualized, they are easy for a domain/system administrator to manage and can be easily backed up with Veeam Backup & Replication. As a prerequisite, you should have Veeam Backup & Replication installed and configured. The system requirements (for version 9.0) are as follows:
Virtual platform: VMware vSphere 4.1 and newer; Microsoft Hyper-V 2008 R2 SP1 and newer
Veeam server: Windows Server 2008 SP2 and newer; Windows 7 SP1 and newer, 64-bit OS
Domain controller virtual machine (VM): Windows Server 2003 SP1 and newer, the minimum supported forest functional level of Windows 2003
Permissions: Administrative rights for target Active Directory. Account of an enterprise administrator or domain administrator.
This article doesn't intend to cover the Veeam Backup & Replication installation and configuration process, as it has already been described a few times. If you need help with that, please refer to the following
I’m going to assume that you have everything running fine. Now you’d like to configure a backup task for your virtual Domain Controller. The process of configuration is rather simple (see figure 1 below):
1. Launch a Backup Job creation wizard
2. Add a desired Domain Controller to the task
3. Specify the retention policy for the backup chain
4. Make sure you enable application-aware image processing (AAIP) to ensure transactional consistency of OS and applications running on the VM, including the Active Directory database and SYSVOL catalog
Note: AAIP is a Veeam technology that allows the software to back up VMs in an application-aware way. This involves detecting the applications running in the guest OS and collecting their metadata, quiescing them using the corresponding Microsoft VSS writers, preparing an application-specific VSS restore procedure to take place upon the first boot of the restored VM, and truncating the applications’ transaction logs if the backup task succeeds. Please refer to the AAIP documentation for details.
If AAIP is not enabled, the Domain Controller’s guest OS will not register that it was backed up and protected. So, a while later, you might notice an internal warning in the server logs: event 2089, stating that there was no backup for “backup latency interval” days.
5. Schedule a job or run it manually
6. Ensure the job completed successfully with no errors or warnings
7. Find the newly created backup file in the backup repository — that’s it!
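To verify from the DC itself that step 4 had the intended effect, here is an added PowerShell check (not code from the original post or from Veeam). It reads the backup latency threshold that governs event 2089 from the NTDS Parameters key, prints the last backup time the directory recorded for each partition with repadmin /showbackup, and looks for any event 2089 in the Directory Service log over the last week. It assumes it runs in an elevated session on the Domain Controller; the seven-day window is an arbitrary choice for the example.

```powershell
# Added example, not Veeam's or the original post's code. Run elevated on the DC.

# Threshold (in days) after which the DC logs event 2089; the registry value is
# optional and the default is 90 days when it is absent.
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$latency = (Get-ItemProperty -Path $ntdsParams -ErrorAction SilentlyContinue).'Backup Latency Threshold (days)'
if (-not $latency) { $latency = 90 }
Write-Host "Backup latency threshold: $latency days"

# Last backup the directory itself recorded per naming context. A VSS-aware
# (AAIP) backup updates this; a plain crash-consistent image does not, which is
# exactly why event 2089 appears when AAIP is left off.
Write-Host "`nLast registered backup per partition:"
repadmin /showbackup

# Look for the warning the post mentions. 7 days is an arbitrary window for the example.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = 2089
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

if ($events) {
    $newest = @($events)[0]
    Write-Warning ("{0} event(s) 2089 in the last 7 days; newest at {1}" -f @($events).Count, $newest.TimeCreated)
    $newest.Message
} else {
    Write-Host "`nNo event 2089 in the last 7 days: the last backup was registered within the threshold."
}
```

If repadmin /showbackup shows a recent timestamp but you still see 2089 for some partition, that partition simply wasn't covered by the last AAIP-enabled job; a fresh run of the job with AAIP on clears the condition at the next check.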
Additionally, you can store a backup in the cloud with a Veeam Cloud Connect (VCC) service provider, copy it to another backup repository using Veeam Backup Copy jobs, or archive it to tape with a Backup to Tape job. The most important thing is that the backup is now safe and can be restored as soon as you need it.
How to back up a physical Domain Controller
Frankly speaking, I hope that you’ve been updating AD services in your company and that your Domain Controllers have been virtualized for a long time. If not, I hope that you’ve at least been updating your Domain Controllers, and that they’re running relatively modern Windows Server OS versions, Windows Server 2008 R2 or newer. (If managing older systems, skip the below and go to the third article right away)
So, you have a physical Domain Controller, or a set of them, running on Windows Server 2008 R2 or newer, and you want to protect your AD? Meet Veeam Endpoint Backup, the utility aimed at ensuring that data on your remaining physical endpoints and servers is safe and secure. Veeam Endpoint Backup captures the desired data of the physical machine and stores it in a backup file. Then, in case of a disaster, you are able to do a bare-metal or volume-level restore while having full control of the recovery procedure. Plus, item-level recovery with Veeam Explorer for Microsoft Active Directory.
In order to back up your physical Domain Controller with this tool you should:
- Download Veeam Endpoint Backup FREE from this page and copy it to your DC
- Launch the installation wizard, accept the license agreement and install the program
Note: read these instructions for installing in Unattended Mode.
- Configure a backup job by selecting the appropriate backup mode. Backing up the entire computer is the simplest and recommended approach. When using file-level backup mode, be sure to select Operating system as an object to back up (see Figure 3). This ensures that the program captures all files required for a bare-metal restore; the Active Directory database and SYSVOL catalog will also be saved. Refer to the product user guide for details.
Note: If you have Veeam Backup & Replication instance in your infrastructure and you’d like to use a configured Veeam Backup Repository to accept endpoint backups, please reconfigure it right from Veeam Backup & Replication (Ctrl-right click on a desired repository, allow access to the repository and enable backups encryption if needed, see Figure 4).
- Run the backup, and make sure it’s done with no errors
- Voila! The backup is done, and your Domain Controller is protected from now on. Go to the backup destination and find the backup or the backup chain
Note: If you configured a Veeam Backup & Replication repository as the target for the DC backup, you will find the newly created backup under the Backups > Disk node, in the Endpoint Backups node.
Is Domain Controller backup that simple? Yes and no. Successful backup is great for starters, but that’s not all you need. Like we say at Veeam, “Backup is not worth a penny if you can’t restore from it.”
The following articles in this series are dedicated to different Active Directory recovery scenarios, including the restore of a particular Domain Controller, as well as the recovery of individual deleted and changed objects using native Microsoft utilities and Veeam Explorer for Active Directory.
- White paper Granular Recovery of Active Directory Objects
- Veeam Community Forums: Backing up Domain Controller in another AD domain issue