Backing up Domain Controller: Best practices for AD protection (Part 1)

Read the full series:

Ch.1 — Backing up Domain Controller
Ch.2 — How to recover a Domain Controller
Ch.3 — Reanimating Active Directory tombstone objects
Ch.4 — Leveraging Active Directory Recycle Bin

 


 Microsoft Active Directory is a standard in corporate environments where authentication and central user-management are required. It’s almost impossible to imagine how system administrators would be able to do their jobs effectively if this technology didn’t exist. Not only is Active Directory a great power, but it’s also a great responsibility — and it requires spending a lot of time with it in order to maximize its capabilities.

The purpose of this series is to aid you with the successful backup and recovery of Active Directory Domain Services with Veeam, giving you all the keys to painless AD protection. Before reading this, you might want to take a look at the Best practices for AD administration series we posted a while ago.

This series discusses how Veeam can protect Active Directory data: preserving Domain Controllers (DCs) or individual AD objects and recovering either of them when required.

Today, I’m going to talk about the backup options Veeam offers for both physical and virtualized Domain Controllers, and backup considerations to keep in mind while you do that.

Backup Domain Controller considerations

Because Active Directory Domain Services is designed with a degree of redundancy, the common backup rules and tactics can be relaxed and adapted accordingly. It wouldn’t be right to apply the same backup policy you have for SQL or Exchange servers here. Below are some considerations I believe might be helpful for creating your own Active Directory policies:

How to back up a virtual Domain Controller

Microsoft’s Active Directory services organize and keep information about individual objects within the forest and store it in a relational database (ntds.dit) hosted by a domain controller. Backing up a Domain Controller used to be a tiresome process that involved backing up the server’s system state. It’s well known that Active Directory services don’t consume a lot of system resources, so Domain Controllers tend to be the first servers virtualized in an environment. If you happen to share the old belief of “physical DCs only”, please refer to this post.

Once virtualized, they are easy for a domain or system administrator to manage and can be easily backed up with Veeam Backup & Replication. You should have Veeam Backup & Replication installed and configured. The system requirements (for version 9.0) are as follows:

Virtual platform: VMware vSphere 4.1 and newer; Microsoft Hyper-V 2008 R2 SP1 and newer

Veeam server: Windows Server 2008 SP2 and newer; Windows 7 SP1 and newer, 64-bit OS

Domain controller virtual machine (VM): Windows Server 2003 SP1 and newer; the minimum supported forest functional level is Windows 2003

Permissions: Administrative rights for the target Active Directory (an enterprise administrator or domain administrator account).

This article doesn’t cover the installation and configuration of Veeam Backup & Replication, as that has already been described a few times. If you need help with that, please refer to the following video recorded by a Veeam system engineer.

I’m going to assume that you have everything running fine. Now you’d like to configure a backup task for your virtual Domain Controller. The process of configuration is rather simple (see figure 1 below):

  1. Launch a Backup Job creation wizard
  2. Add a desired Domain Controller to the task
  3. Specify the retention policy for the backup chain
  4. Make sure you enable application-aware image processing (AAIP) to ensure transactional consistency of OS and applications running on the VM, including the Active Directory database and SYSVOL catalog
NOTE:
AAIP is a Veeam technology that allows the software to back up VMs in an application-aware way. This involves detecting applications in the guest OS and collecting their metadata, quiescing them using the corresponding Microsoft VSS writers, preparing an application-specific VSS restore procedure to take place upon the first boot of the restored VM, and truncating the applications’ transaction logs if the backup task is successful. Please refer to the AAIP documentation for details.

If AAIP is not enabled, the Domain Controller’s guest OS will not register that it was backed up and protected. So, a while later, you might notice an internal warning in the server logs: event 2089, stating that there was no backup for “backup latency interval” days.

Figure 1. Edit Backup Job: Guest processing
  5. Schedule a job or run it manually
  6. Ensure the job completed successfully with no errors or warnings
Figure 2. Performing incremental backup of a DC
  7. Find the newly created backup file in the backup repository. That’s it!
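
To confirm from the Domain Controller’s side that the backup was registered (the event 2089 warning mentioned in the AAIP note), a check like the following can be run on the DC after the job completes. This is an added example, not part of the original article or of Veeam’s tooling; the seven-day lookback window is an assumption.

```powershell
# Added example: run in an elevated PowerShell session on the Domain Controller.

$LookbackDays = 7   # assumption: how far back to search; match your backup schedule
$since = (Get-Date).AddDays(-$LookbackDays)

# Event 2089 is written to the "Directory Service" log when Active Directory has
# not seen a backup of a directory partition within the backup latency interval.
$warnings = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2089
        StartTime = $since
    } -ErrorAction SilentlyContinue)

if ($warnings.Count -eq 0) {
    Write-Output "No event 2089 in the last $LookbackDays days."
}
else {
    Write-Warning "$($warnings.Count) event 2089 record(s) found; AD does not see a recent backup."
    $warnings |
        Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated,
            @{ Name = 'Summary'; Expression = { ($_.Message -split '\r?\n')[0] } } |
        Format-Table -AutoSize -Wrap
}

# repadmin /showbackup prints, for each directory partition, the time of the
# last backup that Active Directory itself recorded. A timestamp that does not
# advance after a "successful" job suggests the backup was not application-aware.
repadmin /showbackup $env:COMPUTERNAME
```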

Additionally, you can store a backup in the cloud with a Veeam Cloud Connect (VCC) service provider or in another backup repository using Veeam Backup Copy jobs, or archive it to tape with a Backup to Tape job. The most important thing is that the backup is now safe and can be restored as soon as you need it.

How to back up a physical Domain Controller

Frankly speaking, I hope that you’ve been updating AD services in your company and that your Domain Controllers have been virtualized for a long time. If not, I hope that you’ve at least been updating your Domain Controllers, and that they’re running relatively modern Windows Server OS versions, Windows Server 2008 R2 or newer. (If you are managing older systems, skip the section below and go to the third article right away.)

So, you have a physical Domain Controller, or a set of them, running Windows Server 2008 R2 or newer, and you want to protect your AD? Meet Veeam Endpoint Backup, a utility designed to ensure that data on your remaining physical endpoints and servers is safe and secure. Veeam Endpoint Backup captures the desired data of the physical machine and stores it in a backup file. Then, in case of a disaster, you are able to do a bare-metal or volume-level restore while having full control of the recovery procedures. Plus, you get item-level recovery with Veeam Explorer for Microsoft Active Directory.

In order to back up your physical Domain Controller with this tool you should:

Figure 3. Selecting objects to backup in Veeam Endpoint Backup 
NOTE:
If you have a Veeam Backup & Replication instance in your infrastructure and you’d like to use a configured Veeam Backup Repository to accept endpoint backups, please reconfigure it right from Veeam Backup & Replication (Ctrl-right click on the desired repository, allow access to the repository and enable backup encryption if needed, see Figure 4).
Figure 4. Setting Endpoint Backup Permission for backup repository
Figure 5. Veeam Endpoint Backup FREE: Backup job statistics
Figure 6. Incremental backup chain
NOTE:
If you configured a Veeam Backup & Replication repository as the target for the DC backup, you can find the newly created backup under the Backups > Disk node, in the Endpoint Backups node.
Figure 7. Veeam Backup & Replication: Backups-disk 

Conclusion

Is Domain Controller backup that simple? Yes and no. Successful backup is great for starters, but that’s not all you need. Like we say at Veeam, “Backup is not worth a penny if you can’t restore from it.”

The following articles in this series are dedicated to different Active Directory recovery scenarios, including the restore of a particular Domain Controller, as well as the recovery of individual deleted and changed objects using native Microsoft utilities and Veeam Explorer for Active Directory.

