Read the full series:
|Ch.1 — Backing up Domain Controller
Ch.2 — How to recover a Domain Controller
Ch.3 — Reanimating Active Directory tombstone objects
Ch.4 — Leveraging Active Directory Recycle Bin
Continuing my previous posts about Active Directory (AD) management and restore with Veeam products, I would like to talk a bit more about relatively recent enhancements we brought into this process. Today, I’ll focus this article on the newest recovery features of Veeam Explorer for Microsoft Active Directory, released with Veeam Backup & Replication versions v9 and 9.5. Warning: Each new version of Veeam Backup & Replication comes with updated Veeam Explorer for Microsoft Active Directory, so it’s important to be aware of software versioning in order to know the scope of possible operations. Additionally, it’s generally a good idea to keep your Veeam infrastructure (and operating systems of VMs) at supported and recent versions.
As I mentioned before, we introduced Veeam Explorer for Microsoft Active Directory — a very helpful utility when it comes to AD objects recovery — as a part of Veeam Backup & Replication v8. Its initial functionality was intended to solve the most frequent cases administrators have with Active Directory: Granular objects and containers recovery (ok, password recovery also was included, as well as AD data export in LDIFDE format). All of that made a lot of people happy, but, as always, they wanted more. The community gave us great feedback, asking for additional features for less frequent cases or specific scenarios. We found out that, besides the most frequent operations like adding and removing users/computers to the domain, sometimes they had to deal with more advanced restore operations related to Group Policy Objects (GPO), DNS-integrated records and so on. That said, we worked hard and added some new functionality to provide administrators with such options.
Starting from Veeam Backup & Replication v9, you can restore Group Policy Objects, and the process is very easy.
Note: Group Policy is a Windows Server feature (since Windows Server 2000) that allows an administrator to centrally manage the working environment of users and computers, allowing common policies to be configured from one place and then distributed at ease, while also controlling what users/computers can or cannot do.
In order to restore GPO, you have to make sure you are running the appropriate Veeam Backup & Replication version and that you have already taken a valid backup file of your Domain Controller (DC). The actual recovery procedure is very similar to one I described before:
- Administrator starts application-item restore for Microsoft Active Directory from the main ribbon or via the backups hive
- Then, the administrator selects an appropriate backup point with a known valid state
- Veeam Backup & Replication mounts that restore point to the backup server, extracting the Active Directory database and SYSVOL catalog, and automatically opens them in Veeam Explorer for Microsoft Active Directory
- If all prerequisites are met, the administrator should be able to find the Group Policy Objects container right below the Users and Computers container
- Then, the administrator finds a desired GPO manually or by using the search, and performs either the restore or export procedure (figure 1)
Hint: As an option, the administrator can compare GPO attributes with the production state and see what exactly was changed (figure 2).
Additional improvements to Veeam Explorer for Microsoft Active Directory
Besides that, in the same version 9, Veeam Explorer for Microsoft Active Directory added support for the recovery of:
- Active Directory-integrated DNS records (DNS integrated into Active Directory and replicated as a part of Domain Services replication)
- Objects in Active Directory configuration partition (Native AD partitions containing forest-wide information about existing domains and sites available services, which come per forest and are replicated to all Domain Controllers)
This is a huge step forward for experienced administrators who know what they’re doing. There is just one small trick you need to know to find this functionality: Within the restore operation, hit advanced features button in the main ribbon to be able to see integrated DNS and configuration partition containers, which are normally hidden by default (figure 3).
With version 9.5, Veeam Explorer for Microsoft Active Directory got something new as well. Since the general release was aligned to the release of Windows Server 2016, we spent a great deal of time making sure you have support for all of the new Active Directory version forests that run in the Windows Server 2016 functional level, as well as other enhancements. Now, using Veeam Backup & Replication 9.5, you can restore the following AD items (in addition to those previously mentioned):
- Objects from forests running in the 2016 functional level and using Windows Server 2016 Directory Services for Active Directory (including user and computer account password restore)
- Expiring links (export to LDF file, not available with LDIFDE utility, is included)
That is, obviously, great for new installations that are running all DC on Windows Server 2016 or Azure mixed domains. And the coolest part is that all of the above is working right out of the box, and you don’t even need to do anything extraordinary.
In conclusion, I can assure you that we were listening to your feedback while developing Veeam Explorer for Microsoft Active Directory, as well as our other products. Write comments below or, even better, vote up the most wanted new feature you’re currently missing on Veeam forums, so we’re able to adjust our program development and provide you with new functionality in future software releases.
Have a great time managing your Active Directory better with Veeam!