Active Directory: Best Practices for Administration and Backup

Speakers: Sander Berkouwer, Andrey Zhelezko
Published: March 2020

Active Directory is the basis for every Microsoft-oriented networking environment. However, it’s not always a solid basis.

With thousands of network environments under their belts, Sander Berkouwer (Microsoft MVP) and Andrey Zhelezko know their Active Directory.

This webinar shares their experiences, so you can benefit from their best practices, including:

  • Rolling out fine-grained password and account lockout policies
  • Implementing LAPS
  • Leveraging the Protected Users group
  • Cleaning up stale objects
  • Using the Active Directory Recycle Bin
  • Putting Veeam Backup & Replication to good use

Following their best practices results in better sleep, knowing your Active Directory is more secure and resilient than ever.

You’ll learn the nitty-gritty details of the security features added to AD in the past years, and exactly where the Active Directory Recycle Bin stops and Veeam provides better backups and restores.

Video Transcript


Hello and welcome everyone. I really hope that you can hear me and yeah, you've all kind of, you are in a good mood and came here to learn something about Active Directory, best practices for, well, administrating it and probably protecting it. I'm the guy on the right, my name is Andrey. I'm a technical analyst for Veeam® product strategy. And today I'm here with the rock star of Active Directory, Sander. Would you like to say a couple of words about yourself?


A couple of words about myself?



I just said it. Oh wow. Yeah, no, no, no, no. I don't feel like I'm a rock star myself. I just do a lot with Active Directory and Azure Active Directory, and I see a lot of environments where Active Directory admins make their lives harder themselves. And I'm like, why would you do such a thing? So yeah, when you approached me and said, you know what, let's do a webinar on best practices for managing Active Directory and backing up, and of course restoring Active Directory. Yes, of course. Yes. Let's do this. Alright.


Then that's, that's us. We're going to train you for the next 45, 40, probably an hour. We'll see about that, and a couple of ground rules before we actually get started. A couple of things: you're automatically muted. If you have any questions, please do not hesitate to reach out to us. There’s a chat window, you can just click there and you can ask us any questions. So we'll have a couple of stops in between. We'll try to answer them, or we have a dedicated time at the end of the session to actually talk to you about them, and yes, we're going to share the recording of the session. We're going to share the slides because this is something that people are usually asking about. And besides that, there is another thing: we have a poll. We were thinking about entertaining you guys, and I'm going to just go to polls and launch it right now. So, the thing is that we really wanted to ask you about your experience with Active Directory and your current environment right now. So, what's your forest functional level at the moment? There are a couple of answers you can select, and meanwhile, well, once we have enough data I'm going to share it, but just take, I dunno, like 10 seconds and answer it, and then we're going to collect and present it right away, with that in mind of course.


And panelists, panelists can’t vote unfortunately. So, if anyone would be so kind to select the "I just reverted back to a Windows Server 2008 R2 forest functional level", actually for me that would be great fun. Thank you very much.


Yeah, we have 56%, 57% of people voted. That's actually awesome, and while you're doing that, I'm just going to click next and present the agenda that is going to happen for the next hour. So I'm going to hand it over to Sander, and he will talk a lot about the kind of things that are usually considered to be best practices for Active Directory, and things including protecting the expiring passwords, or the Protected Users group, and using the Active Directory Recycle Bin. And he has a lot of information. So just brace yourself, and then we're going to actually switch back to me, to myself, and take a look at Veeam Backup & Replication and the agent and how they are going to help you with your day-to-day duties related to Active Directory. And like I said before, by the end of the session, we're planning to do the Q&A rounds.

Poll results


Yeah. So let's look at the poll results. Andrey, let's see what they've got.


I'm like, do I have to? Yeah, I can share the results right now. But then essentially, oh, that's really interesting. Yep. So, what we'll do is think about those 99% of people who voted for Windows Server 2019.


I think, I think that's ambitious. Yes. Especially since there is no Windows Server 2019 domain functional level or forest functional level. But of course nothing but the latest and greatest for organizations. But yeah, so, so it's, it's good to see that most people are on 2012, 2012 R2 or 2016, and of course if you're still on 2003, 2008 or 2002, let's up that level. Let's raise that level towards something that you might actually need for some of the functionality that we are going to talk about. And as you already pointed out, this is our agenda for today. We've got some information for you that will make your life as an Active Directory administrator easy. And of course, I'll show you what the good things are about the Active Directory Recycle Bin. And Andrey will actually expand on that and tell you, well, you know what, sounds great, but here's Veeam Backup & Replication and we can actually do more.

And, of course, we'll end up with questions and answers. So GoToWebinar has questions built in, where we've got answers built in. And if you ask us some questions, we'll try and answer them. Well, let's get started. And oh, I asked Andrey to give me some, oh, I'm going through. Yeah. And then go ahead. Then I can click, I guess I can. And here we go, because I'm going to start with protecting, and well, we would want to have automatically expiring passwords, but I think we are mostly condemned to expiring passwords ourselves if we don't take advantage of most of the other things. And this is, this is something that is close to my heart, because I see loads and loads of organizations that have user accounts, have service accounts, have a krbtgt account even, that hasn't had their password changed for the last five or 10 years.

Active Directory Passwords


And this might be a true security risk. And there's a couple of new features in Active Directory that I want you to know that you can use to actually tackle this challenge. And the first one is fine-grained password and account lockout policies. So even if you have your users changing their passwords, for instance, every year, or if you use the default settings, every 42 days, you might want your privileged accounts or your Active Directory admin accounts, for instance, to have passwords that expire more often, so that admins need to change their passwords more often. And this way you can actually, mmm, differentiate between your normal users, the more normal users in your Active Directory, and of course your admins and those responsible for the latest and greatest in your organization. And then you can actually have your users change their password,

I dunno, every year, which seems to be the new norm, and have admins still change their password every 30 days. Now, don't get me wrong, this is something that I feel is a best practice. But in the past with Active Directory, what we saw is that if you wanted to differentiate between password and account lockout policies, until Windows Server 2008 you actually had to create a different Active Directory domain with, well, that's the other best practice, at least two domain controllers. Yet now you have to manage two more domain controllers just because you want to differentiate between two groups in your organization in terms of password and account lockout policies. Well, that seems a bit dumb. So Microsoft has introduced in Windows Server 2008 the fine-grained password and account lockout policies, and we've been able to do stuff with those on a command line since Windows Server 2008 through PowerShell.

But there's actually a graphical user interface available since Windows Server 2012, and I'd like to show you that, but you know what, can we, can we shift to the demo environment right away? So, I have a domain controller right here, you can see it right here, for the domain that Andrey and I have come up with for this webinar. And this is actually the Active Directory Users and Computers that most organizational admins use. And I'm just gonna enable, let's see, Advanced Features right here, and in System, what we're seeing is that there's Password Settings right here, but if I go here and I click, then there's not really something that I can do. And that's because this feature is not something that you can use in your familiar Active Directory Users and Computers

Mmm, MMC snap-in. But you can only use it in the Active Directory Administrative Center. So here I've switched to the Active Directory Administrative Center, and I'm just going to click here on Password Settings Container. And now I have the option to create a new password setting. I know what to do. What I'm actually going to do is I'm going to give it a meaningful name, something like that, and a precedence, something that makes sense. And now I'm going to say, you know what? I want people to change their password every 30 days, for instance, for admins.

And then I'm going to click on OK right here, and it's created. Now what's fun is that the Active Directory Administrative Center actually is a shell around PowerShell. So what you're seeing me do is create a New-ADFineGrainedPasswordPolicy right there. And now if I click on it and I say, you know what? I want to make this apply to my Domain Admins or my Enterprise Admins or whatever, but let's click Domain Admins for this domain. Now Domain Admins have to change their password every 30 days. So this is fun. This is very useful. It's not as fun for admins of course, or other people that have to change their password more often, but at least it makes your Active Directory environment more secure. Now, Andrey, if we switch back to the slides, I just want to give you some recommended practices on this.

So, the first thing you need to know is that lowest precedence provides priority. So, the most important one is actually the fine-grained password and account lockout policy with the precedence of one. So, the way you can use it is, and this is something that we do if we onboard a new customer for our managed service, is we create fine-grained policies for 30, 90, 180 and 365 days. And we actually give them that same precedence. So if I assign multiple policies to the same user or the same group, or a user gets different policies through different group memberships, what happens is that the most restricting one will actually have the priority. And of course if you have stricter account lockout settings, or if you have more passwords remembered or something like that, you give them a lower precedence to keep that model in shape. And of course, when you assign, ah, you have to disable "password never expires" on accounts, because if the "password never expires" option is enabled for a user, that user will never have to actually change the password. The password and account lockout policy won't do anything to help with that.

So, real-world recommendations right here in this webinar. Let's talk about a second tool, and let's talk about, I don't know why the slides aren't moving. Let me try it this way. Here we go. Let's talk about the Local Administrator Password Solution. So this is not something that is built into Active Directory or built into Windows or built into whatever tool you're using today. You have to separately download it and install it and roll it out for it to work. But its magic works wonders for your security. And I actually had a consulting job with an organization that had previously had some of their laptops stolen, and this was a high-security environment, and they didn't have the Local Administrator Password Solution. So what they had was all laptops had the same local administrator password. So, if someone would have a laptop, then used a third-party tool to actually get to the password or crack the password, then he or she would have local administrator rights on all the laptops in that environment.

And this is something that you certainly don't want. What you want is administrative passwords for all your devices that are different for all your devices, except for domain controllers, because domain controllers don't have local administrators. Domain controllers have an account for the domain admin, the built-in domain admin, and if you install the LAPS client-side extensions on a domain controller, you would get very weird results. The way that LAPS works is through a client-side extension, and you just install the client-side extensions to all devices in scope, and then they will talk to your Active Directory. Your Active Directory needs to be prepared for that, so there's a schema extension as well. And then all the devices by default will change the local administrator password every 30 days. And as an admin, if you need to get local administrative privileges, if you need to log on with that account, then all you have to do is start up the LAPS UI, and you can install that on the domain controller without problems.

And then just type in the device name and you'll get the local administrator password for that device. There's a couple of recommendations: so don't run the LAPS client-side extension on domain controllers. As I said, that will become very vague, very fast. Well, these rotate every 30 days. Do not use additional local admin passwords on domain-joined devices. So, as you spin up the group policy for LAPS, it will actually ask you for the local administrator password that you want, the local account that you want the password to rotate for. Now if you have multiple accounts on those devices, LAPS can only work with one account, and if you have multiple accounts on the same device that have the same password for all the other devices, then you still have the same problem, so don't do that. And of course if you are used to using group policy to set local administrator passwords for groups of devices, then Microsoft really wants you to know that this results in passwords being stored in SYSVOL. As a normal human being, we won't be able to actually read those passwords. Microsoft doesn't store them in clear text, but they are merely encoded, and there are certain PowerShell scripts available out there that actually tell you which paths, which group policies, contain which passwords for functionality like this, and every user is able to actually run those PowerShell scripts. So that truly undermines your security posture as an organization.

Now that we've got LAPS and the other passwords done, what you actually want to think about next is group managed service accounts, because we can have service accounts in Active Directory that operate and work just like any other normal service account that you use to run a service, but then have it change its password every 30 days by default as well. And then if you really are interested in that, and most organizations are, you can actually limit the servers where the service account is actually able to provide its services. So it won't be able to log on interactively anywhere, which is what you want for a service account. But you can limit the scope of a group managed service account to just one server. And if you have the Windows Server 2008 R2 domain functional level or up, then you will have automatic service principal name updates.

So, the service principal name is something that limits that group managed service account. And if you rename the server, for instance, then the group managed service account functionality may break. But if you have a Windows Server 2008 R2 domain functional level or up, then Active Directory takes care of all that. So Andrey, let's, let's show it. Let's go to the demo environment and show them, because I've got some great managed service accounts in this Active Directory. And you know what, let me first show you in Users and Computers, because they're here as well. I have to scroll up a bit, but here's the Managed Service Accounts container, and here are some of my group managed service accounts. Now I'm a lazy admin myself, so I didn't add a description, but let's look at one of those managed service accounts. And actually let's right-click it and ask for its properties.

And what you'll see is that there's not much use here for the group managed service account. What you actually want to do is go into the Active Directory Administrative Center and here go, go look. And here you'll find the same tabs, but you can actually use New and then Group Managed Service Account to create the principal names that I just talked to you about. Let's, let's look at that. So, here's a group managed service account for ADFS, and its service principal name attribute actually tells it that it is only allowed to log on, or actually to run a service, on adfs.idabrose and the ADFS farm for this environment. So it can't be used to log on interactively anywhere, but you can ultimately run it to run services securely without having to wonder about how often you need to manually change the password, or how to actually do that, how not to break your services but still be secure.

Using the Active Directory


So Andrey, let's switch back and let's talk about some, some other things that you can do as an admin to use Active Directory more easily. So, the Protected Users group and other protections are really good things that you can use, and the Protected Users group is something that you can use to secure accounts in your Active Directory. The Protected Users group will actually eliminate some of the things that you can do with your account. So, for instance, when you make an account a member of that Protected Users group, what happens is that now, and let's see what happens. I don't know what Andrey is doing, but I wasn't clicking. So let's, you got some great preview now on what we're going to talk about in the session. But for instance, what happens is now the TGT lifetime is limited to four hours instead of 10 hours, and the TGT renewal period.

So, the amount of time that you have to log on interactively again, if you don't end your session manually, is the same four hours instead of seven days, and you will no longer be able to use NTLM and stuff like that in environments with a Windows Server 2012 R2 domain functional level. So, if you want to take advantage of that, then please make sure that your Active Directory is going towards that domain functional level. Now there's a couple of tips that I want to give you, so your environment will have to run Windows Server 2008, I'm sorry, Windows 8.1 and up or Windows Server 2012 R2 and up. And if you do not meet that requirement, you will not be able to log on with the user account that is a member of the Protected Users group anymore. You will just receive an error that says, you know what, you can't log on here because we're secure over here.

Don't make service accounts, managed service accounts or group managed service accounts members of the Protected Users group, because these accounts typically use Kerberos constrained delegation, and membership of the Protected Users group actually breaks delegation, because this is something that has some risks associated to it. The protections in the Protected Users group are non-configurable, so don't lock every admin out. Make sure that if you're testing with this that you have at least one admin account that you don't make a member of the Protected Users group. And of course we've got authentication policies and policy silos if we want to granularly provide the same protections as the Protected Users group but don't want to have all of them apply. Authentication policies and authentication policy silos will give you a way to actually more granularly target systems where you want protections to apply, and you can have more granular settings.

For instance, for the TGT lifetime and TGT renewal settings. And the authentication policies and policy silos can only be managed, of course, in the Active Directory Administrative Center and not in Active Directory Users and Groups, just like, well, basically all the things that I've been talking about until today. And now we get to the really interesting part, which is the Active Directory Recycle Bin. So before the Windows Server 2008 R2 forest functional level, before you actually implemented the Active Directory Recycle Bin, what happens when you delete a user is that it's actually in a deleted state and stripped of, well, for instance, every group membership and stuff like that, and Mark Russinovich has actually launched a tool, ADRestore, that you can use to restore those objects back. But the only thing you would actually restore is the security identifier for that user, but not its memberships.


And as Microsoft's recommended practice is to, well, for most things, use groups in your permissions structure, you would have your user back with the same security identifier but not its membership to those groups with the security identifiers in the access control lists and the access control entries in your permission structure. So you've got some things back but not everything. So, the way deletion works in Active Directory is when you delete a user, what happens is that it gets tombstoned. So as domain controllers communicate to each other and replicate to each other, they will need to have some objects that they can reference to actually replicate certain changes.

So, if user objects, and I've deliberately taken user objects here because this is what most organizations use the Active Directory Recycle Bin for, but you can also use it for organizational units and for devices as well, as you disable, or as you delete a user object, it gets a special flag. So it gets all its attributes stripped and it gets a special flag that says, you know what? This object is tombstoned. So, as the domain controller replicates out, it can say, this is the object that I've tombstoned, please tombstone it yourself as well. And that will make sure that the object doesn't show up in your management tooling anymore. And it restricts signing up and signing in with those accounts. And of course, you can reanimate or restore them, but as you reanimate them, you will notice that you will have most attributes and group memberships missing, and each and every domain controller in your environment will respect the tombstone lifetime period, which is 60 days if you have a really old Active Directory environment and 180 days if it was set up with Windows 2003 Service Pack 1 or Windows 2008.

And after those 60 or 180 days, what will happen is that each domain controller individually will run the garbage collection process every 12 hours and actually remove the user from the database, and that's when the user object is actually deleted. And then it's done, done. There's nothing we can do about it anymore. We can't reanimate it anymore and we can't do anything with it anymore. So there's a 60 to 180 day period when you can reanimate objects in the old model, but it's painful and you don't get everything back. And with the Active Directory Recycle Bin enabled, what happens is that as you delete a user, it becomes a deleted user.

It's a deleted item, actually, in Active Directory. Now it doesn't show up in your organizational unit or container where the user lived. It now shows up in the deleted items container. And from there you can actually restore it, but with all its group memberships, with all its attributes, with everything attached to it. Now of course there's a specific time period where you want to do that. And by default it is the same as your tombstone lifetime period. So if you have, or still have, the 60-day tombstone lifetime period, you will also have a 60-day period in which you can actually undelete an item from the deleted items container. But after that period, we get into the same process with tombstoning. And after that tombstone lifetime period, again, the user is actually disabled, deleted, in a deleted state in Active Directory, and you can't do anything about it anymore.

Active Directory recycle bin


So, there's a couple of things that happen with the Active Directory Recycle Bin. And for instance, one of the things is that as you enable it, you can't disable it afterwards. And that's because the entire Active Directory forest needs to obey the new rules, so that you can, mmm, straightforwardly undelete and restore objects, and not on one domain controller you can, or in one domain you can, and in the other one you can't anymore. The Active Directory Recycle Bin applies to users, to devices, to organizational units, to password policy protection, to password account policies and stuff like that. So, let me just quickly show that, Andrey, and it will be my last demo before I hand it over to you. So, I've got some, let me go to System again and the Password Settings Container, where I've got some password settings here. As I delete the password settings, what will happen is that, oh, I don't have sufficient, that's interesting.

So, let's look it up. It's got "protect from accidental deletion" enabled by default, which is interesting.


Oh yeah, I was going to ask about that. That's actually, that's a good thing to show.


Yep. So that's why it's part of this demo. So I actually can't delete it then. Now I can, and let's, let's delete it. I'm really sure. And then what will happen is it will show up in my Deleted Objects right there, and I can actually right-click it and say Restore or Restore To. Now with a password container object, it's not really obvious that you want to restore it anywhere, because it can't live anywhere except in that specific container. So here I can only do Restore, but of course with a user or another organizational unit or a device, you can restore it to a different location. And as you can see, it's right back here, and it even has most things attached to it. So you can continue and do that. I don't think I clicked OK on the Domain Admins. Just let me, let me see. Nope, I didn't click OK when I set it to Domain Admins. So it's been restored with all its settings. Now Andrey, let's go back to the slides, and I guess I need to hand it over to you, and I'm asking you to show the additional value.

Third-party tools


Yeah. Thank you so much. Alright, so with that in mind, let's switch to some other, like, third-party tools such as Veeam Backup & Replication, because this is one of the things that can help you to provide the additional layer of protection over the standard tools, the default ones. And, well, I have just a brief slide about Veeam. I'm very sure that you know us and you know who we are and what we do, but basically we're a company with around 15 years of, yeah, data protection, we're focused on it. We strive to deliver Cloud Data Management™ these days, but then we actually haven't forgotten what we started from, and what we started from is the virtual machines and the things that are really important for the day-to-day operations for the backup administrators, including Active Directory. And if you ever were wondering about Veeam, we are simple, flexible and reliable.

Those are three major things that you should really think about or remember about us, and with all the demonstrations that I'm going to show you, it's like every one of them should be simple, flexible and reliable. And if it's not that, then we're doing a pretty terrible job and you should kind of let us know about it. Okay, so let's actually switch to data, well, to the Active Directory data protection cycle, and then I wanted to quickly show you an environment which is on the left side of the screen. The environment could consist of the virtual domain controllers and the physical controllers. It actually doesn't matter. What matters for us, and for you, so to speak, should be to be able to do the backup of the data. And I'm talking about the whole Active Directory and the whole domain controller, or a bunch of them, to protect them.

And so how you can do it is by installing Veeam, either Agent for Windows, which is really good for physical domain controllers, or Backup & Replication, which actually has the Veeam Agent for Windows built in, or it actually works for the virtual machines for vSphere and for Hyper-V. And what you have to do there, and I'm going to show you a couple of demos later on, you have to go there and you have to just enable one small but really important option: application-aware processing. And once you do that, we take care of the data that is inside of the virtual machine, because we have this special logic to actually detect the domain controller services and to be able to prepare it for a later recovery, if that's going to happen. Once you have the backup of the domain controller, there is also another important thing you can do there: you can actually verify the recoverability of that backup. And for that, well, I'm going to have an additional slide, but there is a certain functionality named SureBackup®. It allows you to create an isolated copy of the environment next to the actual environment, but at the same time not messing up with production, and then to be able to check how your domain services or domain controllers would be running in case of disaster recovery. And for the actual recovery, or for the granular object recovery, you can use Veeam Explorer™ for Active Directory, which is also included in Veeam Backup & Replication, and all of those I'm going to show you in just a couple of seconds.

Alright, so for the application-aware image processing, I just briefly wanted to mention that of course we rely on VSS, and Active Directory is something that was developed by Microsoft itself. They have the VSS writers developed for the services. And so once we actually get to the domain controller, we talk to the VSS services, we prepare, we talk to the writers and we tell them that it's time to flush all the data and it's time to be in a consistent state, because if you don't enable application-aware image processing, the backup of the domain controller will be crash-consistent. And this is probably not something that you want to deal with later, because it might backfire. You just don't want to see that. For the DataLabs, for the recoverability or verified recoverability, I wanted to show you the simple graphics, how you can actually imagine that system to work.

So, imagine again you have the virtual environment with a backup storage somewhere, and you have the backup files, compressed, deduped, all that. But then you actually need to check what is going to happen if you have the event of disaster recovery, and how you can do it. You can dedicate a part of your environment and create the isolated virtual lab there. We use a separate kind of network appliance, which is a tiny Linux VM, and then it does all the routing and is going to actually isolate that virtual lab from the production environment. And so, what's then going to happen is that if you enable an application group, which is the group of virtual machines that are interdependent with each other, let me give you an example of the domain controller and SQL Server and Exchange Server. And you know that you cannot just simply start the SQL Server without the domain services being in place.

So for that you would go to Veeam, you would enable the notion of application groups, you would put all the interdependent VMs together and then you will create the SureBackup job, which will allow you to actually run those VMs in an automatic way and to check the VM itself, whether it could be booted up, the operating system that is running inside the VM, and the application itself. And in terms of the domain controller, you have the options there to either check, let's say, the 389 port, whether it and the services are started, or to inject the manual script and run some, I dunno, query. And so you would be sure that all that happened successfully. And then after that you will receive the report that the SureBackup job ran fine and it successfully checked everything that you wanted to check.

Okay. This is for recoverability, for verified recoverability in an automatic way, and then the Explorer for Active Directory, and in just a minute I'm going to show you how it works, but essentially it's an addition to the main software, to Backup & Replication, and it's specifically the tool to provide you with a simple view into the Active Directory, all the data that you have there, so you can compare it with the production, and this is basically a really good advantage of this specific tool. And then to recover anything that you want to, and to be as granular as the individual objects there. And then if you click on the advanced settings, you will be able to see the GPOs and the DNS records and the schema partitions, all that.

All right. I just wanted to briefly tell you about the whole kind of event where you have an issue with the Active Directory and then you need to recover the domain controller. On the next slide I'm going to show you what exactly would happen, but let me bring you a couple of situations here. So if you have the multiple domain controllers environment and then one of the DCs failed, so probably it's not a big deal and it happens kind of regularly, but then what you have to do is you have to rely on Veeam, because if you have the backup done with Veeam, with Veeam Backup & Replication, we already kind of anticipated the issue and by default we're going to do the non-authoritative restore and automatically reboot the domain controller. Well, first of all it's going to be put into DSRM mode and then into the regular mode, and then it would be just receiving all the information from the other domain controllers there in the domain.

Imagine the situation when actually everything failed and you're trying to rebuild the whole Active Directory services there, and so nothing has survived, but then you don't have to rebuild everything from scratch. Obviously you want some data to be just recovered from the backup, and for that, obviously, well, you're not lucky, and I really hope that you are not going to deal with it, but then most likely what you'll have to do is you'll have to perform an authoritative restore of one of the domain controllers. You have to, well, read the knowledge base article, because it really depends on whether you are using the DFSR services or if you're still on FRS replication, and then depending on that, the recovery process would be different. The next imaginary situation is that you have the corrupted Active Directory, and just some data is corrupted, and so you then have to recover everything.

You then have to recover multiple domain controllers, but you have to recover one and kind of render all the existing data obsolete. So for that you would do, well, you would do the authoritative restore, and then we would actually force the domain controller by using the ntdsutil utility or something like that to actually be the original source of the data and to replicate the data from this particular backup. Anyways, I guess what's really important about that is we have all those things, the commands you can use. I'm just having this slide here because I really wanted to have it, because we are going to share the slides and it would be much easier later on for you to click things and to see the instructions, but then we have the best practices for backup and recovery.

We have the best practices for recovering the domain controllers, like I told you before, whether you're using different replication mechanisms, so you just click there and you see the appropriate situation, what happened to you, and you just follow the rules, because this is something that people have been asking us for, for ages. And then we have, well, Sander and another colleague of mine, Timothy, did a really great deep dive into Active Directory a couple of years ago and they checked it recently. I do not really think that it's obsolete. It's still valid. All the information that they provided, it's really great. I'm talking about the third item here, and then if you're concerned about the granular recovery of Active Directory objects, you can check my white paper, because I wrote it, at my expense, well, definitely some time, to cover all the nuances of recovering the particular objects there.

Demo of Veeam Backup & Replication


All right. With that, let me briefly switch to my environment, let me show you around so you'll be familiar with Veeam Backup & Replication. So I'm running Veeam Backup & Replication here and this is, well, this is the flagship product of ours, and it all starts with the notion of the backup job. So if I get the mouse here, that would be an interesting challenge. No, I don't think I have it. But then okay, I don't see it, then I can click somewhere. That's really interesting. So, what I'm going to do now, I'm going to, oh, there you go. Having the mouse back. So, you go here and then you create the backup job. I'm just going to quickly show you what you should be really worried about. So for the virtual machines, on the second step you have to include the domain controller or basically all the environment.

It really doesn't matter what exactly you're going to include here. But then the most interesting part, if you are concerned about Active Directory protection, is this particular setting. I told you before about it. So, we have to enable application-aware processing and there you go. You don't have to actually click on Applications. You don't have to go anywhere, because if you do, you can select your domain controller and then there won't be anything interesting for you, probably, except the Scripts part, where you can actually provide it with the PowerShell scripts to include there. And so, it would be automatically pushed from the backup server to the domain controller and it would be executed there. And then after that the backup would be done. But besides that, it doesn't actually require you to have any scripts whatsoever. You just enable application-aware processing and there you go.

So as long as you do that, you can then come to the backups that are on disk and then you can see my domain controller here. And so, if I right-click on it and come to the restore of application items, I can already see that my Microsoft Active Directory objects are ready for me. So I can do the granular recovery for them. And then when I click Finish, it will essentially bring me the Veeam Explorer for Microsoft Active Directory with my Active Directory database automatically mounted here. If I did not enable application-aware processing, it would not know about my database. But regardless of that, I can just come here and add it manually, because I need to know the placement of the DIT file and then I can just go there and add it manually. But most likely I don't have to do it right now.

So, you can see by default, like I told you before, the users and computers and the GPOs, obviously. If you want to be really advanced, you can click on Advanced features here and to have also the integrated DNS records, the configuration partition, schema, for the users and computers. Let's actually click somewhere and let's see. I guess the most interesting part of it, especially if we have to compare with the Active Directory Recycle Bin, is that you can actually compare with the production. And so by clicking here, I'm just going to compare it with the production. Okay. It seems to be fine, but then I would really love it to show me just the changed objects. Okay. Those are two objects, and I actually think I need to have more than that. So I'm just going to my domain controller and I'm going to delete someone.

Like this particular user. I don't like Aaron for some reason. Okay. So with that I need to actually refresh it. So it's going to check the current situation on my domain controller, and now you can see that Aaron is different these days. And so there is the item status: Tombstone. I don't have the Recycle Bin enabled, so it was tombstoned automatically. So I can just view the attributes, I can see all the information there, even though part of it was stripped already. And then what's interesting about that is I can actually, let's actually compare the attributes. You see the object has been tombstoned, and now probably I need to recover it back to the original location, or I can export it and just read it. If I have time, then let's actually restore it back. Alright. Restore summary, easy, so it was successfully restored. I can see all the information which is here for all the users. And the most interesting part is that even the user's password was restored. So if I come back and if I just refresh, you should be able to see my, come on, come back.


Yeah, you should be able to see Aaron being back here. So if Aaron is that person that is coming to the office and just trying to log in, but, you know, his account was deleted for some reason and he could not log in properly, and so he was panicking and screaming all around. But right now he should be able to just come back to his working environment and just log into the environment. So that's one of the, I would say, benefits of having this solution in place. So, users are, yeah, you know, really giving you a hard time. Okay. With that, I know that Sander wanted me to emphasize here the LDAP filter, but we don't have that much time, so just while it's here, then perhaps a couple of words you can, yeah, you can say about that.


Yeah. Sorry. I will. That filter is really, really strong. So I once had a project where I had to restore stuff as well. And actually I wasn't even the one deleting it. Not even one of my project team lead or members. But that's okay. And what I needed was to restore everybody but not people that were no longer visible in the global address list in the Exchange server. And this is actually an attribute in Active Directory, and with the LDAP filter we were actually able to filter out those accounts so that we didn't have to restore them. Really, really useful at that time. And I think that there's many more scenarios where you'd actually want to use that filter.


Definitely. But like I said before, we don't have that much time to actually show it around. So, I'm going to close the Explorer for Active Directory. And the last thing I'm going to show is that, yeah, remember I was saying the things about the application group and the ability to check the recoverability of things. And so, this is the place in Backup Infrastructure. This is the SureBackup to check the recoverability of data, and the application group is something that's, again, I mentioned a couple of interdependent VMs, and for one of them, for the domain controller, you can just click on Edit and yeah, this is really important here, because you can manually select the role of the particular virtual machine, whether it's a DNS server or the domain controller or the global catalog server. You can just select it here. So what happens after is that we are going to check all the services once this particular VM is brought up in the isolated environment; we're going to automatically check those services, if they're running, if they're running fine. So with that you'll be sure that in case of disaster you will have the valid copy of the data of the domain controller. And so whenever you need to actually recover it, you will be able to. Okay. And again, not really much time right now. Let me actually, I think I can conclude the demo for now and we can take the questions, because we have a couple of questions and I would love them to be answered. Sander, what about you?



Yeah, definitely. Yes. So obviously, because Active Directory is so straightforward, the two most important questions that we got were on Veeam. So one of the things there is the licensing of SureBackup and data labs.


Okay. If we're talking about the SureBackup and the data labs, those are kind of the perks that are coming with the Enterprise and then the Enterprise Plus version. But essentially you'll need the Enterprise edition of Backup & Replication to have it in place. If we're talking about the Explorer for Active Directory, it's even included in the free version, which is not free anymore. We call it the Community Edition version. And this is basically the standard functionality right now. So with that you have all the options except recovering back to the original location. So, for that you could recover things granularly, different objects, and then kind of use it as, I dunno, like a temporary stage for recovery. But if you need the convenience of the recovery to the original place, you would go with the Enterprise or Enterprise Plus edition. And if we're talking about the instance licensing, that is, well, it's not instance, it's universal license, for the moment it's a kind of new concept that we have with Veeam. It also comes with the Enterprise Plus edition. So if you're just starting with it, you will have all the perks that you need.

Right. Anything else Sander?


Yes. So, one of the other things is a question that someone has about replication and replication jobs, and I don't have much experience with those, because that feature is not available on Hyper-V but, well, from Veeam. But I'm really glad that you specifically tell people to check the application-aware processing box. So the question is: of course we have to enable that checkbox when we back up the domain controllers. Do we also have to check that box if we replicate servers?


Yes. So the backup and replication mechanisms, they're sharing the same logic. And then if you replicate the domain controller, then yes, just enable that application-aware processing. So we are going to prepare them. I guess this is the most important part. We're going to prepare the domain controller, well, the data being in a backup, for the potential recovery. So next time the data, the domain controller, would be recovered from the backup file, it will already know that, okay, there was the backup that happened with it, and so it should behave properly. So this is one of the good things about the application-aware processing itself. So we are preparing the domain controllers for the potential recovery and yeah, for both, for backups and replicas. Awesome.


Alright. And the other question that really stands out is: is Veeam available for cloud infrastructure?


Well, yeah, it's an interesting one. Yeah.


I mean, I think the wording is interesting. Yes. So let's dive into that. So what is cloud infrastructure? If we're talking about domain controllers that are running as virtual machines in Microsoft Azure or Amazon AWS, then I guess the answer is yes, because you can use the Veeam Agent for that.


Yeah. Well, you can use Veeam Agent or you can use the newly released Backup for AWS and the soon to be released Backup for Azure to replicate them. But I'm really curious about the question, whether we, you know, interpreted it properly.


Yeah. So the other way that the question could have been asked is: can I use Veeam to back up to cloud storage?


Well, the answer is yes. With the newest versions, or for a couple of years already, we support, we have the Cloud Connect program to support all the partners of Veeam, participants of the Veeam Cloud and Service Provider program. And also the object storage, the public ones being AWS S3 or Azure Blob or IBM object storage or S3-compatible storage, then yeah, you can bring the data there, and in case something happens with your physical infrastructure, you can bring it back from the cloud to actually run everything back.


Yep. So another question that we just received was: why is there no Windows Server 2019 forest functional level for Active Directory? Yes.


You have to take that one.


Yes, yes. So, we don't just get Veeam questions. We also get Active Directory questions. Yeah, perfect. So Microsoft has wanted to do away with domain and forest functional levels, because they are a pain to many Active Directory admins, so whenever they release new features in Active Directory they always try to not make it something that is dependent on a forest functional level or domain functional level. And to say it politically: there are no new features in Active Directory in Windows Server 2019 that require a domain functional level or forest functional level. The other way of saying it is shorter, and it says there are no new features in Active Directory in Windows Server 2019, which is also, at least for the largest part, true. There are some things that have changed under the water, but there's not a lot of changes in Windows Server 2019. Of course that's just one of the ways that a domain functional level or forest functional level is actually used. The other way is that it helps admins to prevent other admins from introducing domain controllers with a lower Windows Server version. But as there are no new features, it doesn't really matter if your domain controllers run Windows Server 2016 or Windows Server 2019.


I guess to conclude, it would be that Microsoft finally decided to give, to me it was a good time, you know, not to learn a lot of new things related to Active Directory. And so if we know the best practices for, I dunno, for 2016 or 2012, it would be still the same. It's gonna be still the case, probably, probably like that. And with that information, I know we're at the top of the hour and people are busy these days, so thank you very much everyone for coming. And like I said before, all the recordings and slides are going to be distributed to you later on. And again, I wish you a really nice day and thank you for watching us. Thank you.


Thank you. Bye bye.

Duration: 1:03:15
