Restoring Group Policy Objects (GPOs) with Veeam Explorer for Active Directory

Original author: Andrew Zhelezko
To conclude this series of articles on backing up and restoring Active Directory, I would like to look at the Veeam Explorer for Microsoft Active Directory functionality included in Veeam Backup & Replication versions 9 and 9.5.

Note that the Veeam Explorers tools are updated with every release of Veeam Backup & Replication. So, first, always check which version you have in order to understand which set of features you will be dealing with. Second, I recommend making sure that the most current supported version of the Veeam products is always deployed in your infrastructure.

So, read on.



A bit of history


As many will remember, Veeam Explorer for Microsoft Active Directory first appeared as part of Veeam Backup & Replication version 8. Initially, it was designed to handle the most common Active Directory recovery tasks: it could recover objects, containers and user passwords, and export data in LDIFDE format.

All this was good, of course, but, as always, administrators wanted more. We collected feedback on the product in online communities and forums, and users readily suggested new features and described the less trivial tasks they have to solve in everyday work. For example, it turned out that, in addition to routinely adding users and computers to the domain and removing them, administrators occasionally need to restore a Group Policy Object (GPO) and/or an Active Directory-integrated DNS record. As a result, starting with Veeam Backup & Replication version 9, this functionality was included in our solutions.

Getting down to recovery


Important! Before you begin, make sure that you are working with Veeam Backup & Replication 9.0 or higher, and that you have a correctly created backup of the domain controller (how to create one for a virtualized domain controller using Veeam was described here).

The recovery procedure is very simple:

  1. In the Veeam Backup & Replication console, select the desired backup, and then in the Restore command group select Application Items - Microsoft Active Directory;
  2. Specify the recovery point you want to restore from;
  3. Veeam Backup & Replication mounts it on the backup server, retrieves the Active Directory database and the SYSVOL directory from the backup, and automatically opens them for browsing in Veeam Explorer for Microsoft Active Directory;
  4. If everything went as planned, then on the left, in the hierarchy tree under the Users and Computers container, you will see the Group Policy Objects container;
  5. Find the GPO you need (you can use the search) and restore or export it by selecting the corresponding menu item.



Useful: You can enable the Compare selected object mode and select View attributes to see the differences between the GPO in the backup and the one in production.
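The same kind of attribute comparison can also be done outside the console on exported data. The following is an added example, not code from the original article or from Veeam: it assumes you have two LDIF-format exports of a GPO's `groupPolicyContainer` object (for instance produced with `ldifde`), one taken from the backup and one from production. The function names and all sample values are hypothetical, and only the Active Directory attributes are compared, not the SYSVOL contents.

```python
import base64
import re

# Attributes that change on every write or export; ignored here to cut noise.
IGNORE = {"changetype", "whenchanged", "usnchanged"}

def parse_ldif(text):
    """Parse LDIF into {dn: {attr: [values]}}; handles folded lines and base64 values."""
    text = re.sub(r"\r?\n ", "", text)                 # unfold continuation lines
    entries = {}
    for record in re.split(r"(?:\r?\n){2,}", text.strip()):
        attrs = {}
        for line in record.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):                  # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            else:
                value = value.strip()
            attrs.setdefault(name.lower(), []).append(value)  # names are case-insensitive
        dn = attrs.pop("dn", [None])[0]
        if dn:
            entries[dn.lower()] = attrs
    return entries

def diff_gpo(backup_ldif, production_ldif):
    """Return {dn: {attr: (backup_values, production_values)}} for attributes that differ."""
    backup, prod = parse_ldif(backup_ldif), parse_ldif(production_ldif)
    report = {}
    for dn in sorted(set(backup) | set(prod)):
        b, p = backup.get(dn, {}), prod.get(dn, {})
        changed = {}
        for attr in sorted((set(b) | set(p)) - IGNORE):
            before, after = sorted(b.get(attr, [])), sorted(p.get(attr, []))
            if before != after:
                changed[attr] = (before, after)
        if changed:
            report[dn] = changed
    return report

# Constructed sample exports: the domain, GUIDs and values are made up for this example.
DN = "CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=example,DC=test"
PATH = r"\\example.test\SysVol\example.test\Policies\{11111111-2222-3333-4444-555555555555}"
BACKUP = (f"dn: {DN}\nchangetype: add\ndisplayName: Workstation Baseline\nversionNumber: 7\n"
          f"gPCFileSysPath: {PATH[:40]}\n {PATH[40:]}\nuSNChanged: 20481\n")
PRODUCTION = (f"dn: {DN}\ndisplayName:: V29ya3N0YXRpb24gQmFzZWxpbmU=\nversionNumber: 9\n"
              f"gPCFileSysPath: {PATH}\nuSNChanged: 30990\n"
              "gPCMachineExtensionNames: [{AAAAAAAA-0000-0000-0000-000000000001}]\n")
```

Calling `diff_gpo(BACKUP, PRODUCTION)` on the constructed samples reports only `versionNumber` and `gPCMachineExtensionNames` as changed; the folded path and the base64-encoded display name compare equal once decoded.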



In addition, starting with version 9, Veeam Explorer for Microsoft Active Directory can recover:

  • Active Directory-integrated DNS records (DNS records that are stored in Active Directory and replicated as part of Domain Services replication);
  • Objects in the Active Directory configuration partition (the AD partition that contains information about all domains, sites and services within the forest; each forest has one such partition, and it is replicated to all domain controllers).

By default, the display of these objects in the Veeam Explorer console is turned off. To enable it, click Advanced Features on the Home tab.



What's new in version 9.5?


Of course, version 9.5 also brought new features. In it we added support for Active Directory forests operating at the Windows Server 2016 functional level. In addition, we implemented restoration of such useful objects as:

  • Objects of forests running at the Windows Server 2016 functional level and using Windows Server 2016 Active Directory Domain Services (including password recovery for user and computer accounts);
  • Expired links: these can be exported to an LDF file, something the LDIFDE utility cannot do.

These features will certainly interest those whose domain controllers are running on Windows Server 2016, as well as those who use the capabilities of Azure to create hybrid domains. The best part is that they work without additional tricks and intricate settings, right out of the box.

In conclusion, as usual, I urge you to leave your wishes, comments and suggestions on the work of Veeam Explorer (and not only) in the comments and on the Veeam forum.
