Backing up domain controllers with Veeam

    Microsoft Active Directory is the standard in any infrastructure where user authentication and centralized management are required. It is almost impossible to imagine how system administrators would manage their work without this technology. However, Active Directory brings not only great benefit but also great responsibility, requiring considerable time and an understanding of how it works. So I present a series of articles on how to successfully back up and restore Active Directory using Veeam solutions. In particular, I will explain how Veeam makes copies of domain controllers (DCs) or individual AD objects and, when necessary, restores them.

    To start with, in today's post I will cover the backup capabilities that Veeam provides for physical and virtual domain controllers, and what you need to keep in mind when backing them up. Details under the cut.



    Active Directory services are designed with redundancy in mind, so the usual backup rules and tactics must be adapted accordingly. Reusing the backup policy that already works for your SQL or Exchange servers would be a mistake here. Here are some guidelines to help you design a backup policy for Active Directory:

    1. Find out which domain controllers in your environment hold the Flexible Single Master Operations (FSMO) roles.
      Useful: a quick way to check from the command line is netdom query fsmo
      When performing a full domain recovery, it is best to start with the domain controller that holds the largest number of FSMO roles; this is usually the server holding the PDC Emulator role. Otherwise, after recovery you will have to seize the appropriate roles manually (using the ntdsutil seize command).

    2. If you only want to protect individual objects, you do not need to back up every controller on the production site. To restore individual objects, one copy of the Active Directory database (the ntds.dit file) is sufficient.

    3. You can always reduce the risk of AD objects being deleted or modified, whether accidentally or intentionally. Recommended measures include delegating administrative authority, restricting access with elevated rights, and replicating to a backup site with a predefined delay.

    4. It is generally recommended to back up domain controllers one at a time and to schedule the jobs so that they do not overlap with DFS replication, although modern solutions can handle this problem.

    5. If you use a VMware virtual environment, the domain controller may not be reachable over the network (for example, it sits in a DMZ). In this situation Veeam switches to a connection through VMware VIX and can still process this controller.
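    The recovery-order check from guideline 1, as an added PowerShell example (not from the original post or from Veeam). It assumes the RSAT ActiveDirectory module is installed and the account can read forest and domain properties; it ranks every domain controller by the number of FSMO roles it holds, which is the same information netdom query fsmo prints, but already sorted for the restore sequence.

```powershell
# Added example: rank domain controllers by FSMO role count (restore the top row first).
# Assumes the RSAT ActiveDirectory module and read access to the forest (assumption, not Veeam code).
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    $forest = Get-ADForest
    $roles  = @()

    # Forest-wide roles: one holder each for the whole forest.
    $roles += [pscustomobject]@{ Role = 'SchemaMaster';       Holder = $forest.SchemaMaster;       Domain = $forest.RootDomain }
    $roles += [pscustomobject]@{ Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster; Domain = $forest.RootDomain }

    # Domain-wide roles: three per domain in the forest.
    foreach ($domainName in $forest.Domains) {
        $d = Get-ADDomain -Identity $domainName
        $roles += [pscustomobject]@{ Role = 'PDCEmulator';          Holder = $d.PDCEmulator;          Domain = $domainName }
        $roles += [pscustomobject]@{ Role = 'RIDMaster';            Holder = $d.RIDMaster;            Domain = $domainName }
        $roles += [pscustomobject]@{ Role = 'InfrastructureMaster'; Holder = $d.InfrastructureMaster; Domain = $domainName }
    }
    return $roles
}

function Get-DcRecoveryOrder {
    # Group the roles by holder; the DC with the most roles (normally the PDC Emulator) goes first.
    Get-FsmoRoleHolders | Group-Object -Property Holder | ForEach-Object {
        [pscustomobject]@{
            DomainController = $_.Name
            RoleCount        = $_.Count
            HoldsPdcEmulator = [bool]($_.Group.Role -contains 'PDCEmulator')
            Roles            = ($_.Group.Role -join ', ')
        }
    } | Sort-Object -Property @{ Expression = 'RoleCount'; Descending = $true },
                              @{ Expression = 'HoldsPdcEmulator'; Descending = $true }
}

# Any DC absent from this table holds no FSMO role and can be restored after the listed ones.
Get-DcRecoveryOrder | Format-Table -AutoSize
```

Keep the output with your recovery documentation; if the top row changes between runs, a role was transferred or seized and the restore order needs updating.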


    If you have a virtual DC


    Since Active Directory services consume a small part of system resources, domain controllers are usually the first candidates for virtualization. To protect a virtualized controller with Veeam, you need to install and configure Veeam Backup & Replication.

    Important! The solution works with a domain controller VM running Windows Server 2003 SP1 and later; the minimum supported forest functional level is Windows 2003. The account used must have Active Directory administrator rights; an Enterprise Admin or Domain Admin account will do.
    The installation and configuration of Veeam Backup & Replication has been covered several times, for example in a video prepared by a Veeam system engineer, so we will skip the details here. Suppose everything is set up and ready to go. Now you need to create a backup job for the domain controller. The setup process is quite simple:

    1. Run the backup job creation wizard.

    2. Select your domain controller.

    3. Define a retention policy for the backup chain.

    4. Turn on application-aware data processing (Fig. 1) to ensure transaction-level consistency for the OS and the applications running on the VM (including the Active Directory database and the SYSVOL directory). To do this, select the Enable application-aware image processing (AAIP) option.

      AAIP is a Veeam technology that backs up a VM with its application state taken into account. It discovers the applications in the guest OS, collects their metadata, quiesces ("freezes") them using the appropriate mechanisms (Microsoft VSS writers), prepares the VSS-based application recovery procedure that will run the first time the restored VM starts, and truncates transaction logs after the backup completes successfully. If AAIP is not enabled, the guest OS of the domain controller will not know that it has been backed up. After some time you may therefore find an Event ID 2089 warning in the server's event log, backup latency interval (i.e. no backup was performed within the backup latency interval).

    5. Set the schedule for the task or run it manually.

    6. Verify that the job completed successfully.


    7. Find the newly created backup file in the repository, and you are done!
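    A post-job check for the symptom described in step 4, as an added PowerShell example (not from the original post or from Veeam). It assumes it runs on the domain controller itself (or through Invoke-Command) with rights to read the Directory Service event log, the NTDS parameters registry key and the VSS writer list; it reports whether Event ID 2089 has appeared recently and whether the NTDS VSS writer that AAIP relies on is present.

```powershell
# Added example: confirm the guest OS registered the backup (no Event 2089) and the NTDS VSS writer exists.
# Run locally on the DC; assumes rights to the Directory Service log and the NTDS registry key (assumption).
function Test-AdBackupRegistered {
    param([int]$LookbackDays = 1)

    # NTDS starts logging Event ID 2089 once a partition has gone longer than this many days
    # without a VSS-registered backup; the default is 90 days unless the value is overridden.
    $ntdsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $threshold = (Get-ItemProperty -Path $ntdsKey -ErrorAction SilentlyContinue).'Backup Latency Threshold (days)'
    if (-not $threshold) { $threshold = 90 }

    # Event ID 2089 in the Directory Service log is the "backup latency" warning from the post.
    $since    = (Get-Date).AddDays(-$LookbackDays)
    $warnings = @(Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2089; StartTime = $since } `
                               -ErrorAction SilentlyContinue)

    # Application-aware processing needs the NTDS VSS writer; vssadmin lists it as Writer name: 'NTDS'.
    $writerPresent = [bool](vssadmin list writers 2>&1 | Select-String -SimpleMatch "'NTDS'")

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        ThresholdDays     = [int]$threshold
        WarningsInWindow  = $warnings.Count
        LatestWarning     = if ($warnings.Count) { $warnings[0].TimeCreated } else { $null }   # newest first
        LatestMessage     = if ($warnings.Count) { $warnings[0].Message } else { 'no backup latency warnings' }
        NtdsWriterPresent = $writerPresent
        BackupRegistered  = ($warnings.Count -eq 0 -and $writerPresent)
    }
}

Test-AdBackupRegistered -LookbackDays 1 | Format-List
```

A result with BackupRegistered false right after a "successful" job usually means AAIP was disabled or the writer failed, so the guest OS still considers the directory unbacked-up.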

    You can additionally send the backup to the cloud through a Veeam Cloud Connect (VCC) service provider. The backup can also be moved to another backup repository using backup archiving jobs or the tape archiving functionality. The most important thing is that the backup is now stored in a safe place and you can restore the necessary data from it at any time.

    If you have a physical DC


    Honestly, I hope you keep up with the times and your company's domain controllers were virtualized long ago. If not, then I hope you at least update them regularly and they run relatively modern versions of Windows Server, that is, Windows Server 2008 (R2) and later. (There will be a separate article on the nuances of working with older systems.)

    So, you have one or more physical domain controllers running Windows Server 2008 R2 or later, and you want to protect them. In this case you need Veeam Endpoint Backup, a solution designed specifically to protect the data of physical computers and servers. Veeam Endpoint Backup copies the necessary data from the physical machine and saves it to a backup file. In the event of a disaster you can restore the data to bare metal or perform recovery at the logical drive level. In addition, you can restore individual objects using Veeam Explorer for Microsoft Active Directory.

    We do the following:

    1. Download Veeam Endpoint Backup FREE and copy the installer to the desired server.

    2. Run the installation wizard, accept the license agreement and install the program.

      Note: to perform the installation unattended, use the appropriate instructions.

    3. Create a backup job by selecting the desired mode. The easiest and recommended way is to back up the entire computer. If you use file-level backup mode, select the operating system as the object to copy; the program will then copy all the files needed for bare-metal recovery, and the Active Directory database and the SYSVOL directory will be saved as well. More details can be found, for example, in this post.



      Note: If Veeam Backup & Replication is already installed in your environment and you want to use an existing Veeam repository to store backups of physical machines, you can reconfigure it directly from Veeam Backup & Replication. To do this, hold down the CTRL key and right-click the desired repository, then in the dialog that opens allow access to the repository by selecting the desired option. If necessary, enable encryption there by selecting Encrypt backups stored in this repository.



    4. Run the job and make sure that it completed without errors:


    That's all: the backup is done and the domain controller is protected. Go to the repository and find the desired backup or backup chain.



    If you configured a Veeam Backup & Replication repository as the target storage for backups, the newly created backups will be displayed in the infrastructure panel under Backups > Disk, in the Endpoint Backups node.



    Instead of a conclusion


    Of course, a successful backup is a good start, but not everything. Obviously, a backup is worthless if data cannot be restored from it. Therefore, in the next article I will talk about various Active Directory recovery scenarios, including restoring a domain controller, as well as restoring individual deleted and changed objects using Microsoft's own tools and Veeam Explorer for Active Directory.

