Microsoft Active Directory is a standard in infrastructure where user authentication and centralized management is required. It is almost impossible to imagine how system administrators would do their job without this technology. However, the use of Active Directory not only brings great benefits, but also imposes great responsibility, requiring considerable time and understanding of the work processes. Therefore, I bring to your attention a few articles that will tell you how to successfully backup and restore Active Directory using Veeam solutions. In particular, I will explain how Veeam helps to make copies of domain controllers (DC) or individual AD objects and, if necessary, restore them.
I will begin in today's post with the options Veeam provides for backing up physical and virtual domain controllers, and with what needs to be kept in mind during backup. Details below.

Active Directory services are designed for redundancy, so familiar backup rules and tactics need to be adapted accordingly. In this case, it will be wrong to use the same backup policy that already works for SQL or Exchange servers. Here are a few recommendations that can help with the development of backup policy for Active Directory:
- Find out which domain controllers in your environment play the role of FSMO (Flexible Single Master Operations).
Useful: a simple command to check from the command line: > netdom query fsmo
When performing a full domain recovery, it is best to start with the domain controller with the largest number of FSMO roles — usually a server with the role of an emulator of the primary domain controller (PDC). Otherwise, after recovery, you will have to reassign the corresponding roles manually (using the ntdsutil seize command).
- If you want to protect individual objects, then you do not need to backup all controllers available on the production site. To restore individual objects, one copy of the Active Directory database (ntds.dit file) will suffice.
- It is always possible to reduce the risk of accidentally or intentionally deleting or modifying AD objects. We can recommend the delegation of administrative authority, restriction of access with elevated rights, as well as replication to the reserve site with a pre-set delay.
- It is usually recommended to back up domain controllers one at a time and to schedule the jobs so that they do not overlap with DFS replication, although modern backup solutions can handle this overlap.
- If you are using a VMware virtual environment, a domain controller may be unavailable over the network (for example, it is located in the DMZ zone). In this situation, Veeam will switch to a connection through VMware VIX and will be able to handle this controller.
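An added example (not from the original post) of the FSMO inventory recommended above: it collects the forest-wide and per-domain role holders with the ActiveDirectory module and ranks the controllers by the number of roles each one holds, so the recovery order (most roles first, usually the PDC emulator) is explicit. It assumes the RSAT ActiveDirectory module is available and the session has rights to query the forest.

```powershell
# Added example: inventory FSMO role holders and derive a recovery order.
# Assumes the ActiveDirectory (RSAT) module; run from a domain-joined admin host.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    $forest = Get-ADForest
    # Forest-wide roles
    $roles = @{
        'SchemaMaster'       = $forest.SchemaMaster
        'DomainNamingMaster' = $forest.DomainNamingMaster
    }
    # Domain-wide roles, collected for every domain in the forest
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $roles["PDCEmulator ($domainName)"]          = $domain.PDCEmulator
        $roles["RIDMaster ($domainName)"]            = $domain.RIDMaster
        $roles["InfrastructureMaster ($domainName)"] = $domain.InfrastructureMaster
    }
    return $roles
}

function Get-DcRecoveryOrder {
    param([hashtable]$RoleHolders)
    # Group the roles by the DC that holds them; most roles first.
    $RoleHolders.GetEnumerator() |
        Group-Object -Property Value |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                DomainController = $_.Name
                RoleCount        = $_.Count
                Roles            = ($_.Group.Key -join ', ')
            }
        }
}

$holders = Get-FsmoRoleHolders
$order   = Get-DcRecoveryOrder -RoleHolders $holders
$order | Format-Table -AutoSize
```

Cross-check the first row against the output of netdom query fsmo mentioned above; the DCs listed first are the ones to recover (or back up most carefully) first.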
If you have a virtual DC
Since Active Directory services consume a small portion of system resources, domain controllers usually become first candidates for virtualization. To protect a virtualized controller with Veeam, you need to install and configure Veeam Backup & Replication.
Important! The solution works with a VM domain controller on Windows Server 2003 SP1 and higher, the minimum supported forest functional level is Windows 2003. The account must be granted Active Directory administrator rights — you can work under the account of the administrator of an enterprise or a domain.
The process of installing and configuring Veeam Backup & Replication has already been covered several times - for example, in a video prepared by a Veeam system engineer, so we’ll do without details. Suppose everything is set up and ready to go. Now we need to create a task for the backup of the domain controller. The setup process is quite simple:
- Run the backup job creation wizard.
- Select the desired domain controller.
- Define a retention policy for the backup chain.
- Enable data processing based on the state of the applications (Fig. 1) to ensure consistency at the transaction level for the OS and applications running on the VM (including the database for Active Directory data and the SYSVOL directory). To do this, select the option Enable application-aware image processing (AAIP).
AAIP is the Veeam technology that backs up a VM based on the state of its applications. It detects the applications in the guest OS, collects their metadata, “freezes” them using the appropriate mechanisms (Microsoft VSS writers), prepares a VSS-based recovery procedure for the applications that will run when the restored VM is first started, and truncates transaction logs after a successful backup. If AAIP is not enabled, the guest OS of the domain controller will not register that it has been backed up and protected. After a while you may therefore find an internal warning in the server logs, Event ID 2089 (backup latency interval), meaning that no backup was registered within the backup latency interval.
- Set the schedule for the job or run it manually.
- Verify that the task completed successfully.

- Find the newly created backup file in the repository - that's it!
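A defender-side check for the Event ID 2089 situation described above, as an added example (not from the original post): run on the domain controller itself, it lists recent 2089 warnings from the Directory Service log, reads the configured backup latency threshold, and shows the last backup the DC registered per partition via repadmin, so a job that runs without AAIP can be spotted before the warning fires.

```powershell
# Added example: verify that the DC has registered recent AD-aware backups.
# Assumes an elevated PowerShell session on the domain controller.

function Get-AdBackupLatencyWarnings {
    param([int]$Days = 30)
    # Event 2089 is written to the Directory Service log for each partition
    # that has not been backed up within the backup latency interval.
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2089; StartTime = $since } `
        -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Get-AdBackupLatencyThresholdDays {
    # The interval defaults to 90 days and is adjustable via this NTDS parameter.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Backup Latency Threshold (days)'
    if ($null -eq $value) { return 90 } else { return [int]$value }
}

function Get-AdLastBackupPerPartition {
    # repadmin reads the DSA signature written by a VSS-aware backup
    # (what AAIP triggers) and prints the last backup time per partition.
    & repadmin.exe /showbackup
}

$days     = 30
$warnings = @(Get-AdBackupLatencyWarnings -Days $days)
if ($warnings.Count -gt 0) {
    Write-Warning ("{0} Event 2089 warning(s) in the last {1} days: the job may be running without AAIP." -f $warnings.Count, $days)
    $warnings | Format-Table -AutoSize -Wrap
} else {
    Write-Host ("No Event 2089 warnings in the last {0} days (threshold: {1} days)." -f $days, (Get-AdBackupLatencyThresholdDays))
}
Get-AdLastBackupPerPartition
```

A backup date in the repadmin output that matches the last job run confirms that the guest OS saw the backup; a stale date with a successful Veeam job points at a job configured without application-aware processing.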
You can optionally send a copy of the backup to the cloud through a Veeam Cloud Connect (VCC) service provider. It can also be transferred to another backup repository using backup copy jobs or the tape archiving functionality. The most important thing is that the backup is now stored in a safe place and the necessary data can be restored from it at any time.
If you have physical DC
Honestly, I hope that you keep up with the times and that the domain controllers in your company have long been virtualized. If this is not the case, then I hope that you update them regularly and that they run on relatively modern versions of Windows Server — Windows Server 2008 (R2) and higher. (The nuances of working with older systems will be covered in a separate article.)
So, you have one or more physical domain controllers running under Windows Server 2008 R2 and higher, and you want to protect them. In this case, you need Veeam Endpoint Backup, a solution specifically designed to protect the data of physical computers and servers. Veeam Endpoint Backup copies the necessary data from a physical machine and saves it to a backup file. In the event of an accident, you can recover data "on bare metal" or perform recovery at the level of the logical disk. In addition, you can restore individual objects using Veeam Explorer for Microsoft Active Directory.
Do the following:
- Download Veeam Endpoint Backup FREE and copy the installer to the correct server.
- Run the installation wizard, accept the license agreement and install the program.
Note: to install automatically, use the appropriate instructions.
- Create a backup task by selecting the desired mode. The easiest and recommended way is to back up the entire computer. Using the file-level mode, select the Operating system as the copy object. In this case, the program will copy all the files necessary for recovery "on bare metal". The Active Directory database and the SYSVOL directory will also be saved. More can be read, for example, in this post.

Note: If Veeam Backup & Replication is already installed in your environment, and you want to use the existing Veeam repository to store backups of physical machines, you can reconfigure it directly from Veeam Backup & Replication. To do this, on the desired repository, right-click, hold down the CTRL key, and in the dialog that opens, allow access to the repository by selecting the desired option. If necessary, enable encryption there, selecting Encrypt backups stored in this repository.

- Run the task and make sure that it passed without errors:

That's all: backup is done, the domain controller is protected. Go to the repository and find the desired backup or backup chains.

If you have configured the Veeam Backup & Replication repository as the target backup storage, the newly created backups will be displayed in the Backups > Disk infrastructure panel, under the Endpoint Backups item.

In place of a conclusion
Of course, a successful backup is a good start, but not all. Obviously, a backup is worth nothing if you cannot restore data from it. Therefore, in the next article I will talk about various scenarios for restoring Active Directory, including restoring a domain controller, as well as restoring individual deleted and modified objects using Microsoft’s own tools and Veeam Explorer for Active Directory.