Recover Group Policy Objects (GPOs) with Veeam Explorer for Active Directory
At the end of the series of articles on backup and recovery of Active Directory today, I would like to dwell on the functionality of Veeam Explorer for Microsoft Active Directory as part of Veeam Backup & Replication versions 9 and 9.5.
I note that the tools of the Veeam Explorers line are updated with each release of Veeam Backup & Replication, so I advise, first of all, always specify the version number you have in order to understand what feature set you will be dealing with. Secondly, I recommend to ensure that the most relevant supported version of Veeam products is always deployed in your infrastructure.
So, welcome under cat.
')
As many remember, Veeam Explorer for Microsoft Active Directory first saw the light in Veeam Backup & Replication version 8. Initially, it was designed to solve the most common tasks for restoring Active Directory - that is, it was able to perform objects, containers, user passwords, and exported data in LDIFDE format.
All this was certainly not bad, but, as always happens, administrators wanted more. We collected product reviews in online communities and forums, and users willingly offered new features and talked about less trivial tasks that they have to solve in everyday life. For example, it turned out that in addition to regularly adding users and computers to the domain and removing them from there, it is necessary to restore the Group Policy object (GPO) and / or DNS-integrated record from time to time. As a result, starting with Veeam Backup & Replication version 9, this functionality was included in our solutions.
Important! Before you begin, make sure that you are working with Veeam Backup & Replication version 9.0 or higher, and that you have a correctly created backup copy of the domain controller (how to create it for a virtualized domain controller using Veeam, it was described here ).
The recovery procedure is very simple:
Useful: You can enable the Compare selected object and select View attributes to see the differences between the GPO in the backup and in the production.
In addition, starting from version 9, Veeam Explorer for Microsoft Active Directory can recover:
By default, the display of these objects in the Veeam Explorer console is turned off. To enable it, click on Advanced Features on the Home tab:
Of course, we could not do without new features in version 9.5. Here we added support for Active Directory forests operating at the functional level of Windows Server 2016. In addition, we implemented the restoration of such useful objects as:
These features will certainly interest those whose domain controllers run on Windows Server 2016, as well as those who use the capabilities of Azure to create hybrid domains. The best part is that they work without additional tweaks and intricate settings, right out of the box.
In conclusion, as usual, I urge you to leave your wishes, comments and suggestions on the work of Veeam Explorer (and not only) in the comments and on the forum Veeam .
I note that the tools of the Veeam Explorers line are updated with each release of Veeam Backup & Replication, so I advise, first of all, always specify the version number you have in order to understand what feature set you will be dealing with. Secondly, I recommend to ensure that the most relevant supported version of Veeam products is always deployed in your infrastructure.
So, welcome under cat.
')
A bit of history
As many remember, Veeam Explorer for Microsoft Active Directory first saw the light in Veeam Backup & Replication version 8. Initially, it was designed to solve the most common tasks for restoring Active Directory - that is, it was able to perform objects, containers, user passwords, and exported data in LDIFDE format.
All this was certainly not bad, but, as always happens, administrators wanted more. We collected product reviews in online communities and forums, and users willingly offered new features and talked about less trivial tasks that they have to solve in everyday life. For example, it turned out that in addition to regularly adding users and computers to the domain and removing them from there, it is necessary to restore the Group Policy object (GPO) and / or DNS-integrated record from time to time. As a result, starting with Veeam Backup & Replication version 9, this functionality was included in our solutions.
Getting Started to Recovery
Important! Before you begin, make sure that you are working with Veeam Backup & Replication version 9.0 or higher, and that you have a correctly created backup copy of the domain controller (how to create it for a virtualized domain controller using Veeam, it was described here ).
The recovery procedure is very simple:
- In the Veeam Backup & Replication console, select the desired backup, and then from the Restore group, select Application Items - Microsoft Active Directory ;
- Specify the restore point, where we want to recover from;
- Veeam Backup & Replication mounts it to the backup server, retrieves the Active Directory database and the SYSVOL directory from the backup, and automatically opens them for viewing content in the Veeam Explorer for Microsoft Active Directory;
- If everything went as planned, then on the left, in the hierarchy tree under the Users and Computers container, you will see the Group Policy Objects container;
- Find the GPO object you need (you can run a search) and perform a restore or export by selecting the appropriate menu item.
Useful: You can enable the Compare selected object and select View attributes to see the differences between the GPO in the backup and in the production.
In addition, starting from version 9, Veeam Explorer for Microsoft Active Directory can recover:
- Active Directory-integrated DNS records (DNS records integrated into Active Directory and replicated as part of Domain Services replication);
- Objects in the Active Directory configuration section (this is an AD section containing information about all domains, sites and services within a forest; there is such a section for each forest, it is replicated to all domain controllers).
By default, the display of these objects in the Veeam Explorer console is turned off. To enable it, click on Advanced Features on the Home tab:
And what's new in version 9.5?
Of course, we could not do without new features in version 9.5. Here we added support for Active Directory forests operating at the functional level of Windows Server 2016. In addition, we implemented the restoration of such useful objects as:
- Forest objects running at the functional level of Windows Server 2016 and using Windows Server 2016 Directory Services for Active Directory (including password recovery for user and computer accounts);
- Expired links: they provide for exporting to an LDF file — something that the LDIFDE utility cannot do;
These features will certainly interest those whose domain controllers run on Windows Server 2016, as well as those who use the capabilities of Azure to create hybrid domains. The best part is that they work without additional tweaks and intricate settings, right out of the box.
In conclusion, as usual, I urge you to leave your wishes, comments and suggestions on the work of Veeam Explorer (and not only) in the comments and on the forum Veeam .
useful links
Source: https://habr.com/ru/post/326660/
All Articles