Active Directory from Microsoft is one of the most widely used user authentication and network permissions management tools in the world. It allows for federated login across an entire corporate network and management of user roles and permissions from a single point across multiple services. Even as companies move to the cloud and SaaS offerings, integration with the existing AD infrastructure is often considered a requirement for the success of the project. That said, the complexity of Active Directory, as well as its ability to be maintained at nearly perfect uptime, means that a viable Active Directory backup and disaster recovery solution is an absolute necessity.
Active Directory runs in a highly redundant architecture by design, and loss of the entire directory normally represents a major site fault. Recovery in this case often means a complete rebuild or a bare metal recovery from backup, and often a separate recovery step for databases and the AD components. Bacula Enterprise Edition’s VSS plugin can provide the DR-level backup and recovery tools for these situations, and the Bare Metal Recovery plugin allows recovery of a running system onto which the AD services can be recovered. However, while disaster recovery backups are a great thing to have, they don’t help with mistaken changes or corruptions that cause significant problems in a portion of the directory structure but shouldn’t require a restore of the entire directory. For example, a careless (or disgruntled) admin could make changes to the permissions of an entire OU, causing all manner of problems for the organization.
In this scenario, the solutions may be limited to a very time-consuming and error-prone manual rebuild of the structure, or a restore from backup. This is where the Bacula Enterprise Directory Server plugin can help. The Active Directory backup plugin communicates directly with your Active Directory or LDAP environment using the LDAP network protocol to correctly extract your directory structure and enable backup and recovery at the object level. Objects can even be restored to different locations in the directory tree.
This allows recovery of individual objects as well as the entire directory. Unlike the VSS plugin method, the Directory Server plugin assumes a functioning AD infrastructure has been reinstalled, onto which the backed up AD information will be restored, whereas the VSS plugin is more suited to disaster recovery scenarios. For more information about which plugin will suit your needs, please contact Bacula Systems.
Recovery of Active Directory objects with the Directory Server plugin is easy. Objects look just like files at restore time, and many of the same options work.
[Image: example restore window in bconsole]
In the restore window, a single object can be selected for recovery, and at that point many restore-time options become available.
For example, objects can be restored to a different server than the one they originated from. They can be restored on top of existing objects, and you can choose whether to keep existing objects that are newer than the objects being restored, keep those that are older, always replace them, or never replace existing objects. You can also have the Directory Server plugin check for object tombstones, which is especially useful when restoring objects that have been deleted incorrectly for one reason or another. It is also possible, of course, to select the entire directory structure for recovery onto a functioning Active Directory or LDAP server.
The ability to recover Active Directory in a disaster is crucial to a good all-around risk management strategy for any organization that relies on it heavily. Bacula Enterprise Edition provides tools both to recover from total loss and to back up Active Directory and recover portions of your infrastructure when things go wrong.