How to Backup Active Directory? AD backup tools from Bacula Enterprise Edition.

What is Active Directory?

Active Directory from Microsoft (MS AD) is one of the most widely used user authentication and network permissions management tools in the world. It allows for federated login across an entire corporate network and management of user roles and permissions from a single point across multiple services.

This service is extremely valuable for larger and more developed business structures, since system administrators would be more efficient managing computers that were added to the domain centrally. Services like Microsoft Exchange and Microsoft SQL Server also need Active Directory to operate properly. Any instance of Active Directory Domain Controller going offline is a significant problem since all users won’t be able to log in and the overall system would be unable to work properly in general.

Even as companies move to the cloud and SaaS offerings, integration with the existing AD infrastructure is often considered a requirement for success of the project. With this said, the complexity of Active Directory as well as its ability to be maintained at nearly perfect uptime means that a viable Active Directory backup and disaster recovery solution is an absolute necessity.

Worth noting: AD Disaster Recovery (DR) is something that should not be done – or confused with – directory server backups because those plans should include ways to get back to before the oldest tombstone. Similarly, single-item granularity directory server data restores must not be confused with DR. See the last paragraph of this blog for more details.

How Active Directory Works?

The core of Active Directory as a management system is a database that holds both transaction logs and individual objects. This database is split into multiple parts – and each part holds a different type of information, either domain names context (groups of users or individual ones) or configuration/schema partition (AD structure info and AD design info respectively). The structure of Active Directory database is hierarchical and its shape looks a lot like a tree. The main file that’s used for Active Directory database storage is Ntds.dit.
Active Directory works through several protocols to ensure the security of the network it’s operating with. Those protocols are the following:

• LDAP protocol (Lightweight Directory Access Protocol) is used for directory access (Active Directory and others) and directory authentication services through both username and password, it’s also open and cross-platform;
• Kerberos protocol is a cryptography-based protocol that’s used for single sign-on and secure authentication operations, it checks usernames and passwords before storing them within LDAP directory.

Active Directory is also deeply integrated with Windows-protected system files, DNS Server, COM+ Class Registration Database, Sysvol directory, cluster service information and several others. This amount of integrations also directly influences the overall Active Directory backup strategy.

Active Directory Backup Recommendations

Next we’ll talk about several general usage recommendations while backing up your Active Directory server.

Back up your Active Directory regularly

The recommended backup frequency for Active Directory is no more than 60 days. The reason for this is one of the specifics of Active Directory database management – AD tombstone objects. 

When the object in the Directory is deleted (meaning most of the object’s attributes, or all of them, are deleted) – it’s marked as a tombstone object and doesn’t get physically deleted until the expiration of the tombstone lifetime span, which is 60 days exactly. If you have several domain controllers operating at the same time and the Active Directory replication function is enabled – all those tombstone files would be copied at each and every one of your controllers and is kept there until its expiration time. There’s also the fact that if you’re restoring a domain controller backup that’s been created more than 60 days before today – you’re bound to get lots of inconsistencies due to one of the domain controllers having info about objects that don’t even exist anymore.

One more reason for the “60 days or less” mark is that any software or driver installed after the last backup would not work at all in the case of data restoration since there’ll be no information in the registry about said drivers or software. 

There are far more potential problems that can arise due to the data not being backed up frequently enough. The most “safe” recommendation is to do Active Directory backup on a daily basis.

Keep at least one of the domain controllers backed up

This advice is mostly for larger companies that have more than one domain controller in their infrastructure. You should back up at least one of your domain controllers if you have several of them to ensure at least partial data recovery in the case of some sort of hardware or software failure. Also if you have FSMO (Flexible Single Master Operation) roles installed on one of your controllers – you should prioritize backing it up first. That way, if you lose all of your controllers, you can recover one of them – the one with FSMO – that will be considered “primary”, and after that, if you deploy another controller – you’ll be able to, essentially, copy all of the changes from the “primary” domain controller to “secondary” one.

Prioritize software that provides data consistency

It’s quite a common knowledge that any backup should be done in a way to ensure that its’ consistency is preserved. The same goes for Active Directory backup. The best option is to backup the data while the server is turned off, or when VSS is used on a running server. On the contrary – trying to back up data from the server that’s working 24/7 is not the best idea. That’s why it’s highly recommended to use VSS-compatible services for any of your Active Directory backup needs. VSS creates a snapshot of the data, which essentially freezes the system and its’ info until the backup process is complete. That way you won’t lose or corrupt files that were rewriting themselves on the server at the time the backup was creating itself.

Your disaster recovery plan must include AD backup

Having a disaster recovery plan is a must in general, and the more scenarios you can predict and prevent or prepare for – the better you’ll be in the case of disaster of some kind. AD backup in this case is important because essentially you can’t use any AD-related services if you restore them before you restore your AD backup. You can backup your domain controller to several different storage locations:cloud, local or remote site. Having more than one copy of your Active Directory is highly recommended, as well.

Look for granular recovery option, if possible

While the process of recovering and rewriting all of your Active Directory data is a good idea most of the time – you may want to look for services that provide granular recovery option as well. That way if you want to recover only one or a few files from your backup – you’ll be able to do so quite easily. This also reduces the overall data restore time, especially when your Active Directory is bigger than the average one.

Native Active Directory Backup Tools and Services

There are several native backup tools for Active Directory created by Microsoft for backing up Windows Servers, including the ones that are running Active Directory domain controllers. 

Windows Server Backup

Windows Server Backup is a program that replaced NTBackup in Windows Server 2008 and newer versions. WSB comes with a new interface and the ability to create incremental backups with the usage of VSS (Microsoft Volume Shadow Copy Service). The data that’s been backed up is saved in VHD format. After backing it up you will be able to mount such VHD disks to a machine – both virtual and physical – to access the data you’ve backed up. The difference between this VHD and the one that’s created using MVMC (Microsoft Virtual Machine Converter) is that this VHD isn’t bootable. The command for backing up the whole volume or the system state is the following: wbadmin start systemstatebackup .

The main advantages of this backup method for Active Directory backup are the following: it’s affordable, it can work with VSS, and you can either back up the entire system or back up nothing but Active Directory files. The main disadvantage is that working with WSB requires a lot of prior knowledge and understanding to reach the program’s full potential in regards to both backup and recovery process.

System Center Data Protection Manager

The other backup service created by Microsoft is System Center Data Protection Management (SC DPM). Creating both the usual data backups and the Active Directory backups is within the program’s capabilities. SC DPM is an enterprise-level backup/recovery service that can be used for Windows Server data protection (which includes Active Directory backups). The difference between WSB and SC DPM is that the former is free, while the latter is a paid software that’s installed separately and not included in the basic Microsoft system package. It’s also somewhat harder to set up compared to WSB. But it’s still highly recommended to use it to ensure your device’s complete protection. The list of SC DPM features includes VSS support, incremental backup support, Microsoft Azure cloud backup support and the inability to recover singular files from backed up Active Directory. The most practical usage of SC DPM is to protect a number of Microsoft Exchange/Microsoft SQL servers and other Windows-based devices.

Third-party Active Directory Backup Methods

Even though both WSB and SC DPM are the native solutions for backing up Active Directory – there are a lot of other possible solutions for this. In fact, almost every enterprise-level backup service should be capable of backing up Active Directory with little to no problems. The difference between all those services in that case is the way some of them provide more capabilities while dealing with both backing up and restoring the Active Directory. 

The main point of backups in general works with Active Directory as well – the data backup has to be done in a specific way to ensure that the data is consistent enough. Most of the third-party backup services uses VSS to create a snapshot of the copied data to prevent said data from being in any way modified in the middle of the backup process. There’s also the possibility of another issue happening: if the backup of Active Directory is written to a physical disc – the snapshot that was created will be used for the write operation, but if it’s based on the live Active Directory database copy – inconsistencies are bound to arise one way or another. 

Each backup provider has their own specific way of dealing with said problem, some more effective than others. 

Plus, some of the third-party backup services can provide very specific object restoration for Active Directory backups. One of the examples of that is the ability to restore individual user accounts rather than the whole database. But not all of those products can do that, most of them can only provide full backup-and-restore service for Active Directory backups.

Active Directory Backup with Bacula Enterprise Edition

Active Directory runs in a highly redundant architecture by design, and loss of the entire directory normally represents a major site fault. Recovery in this case is often complete rebuilds or bare metal recoveries from backup, and often a separate recovery step for databases and the AD components. Bacula Enterprise Edition’s VSS plugin can provide the DR level backup and recovery tools for these situations, and the Bare Metal Recovery plugin allows recovery of a running system onto which the AD services can be recovered. However, while disaster recovery backups are a great thing to have, they don’t help in the case of mistaken changes or corruptions that cause significant problems to a portion of the directory structure, but shouldn’t require a restore of the entire directory. For example, a careless (or disgruntled) admin could make changes to the permissions of an entire OU causing all manner of problems for the organization.

In this scenario, the solutions may be limited to a very time-consuming and error-prone manual rebuild of the structure, or a restore from backup. This is where the Bacula Enterprise Directory Server plugin can help. The Active Directory backup plugin communicates directly with your Active Directory or LDAP environment using the LDAP network protocol to correctly extract your directory structure and enable backup and recovery at the object level. Objects can even be restored to different locations in the directory tree.

This allows recovery of individual objects as well as the entire directory. Unlike the VSS plugin method, the Directory Server plugin assumes a functioning AD infrastructure has been reinstalled, onto which the backed up AD information will be restored, whereas the VSS plugin is more suited to disaster recovery scenarios. For more information about which plugin will suit your needs, please contact Bacula Systems.

Recovery of Active Directory objects with the Directory Server plugin are easy. Objects look just like files at restore time, and many of the same options work. This image shows an example restore window in bconsole:

As you can see, we are able to select a single object for recovery and at this point will have access to many restore-time options.

For example, objects can be restored to a different server than they originated from. They can be restored on top of existing objects, and you can choose whether to keep existing objects that are newer than the objects being restore, older, always replace them, or never replace existing objects. You can also have the directory server plugin check for object tombstones, especially useful when restoring objects that have been deleted incorrectly for one reason or another. It’s also possible of course to select the entire directory structure for recovery onto a functioning Active Directory or LDAP server.

Conclusion

The Active Directory is basically at the heart of the business, hence the array of tools and services to prevent any kind of disruption or a memory loss that can at the very least cause downtime for both users and services provided by your business. It’s also important to properly research backup methods and services before applying one of them to your business. Selecting the backup solution that works best for you is the key to preventing most, if not all, of the problems with Active Directory and its’ data.

The ability to recover Active Directory in a disaster is crucial to a good all around risk management strategy for any organization that relies on it heavily. Bacula Enterprise Edition provides tools to both recover from total loss, but also valuable tools to backup Active Directory and recover portions of your infrastructure when things go wrong.