Backing up Domain Controller — Best practices for AD protection

Source: Veeam

Microsoft Active Directory is a standard in corporate environments where authentication and central user-management are required. It’s almost impossible to imagine how system administrators would be able to do their jobs effectively if this technology didn’t exist. Not only is Active Directory a great power, but it’s also a great responsibility — and it requires spending a lot of time with it in order to maximize its capabilities.

This series is intended to help you successfully back up and recover Active Directory Domain Services with Veeam, giving you all the keys to painless AD protection. Before reading this, you might want to take a look at the Active Directory design and implementation series we posted a while ago.

This series discusses how Veeam can protect AD data: preserving Domain Controllers (DCs) or individual AD objects and recovering either of them when required.

Today, I’m going to talk about the backup options Veeam offers for both physical and virtualized DCs, and backup considerations to keep in mind while you do that.

Backup DC considerations

Active Directory Domain Services is designed with a degree of redundancy, so the common backup rules and tactics can be relaxed and adapted to that level. It wouldn’t be right to apply the same backup policy you have for SQL or Exchange servers here. Below are some considerations I believe might be helpful for creating your own AD policies:

  • Learn which domain controllers hold Flexible Single Master Operations (FSMO) roles in your environment. Hint: you can check this from the command line with netdom query fsmo

When performing a full domain recovery, you might want to start with the DC holding the most FSMO roles, usually the one with the PDC Emulator role. Otherwise, you will have to seize the roles manually after the restore with the ntdsutil seize command. Keep that in mind when planning backups and prioritize DCs accordingly. Refer to the Active Directory basics white paper to learn more about FSMO roles.
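As an added example that is not part of the original article, the following PowerShell inventories the FSMO role holders with the ActiveDirectory module and turns that into a backup priority list for the domain’s DCs, with the PDC Emulator holder first. It assumes the RSAT ActiveDirectory module is installed and the account can read the forest; the function names are my own, and it cross-checks against the netdom query fsmo command mentioned above.

```powershell
# Added example, not part of the original article. Assumes the RSAT
# ActiveDirectory module is available and the caller can read the forest.
Import-Module ActiveDirectory

# One row per DC that holds at least one FSMO role, sorted so the PDC
# Emulator holder comes first, then by how many roles the DC holds.
function Get-FsmoHolderSummary {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Forest-wide roles are exposed by Get-ADForest, domain-wide ones by Get-ADDomain.
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }

    $roles.GetEnumerator() |
        Group-Object -Property Value |
        ForEach-Object {
            [pscustomobject]@{
                DomainController = $_.Name
                RoleCount        = $_.Count
                Roles            = ($_.Group.Name -join ', ')
                HoldsPdc         = [bool]($_.Group.Name -contains 'PDCEmulator')
            }
        } |
        Sort-Object -Property @{Expression = 'HoldsPdc'; Descending = $true},
                              @{Expression = 'RoleCount'; Descending = $true}
}

# Every DC in the domain with a backup priority: FSMO holders first (PDC
# Emulator at the top). The remaining DCs share the lowest priority, since
# one copy of ntds.dit is enough for item-level recovery.
function Get-DcBackupPriority {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $holders  = @(Get-FsmoHolderSummary -Domain $Domain)
    $priority = 0
    $ranked = foreach ($h in $holders) {
        $priority++
        [pscustomobject]@{ Priority = $priority; DomainController = $h.DomainController; Roles = $h.Roles }
    }

    $others = Get-ADDomainController -Filter * -Server $Domain |
        Where-Object { $holders.DomainController -notcontains $_.HostName } |
        ForEach-Object {
            [pscustomobject]@{ Priority = $priority + 1; DomainController = $_.HostName; Roles = '(none)' }
        }

    @($ranked) + @($others)
}

# Cross-check with the built-in tool mentioned in the article, then print the plan.
netdom query fsmo
Get-DcBackupPriority | Format-Table -AutoSize
```

The output is the order in which you would want backup jobs to run (and, after a full domain loss, the order in which you would restore): the PDC Emulator holder first, other role holders next, and the rest of the DCs last, where a single job is usually enough.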

  • If you have multiple DCs for the site and you’re looking for individual object protection, there’s no need to back up all DCs: for item-level recovery, one copy of the AD database (ntds.dit) is sufficient
  • Some measures always mitigate the risk of accidental or intentional deletion or change of AD objects: delegating administrative operations, restricting access to elevated groups and maintaining a “lag” site
  • It’s usually recommended to back up one DC at a time, so as not to interfere with DFS Replication — even if modern backup applications (e.g., Veeam Backup & Replication v7 with patch 3 and onwards) know how to deal with this
  • If you have a VMware virtual environment and it is not possible to connect to your DC over the network (for example, because it sits in a DMZ), Veeam will fail over to VIX and should still be able to process your DC

Backup of a virtual Domain Controller

Microsoft’s Active Directory Services organize and keep information about individual objects within the forest and store it in a relational database (ntds.dit) hosted by a domain controller. Backup of a Domain Controller has previously been a tiresome process, involving backing up the server’s system state. It’s a well-known fact that Active Directory services don’t consume a lot of system resources, so Domain Controllers tend to be the first servers to be virtualized in an environment. If you happen to share the old belief of “physical DCs only”, please refer to this post.

Once virtualized, they are easy for a domain/system administrator to manage and can be backed up with Veeam Backup & Replication. To begin, you should have Veeam Backup & Replication installed and configured. The system requirements (for version 9.0) are as follows:

Virtual platform: VMware vSphere 4.1 and newer; Microsoft Hyper-V 2008 R2 SP1 and newer

Veeam server: Windows Server 2008 SP2 and newer; Windows 7 SP1 and newer, 64-bit OS

Domain controller virtual machine (VM): Windows Server 2003 SP1 and newer, the minimum supported forest functional level of Windows 2003

Permissions: Administrative rights for target Active Directory. Account of an enterprise administrator or domain administrator.

This article doesn’t intend to cover the process of Veeam Backup & Replication installation and configuration, as it has already been covered a few times. But, if you need help with that, please refer to the following video recorded by a Veeam system engineer.

I’m going to assume that you have everything running fine. Now you’d like to configure a backup task for your virtual DC. The process of configuration is rather simple (see figure 1 below):

1. Launch a Backup Job creation wizard

2. Add a desired DC to the task

3. Specify the retention policy for the backup chain

4. Make sure you enable application-aware image processing (AAIP) to ensure transactional consistency of backup files, including the Active Directory database, its supporting files and the SYSVOL catalog

Note: AAIP is a Veeam technology that allows the software to back up VMs in an application-aware way. That means a multi-step process of detecting applications inside the guest OS, quiescing them using the corresponding VSS writers, applying application-specific settings and truncating transaction logs if the backup task is successful. Please refer to the AAIP documentation for details.

If AAIP is not enabled, the Domain Controller’s guest OS will not realize it has been backed up and protected. So, a while later, you might notice an internal warning in the server logs: event 2089, stating that there has been no backup for “backup latency interval” days.
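As an added example (not from the original article), the following PowerShell checks on a DC whether that warning has already appeared. It reads the threshold the warning is measured against, looks for event 2089 in the Directory Service log, and then shows what the DC itself records as its last backup time with repadmin /showbackup. The function name is my own; the registry value name and the 90-day default are taken from Microsoft’s description of event 2089 and are stated as an assumption in the code.

```powershell
# Added example, not part of the original article. Run on the DC itself, or
# pass -ComputerName for a remote DC you have event-log read rights on.
function Get-DcBackupLatencyStatus {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$LookbackDays = 7
    )

    # Threshold (in days) that event 2089 is measured against. If the value
    # is absent, Windows uses a default of 90 days (assumption, taken from
    # Microsoft's description of event 2089; verify on your OS version).
    $regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $regName   = 'Backup Latency Threshold (days)'
    $threshold = try {
        (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction Stop).$regName
    } catch { 90 }

    # Event 2089 is written to the Directory Service log while no backup has
    # been registered within the threshold. The DC re-logs it periodically,
    # so a short lookback window is enough to see whether it is still firing.
    $filter = @{
        LogName   = 'Directory Service'
        Id        = 2089
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    }
    $events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        DomainController     = $ComputerName
        LatencyThresholdDays = $threshold
        Event2089Count       = $events.Count
        LastWarning          = if ($events.Count) { ($events | Sort-Object TimeCreated -Descending)[0].TimeCreated } else { $null }
        NeedsAttention       = ($events.Count -gt 0)
    }
}

Get-DcBackupLatencyStatus | Format-List

# What the DC believes its last backup time is, per directory partition.
# A backup taken without AAIP does not update these timestamps.
repadmin /showbackup
```

If NeedsAttention is true even though your Veeam job reports success, the usual cause is that guest processing was not applied to the DC: the image was captured, but nothing inside the guest told the directory service it had been backed up.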

Figure 1. Edit Backup Job: Guest processing

5. Schedule a task or manually run it

6. Ensure the task successfully ran with no errors or warnings

Figure 2. Performing incremental backup of a DC

7. Find the newly created backup file at the backup repository — that’s it!
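The same seven wizard steps can be driven from the Veeam PowerShell snap-in. The following is an added example that is not part of the original article or of Veeam’s own documentation: the cmdlet and option names are as I recall them from the v9 PowerShell reference and should be verified against the reference for your version; the DC, repository, job and credential names are placeholders.

```powershell
# Added example, not from the original article or Veeam's documentation.
# Cmdlet and option names are as I recall them from the Veeam v9 PowerShell
# reference (assumption): verify them against the reference for your version.
# DC, repository, job and credential names are placeholders.
Add-PSSnapin VeeamPSSnapIn -ErrorAction Stop

$dcName    = 'DC01'                       # placeholder: virtual DC name in the hypervisor
$repoName  = 'Default Backup Repository'  # placeholder: existing backup repository
$jobName   = 'AD - DC01'                  # placeholder: name of the new job
$guestCred = 'LAB\svc-veeam-guest'        # placeholder: saved guest OS credential

# Steps 1-2: create the backup job with the DC as its only object.
$dc   = Find-VBRViEntity -Name $dcName | Select-Object -First 1
$repo = Get-VBRBackupRepository -Name $repoName
$job  = Add-VBRViBackupJob -Name $jobName -Entity $dc -BackupRepository $repo -Description 'Virtual DC, AAIP enabled'

# Step 3: retention policy, expressed as the number of restore points to keep.
$opts = Get-VBRJobOptions -Job $job
$opts.BackupStorageOptions.RetainCycles = 14
Set-VBRJobOptions -Job $job -Options $opts | Out-Null

# Step 4: application-aware image processing. This is what makes the DC's VSS
# writers quiesce ntds.dit and SYSVOL and lets the guest OS record that a
# backup happened, which is what keeps event 2089 from appearing.
$vss = Get-VBRJobVssOptions -Job $job
$vss.Enabled = $true
Set-VBRJobVssOptions -Job $job -Options $vss -Credentials (Get-VBRCredentials -Name $guestCred) | Out-Null

# Step 5: schedule the job daily and enable the schedule.
Set-VBRJobSchedule -Job $job -Daily -At '22:00' -DailyKind Everyday | Out-Null
Enable-VBRJobSchedule -Job $job | Out-Null

# Step 6: run once now and insist on a clean result. A Warning, not only a
# Failed result, deserves a look: it usually means guest processing (and so
# AAIP) did not work on the DC.
Start-VBRJob -Job $job | Out-Null
$session = Get-VBRBackupSession | Where-Object { $_.JobId -eq $job.Id } |
           Sort-Object CreationTime -Descending | Select-Object -First 1
if ($session.Result -ne 'Success') {
    throw "Job '$jobName' finished with result '$($session.Result)'; check the session log before relying on this backup."
}

# Step 7: the restore points now present in the repository.
Get-VBRBackup -Name $jobName | Get-VBRRestorePoint | Select-Object VmName, CreationTime, Type
```

Scripting the job is mostly useful for the consistency it gives: every DC job gets AAIP switched on and the same retention, rather than depending on someone remembering the checkbox in the wizard.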

Additionally, you can store a backup in the cloud with Veeam Cloud Connect (VCC), copy it to another datastore or tape using Veeam Backup Copy jobs and much more. The most important thing is that backup is now safe and can be restored as soon as you need it.

How to back up a physical Domain Controller

Frankly speaking, I hope that you’ve been reconfiguring AD services in your company and that your DCs have been virtualized for a long time. If not, I hope that you’ve at least been updating your DCs, and that they’re running relatively modern Windows Server OS versions, Windows Server 2008 R2 or newer. (If you manage older systems, skip below and go to the third article right away.)

So, you have a physical DC — or a set of them — running Windows Server 2008 R2 or newer, and you want to protect your AD? Meet Veeam Endpoint Backup, the utility aimed at ensuring that data on your remaining physical endpoints and servers is safe and secure. Veeam Endpoint Backup captures the desired data from the physical machine and stores it in a backup file. Then, in case of a disaster, you are able to do a bare-metal or volume-level restore while keeping full control of the recovery procedure. Plus, you get item-level recovery with Veeam Explorer for Microsoft Active Directory.

In order to back up your physical DC with this tool you should:

  • Download the utility from this page and copy it to your DC
  • Launch the installation wizard, accept the license agreement and install the program

Note: read these instructions for installing in Unattended Mode.

  • Configure a backup task by selecting the appropriate backup mode. If you’re configuring file-level backup mode, select Operating system as an object to back up (see Figure 3). This ensures that the program captures all files required for a bare-metal restore; the Active Directory database and SYSVOL catalog will also be saved. Refer to the product user guide for details

Figure 3. Selecting objects to backup in Veeam Endpoint Backup

Note: If you have a Veeam Backup & Replication instance in your infrastructure and you’d like to use a configured Veeam Backup Repository to accept endpoint backups, reconfigure it right from Veeam Backup & Replication (right-click the desired repository, allow access to the repository and enable backup encryption if needed; see Figure 4).

Figure 4. Setting Endpoint Backup Permission for backup repository

  • Run the backup, and make sure it completes with no errors

Figure 5. Veeam Endpoint Backup FREE: Backup job statistics

  • Voila! The backup is done, and your DC is protected from now on. Go to the backup destination and find the backup or the backup chain

Figure 6. Incremental backup chain

Note. If you configured a Veeam Backup & Replication repository as the target for the DC backup, you will find the newly created backup at the Backups-disk node, under Endpoint Backups.

Figure 7. Veeam Backup & Replication: Backups-disk

Is DC backup that simple? Yes and no. Successful backup is great for starters, but that’s not all you need. Like we say at Veeam, “Backup is not worth a penny if you can’t restore from it.”

The following articles in this series are dedicated to different AD recovery scenarios, including the restore of a particular DC, as well as the recovery of individual deleted and changed objects using native Microsoft utilities and Veeam Explorer for Active Directory.
