Backing up critical databases is a basic IT responsibility, and the database in your Active Directory (AD) is no exception. Minimizing the risk of catastrophic data loss means not only taking the time to regularly back up Active Directory, but also doing it carefully so as to ensure data consistency. There are several popular approaches to preventing data from being modified during the backup process.
While deciding how to back up Active Directory can be a technically complex question, it’s fairly straightforward once you’ve decided to go with an optimal software solution to perform the backup. There are some limited functions you can perform on your Windows computer, although for more robust security capabilities you need to invest in more specialized tools.
If you’ve got an older Microsoft operating system, the Active Directory Users and Computers console will be installed by default on your computer. To open it, just look for dsa.msc. Otherwise, if you already have Active Directory installed, you should look under Administrative Tools in the Start menu, which includes all the available Active Directory tools.
If you can’t find the Active Directory tools, the device likely does not have this feature installed. For Windows 8 and 10, you’ll have to install the application yourself. In Windows 10, look under Apps to find Manage Optional Features, and Add Feature. In the menu, select RSAT: Active Directory Domain Services and Lightweight Directory Tools. Click Install. In a few minutes, it should appear as an option under Windows Administrative Tools in the Start menu.
For other Windows versions, go to Programs and Features in the Control Panel, and find Turn Windows Features On or Off. Go to the bottom of the panel that appears and expand the Remote Server Administration Tools section, then the Role Administration Tools option. Expand “AD DS and AD LDS Tools” and make sure that “AD DS Tools” is checked.
You can restore Active Directory from backup in its entirety using a system-wide backup, or recover just specific information with more pinpointed options. Restoring the full Active Directory typically should not be your first option, as this is fairly drastic—typically, you should make this move only if the entire AD database needs to be recovered. In addition, restoring will only work if you have valid system state backups already, which underlines the importance of a comprehensive backup plan. To this end, your best option is to pair the basic Windows backups with more robust commercially available backup tools.
If your system has failed and you need a wholesale restoration to access the AD information, you can perform the system-wide recovery. To restore the Active Directory with a system state restore, you’ll need to use a tool like SolarWinds Backup. Install the Recovery Console on a new device with the same configuration, and make sure there is an empty Active Directory by using DCPROMO. Ensure that you’re in Directory Services Restore Mode, as well. You can choose the desired recovery point from among your backups, then perform the restoration.
If you’ve accidentally deleted something in Active Directory, you’re far from the first one to make such a mistake—but this doesn’t mean you need to perform a full Active Directory restore. With a tool like SolarWinds Backup, administrators can restore AD objects in just a few clicks. With versioning, this tool keeps track of file and system changes, and you can set exactly how long data should be archived; this makes it easier to recover exactly what you need without a total system overhaul. SolarWinds Backup’s journal-based technology means that recovery, whether from yesterday’s backup or last year’s archive, is equally fast.
As a secondary option, you can use the AD Recycle Bin, which lets you search through and recover items for about 60-180 days after deletion. If you’re not already running Recycle Bin or aren’t sure if you’re running it, you can enable it from the Active Directory Administrative Center. Or you can just execute the following command:
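Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=www,DC=domain,DC=com' -Scope ForestOrConfigurationSet -Target 'www.domain.com'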
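The script below is an added example, not part of the original article or any vendor's tooling. It checks the forest before enabling the Recycle Bin, which cannot be disabled once it is on, and then previews the restore of one deleted account. The account name jsmith is hypothetical, and the script assumes the RSAT ActiveDirectory module and an account allowed to change forest-wide settings.

```powershell
# Added example. 'jsmith' is a hypothetical account name.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'

# The Recycle Bin requires a forest functional level of Windows Server 2008 R2 or later.
$minimum = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ($forest.ForestMode -lt $minimum) {
    throw "Forest functional level $($forest.ForestMode) does not support the AD Recycle Bin."
}

if ($feature.EnabledScopes.Count -eq 0) {
    # Enabling cannot be undone, so keep the confirmation prompt.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Confirm
} else {
    Write-Output "Recycle Bin already enabled for: $($feature.EnabledScopes -join '; ')"
}

# Deleted objects are only returned when -IncludeDeletedObjects is specified.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and sAMAccountName -eq "jsmith"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged

if (-not $deleted) {
    Write-Warning 'No deleted object matches that account name.'
    return
}

# Show where each match lived and when it last changed (normally the deletion),
# then preview the restore without modifying the directory.
$deleted | Select-Object Name, lastKnownParent, whenChanged | Format-Table -AutoSize
$deleted | Restore-ADObject -WhatIf   # drop -WhatIf to perform the restore
```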
Traditional backup applications were typically hosted on a local application server in your data center. Today, there are many SaaS-based options that do not require an application server. Instead, you have two options that may prove a better use of your hardware budget.
The first is a local copy of your backups, which is essentially a mirrored sync of backups stored remotely. This can be stored on a USB, an existing network share, or other hardware you may already have. Some vendors require a proprietary appliance to do this job, but that option brings an unappealing upfront investment, as well as ongoing costs to maintain and upgrade it as your data grows. Flexibility in how you store this second copy is to your advantage.
The second option is to create a warm standby server, and sync your daily backups to it. This requires a bit of investment in a dedicated server, but provides the fastest possible recovery time if a critical server goes down, as it is ready to take over and keep business running at a moment’s notice. SolarWinds Backup lets you do either, or both.
Although a specialized vendor product like SolarWinds Backup is the preferred method for protecting your data and backing up Active Directory, users can layer security with a secondary tool like the Windows Server Backup application. It isn’t installed by default, but you can download it using Add Roles and Features in the Server Manager. Once it’s downloaded, you can perform a full server backup, choosing either Local Drives or Remote Shared Folder to set up your Backup location. This may require you to have your own additional resources, like cloud or hardware space, to create this backup.
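The steps above can also be scripted. The following is an added example, not taken from the original article: it installs Windows Server Backup if it is missing, backs up the critical volumes and system state with wbadmin, and confirms the result. The target volume E: is an assumption, and the script must run in an elevated session on the server being backed up.

```powershell
# Added example. $target is a hypothetical backup volume; a remote shared
# folder such as \\server\share can be used instead.
$target = 'E:'

# Windows Server Backup is not installed by default.
if (-not (Get-WindowsFeature -Name Windows-Server-Backup).Installed) {
    Install-WindowsFeature -Name Windows-Server-Backup | Out-Null
}

# Back up all critical volumes plus system state, which on a domain
# controller includes the Active Directory database and SYSVOL.
wbadmin start backup "-backupTarget:$target" -allCritical -systemState -quiet
if ($LASTEXITCODE -ne 0) {
    throw "wbadmin exited with code $LASTEXITCODE; the backup did not complete."
}

# Confirm that Windows Server Backup recorded the run as successful.
$summary = Get-WBSummary
if ($summary.LastBackupResultHR -ne 0) {
    throw "Last backup reported result code $($summary.LastBackupResultHR)."
}
Write-Output "Last successful backup: $($summary.LastSuccessfulBackupTime)"
Write-Output "Stored at: $($summary.LastSuccessfulBackupTargetPath)"

# List the backup versions available on the target for a later restore.
wbadmin get versions "-backupTarget:$target"
```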
Within the SolarWinds Backup management console, you can create a system state backup, which is essentially the whole configuration of the operating system along with critical components, including boot files, SYSVOL directory, certificates, the Registry, and of course, the Active Directory. These crucial operating system components are necessary if your system fails, and they allow you to recover to another device—either a physical server or a virtual machine. This drastic option is only necessary for a worst-case situation: if a device simply won’t start, all options have been explored, and a full recovery is truly necessary.
As you create a disaster recovery plan, you’ll want to make sure your recovery will be successful, if needed. To that end, be sure to regularly test your available backups to ensure you can rely on those copies if the worst-case scenario occurs. Other best practices for developing a disaster recovery plan include: