Active Directory backup strategies

Active Directory backup has been an important topic for a long time. Today however, with identity-based attacks on the rise and AI empowering a broader base of threat actors, several aspects of the process have taken on new urgency.

This blog post explains what you need to know to ensure you have the Active Directory backups you need to recover effectively from an incident, whether an adversary has modified a security group to elevate their permissions or an AI-powered ransomware infection has taken down your entire AD forest. In particular, I’ll cover what types of AD backups there are, what options you have for storing them, and how to ensure they are safe and effective to use for recovery.

What is an Active Directory backup?

An Active Directory backup is a record of Microsoft Active Directory (AD) data from a specific point in time. Its purpose is to enable the organization to restore critical data and operations in case of an adverse event.

Those events fall into two broad categories. One is the accidental or malicious modification of Active Directory objects, such as user accounts, security groups, and Group Policy objects (GPOs). The other is a full-on disaster that requires recovering your entire AD domain or forest. It’s important to understand that Active Directory disaster recovery involves far more than simply restoring the AD database — it requires getting your domain controllers (DCs) working again so they can resume providing essential services like authentication and authorization. Without at least one operational DC, your on-premises or hybrid Microsoft ecosystem cannot function.

Accordingly, at a minimum, an Active Directory backup should include the following:

  • The Active Directory database file (ntds.dit)
  • The full contents of SYSVOL — a directory with critical files that must be replicated throughout a domain, such as GPOs, startup and shutdown scripts, and logon and logoff scripts
  • Any AD-integrated DNS zones and services

Why is Active Directory backup important?

Let’s review exactly why Active Directory backup is essential in each of the two core scenarios: disaster recovery and granular restore.

Disaster recovery

Remember the infamous NotPetya attack in 2017? Within hours, this malware brought operations to a standstill at companies around the world, including shipping giant Maersk. Although Maersk had backups of much of its data, nobody could locate a single Active Directory backup. As a result, they were unable to restore IT operations: No one could log on, let alone process orders, send email, or monitor shipments. In the end, Maersk was saved only by a stroke of luck: One DC at a remote office had been offline during the attack and therefore remained uninfected and undamaged. The company painstakingly shuttled that precious machine to its headquarters to serve as an Active Directory backup and enable the disaster recovery process.

The lesson of this story is simple: As long as your Active Directory is down, your business is dead in the water. It doesn’t matter if you have good backups of your databases, mailboxes and file shares — without an Active Directory backup, you cannot restore AD to working order, so there will be no authentication and authorization services to enable anyone to access that content. The cost of this downtime can be staggering. Indeed, a study by Forrester Consulting pegs it at $730,000 per hour. So it’s not surprising that while Maersk estimated that the NotPetya attack cost the company over $250 million, staffers privately suggested the total was actually much higher.

Moreover, it doesn’t require a state-sponsored global attack to take down your Active Directory. Today, ransomware-as-a-service providers on the dark web enable cybercriminals with limited technical skills to cause an AD disaster. In fact, even a mistake or equipment failure can be enough. For example, schema upgrades are not reversible with Microsoft’s normal tools, so if an admin makes an unintentional error during the process, you have to do a full domain or forest restore. Similarly, if your domain has only one DC and the machine dies, you need an Active Directory backup to get the business back on its feet.

Granular (object-level) restores

Active Directory backups are also vital for a far more frequent need: object-level restores. Active Directory stores a wealth of critical information — from user accounts and their properties, to security groups and their associated permissions, to GPOs that prevent dangerous actions and control software updates. If any of that data is improperly changed or deleted, the organization can be at increased risk of business disruptions, security breaches and compliance violations.

Some improper changes are accidental. For instance, suppose the CEO has the same name as a salesperson who leaves the company, and an IT administrator inadvertently deletes the wrong account. Or perhaps a hasty edit grants an entire team access to a database with regulated data they shouldn’t access, or a runaway script improperly modifies thousands of user objects. Other changes are deliberate and malicious: By changing the membership of a security group, adversaries can escalate their privileges. By altering Group Policy, they can gain persistent access, evade detection, and more. And by performing a password spray attack, they can change the passwords for all accounts, effectively locking out all users, including admins.

To close security vulnerabilities and enable users to get back to work, IT teams need to quickly revert unwanted changes and deletions. In most cases, that requires an Active Directory backup. It’s a mistake to think that the AD Recycle Bin is sufficient. While it provides a handy way to restore certain types of recently deleted objects, the Recycle Bin was never designed to provide comprehensive granular recovery capabilities. In particular, it does not provide any logs or reports to help you determine which objects you need to restore, and it does not cover important objects like GPOs. Moreover, an object that is modified (rather than deleted) does not go into the Recycle Bin and therefore cannot be restored from it.

Additional benefits: Compliance and cyber insurance

Because Active Directory backup is critical to enabling disaster recovery and granular restores, it is a requirement of many industry standards and compliance mandates. Therefore, having a robust AD backup strategy is necessary for avoiding steep penalties from regulatory agencies.

In addition, to qualify for cyber insurance, organizations often need to prove that they have a solid backup strategy that is closely monitored and regularly tested.

Types of Active Directory backup

There are multiple types of AD backups to know about, including options supported by Microsoft tools and methods that require a third-party solution.

Native backup options

Native options include:

  • System State backups include almost the entire operating system, not just the Active Directory pieces.
  • Bare metal recovery (BMR) backups enable you to restore your Active Directory DCs to different hardware instances, for example, in case of physical corruption of DCs. In addition to the Active Directory components, they include data such as the key and root disks.

Both of these types of backup contain much more than just what’s needed to recover AD, which introduces important risks. In particular, malware has more places to hide, increasing the chances that it will be inadvertently restored during the recovery process.

Third-party backup options

Some third-party solutions provide additional AD backup options:

  • Active Directory backups include only AD-specific components: the NTDS directory, SYSVOL, and aspects of the registry that have to do with AD. By excluding the many other components in a System State or BMR backup, AD backups dramatically reduce the risk of reinfection by malware after the recovery process.
  • Entra ID backups are vital in hybrid environments because cloud-only objects and attributes are not stored in AD and therefore are not protected by on-prem AD backups. Examples include Microsoft 365 licenses, Azure B2B and B2C accounts, and Conditional Access policies. Without Entra ID backups, you cannot restore these items either granularly or as part of a disaster recovery. As a result, users may be unable to use the IT resources they need to do their jobs, hackers who compromise an account may be able to access sensitive resources because they are not challenged to complete multifactor authentication, and partner and customer accounts may be lost forever.

What about VM snapshots?

Note that I did not include VM snapshots, which are images of a virtual machine (VM) at a given point in time. That’s because VM snapshots are not adequate Active Directory backups. Using them for forest recovery will almost always result in data consistency problems that are difficult to resolve. Examples include lingering objects (objects that are present on one DC but that were fully deleted from other DCs) and Update Serial Number (USN) issues that will break replication. Plus, like BMR backups, snapshots can include malware, which will be restored onto the DC with everything else.

Best practices for Active Directory backup

Take regular backups.

Most organizations need to create an Active Directory backup daily to ensure that they can restore a deleted or modified AD object to a very recent state. Backups intended for use in disaster recovery might merit a less frequent schedule, such as weekly. Ideally, the AD backup and recovery solution should enable IT teams to choose which backup they want to use when they need to perform a granular restore or disaster recovery operation.

Back up at least one DC in each domain.

At a minimum, back up one domain controller in each domain. However, in large environments with multiple DCs, the best practice is to back up at least two DCs in each domain to ensure redundancy and fault tolerance.

Microsoft notes that if you have multiple DCs, be sure to back up the DCs that hold FSMO roles and use that backup for disaster recovery. It is also prudent to ensure your Active Directory backup and recovery solution is capable of seizing and transferring FSMO roles if needed.
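As an added example (not code from the original post or from any vendor product), the following PowerShell builds the per-domain backup set described above: every FSMO role holder in the forest, topped up with additional DCs until each domain has at least two. It assumes the RSAT ActiveDirectory module is installed and the account has read access to the forest; the function name and the two-per-domain default are assumptions.

```powershell
# Added example: list the DCs that must be in the backup schedule, per domain.
# Assumes the RSAT ActiveDirectory module and read access to the forest.
Import-Module ActiveDirectory

function Get-DcBackupSet {
    param([int]$MinimumPerDomain = 2)   # assumption: at least two DCs per domain

    $forest = Get-ADForest
    # The two forest-wide roles are held by DCs in the forest root domain.
    $forestRoles = @{
        SchemaMaster       = $forest.SchemaMaster
        DomainNamingMaster = $forest.DomainNamingMaster
    }

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $roles = @{
            PDCEmulator          = $domain.PDCEmulator
            RIDMaster            = $domain.RIDMaster
            InfrastructureMaster = $domain.InfrastructureMaster
        }
        if ($domainName -eq $forest.RootDomain) { $roles += $forestRoles }

        # Group role names by the DC that hosts them; every holder is backed up.
        $set = @{}
        foreach ($r in $roles.GetEnumerator()) {
            if (-not $set.ContainsKey($r.Value)) { $set[$r.Value] = @() }
            $set[$r.Value] += $r.Key
        }

        # Top up with non-FSMO DCs until the per-domain minimum is reached.
        $others = Get-ADDomainController -Filter * -Server $domainName |
            Where-Object { -not $set.ContainsKey($_.HostName) } |
            Sort-Object HostName
        foreach ($dc in $others) {
            if ($set.Count -ge $MinimumPerDomain) { break }
            $set[$dc.HostName] = @('redundancy')
        }

        foreach ($entry in $set.GetEnumerator()) {
            [pscustomobject]@{
                Domain = $domainName
                DC     = $entry.Key
                Reason = ($entry.Value -join ', ')
            }
        }
    }
}

Get-DcBackupSet | Format-Table -AutoSize
```

Re-run the script after any FSMO transfer or seizure, since the set of DCs that must be backed up changes with the role holders.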

Check backup integrity.

Every time a backup is completed, check whether it is accurate, complete and unaltered. Methods for performing this integrity check include checksums and hashing algorithms. Only backups that pass their integrity check should be considered reliable for recovery operations.

The check should be performed immediately after the backup is created to ensure accurate results. Therefore, ideally, the process should be automated.

Test your backups regularly.

In addition to running integrity checks, you should regularly test your backups in an isolated environment. Perform a variety of object-level restores as well as disaster recovery. Thorough testing verifies that your backups are good to use, and it also helps ensure that your recovery procedures are solid and the personnel involved know how to perform them. Having a well-documented and detailed disaster recovery plan is essential.

Monitor your backup process.

If a backup does not complete properly or fails its integrity check, the IT team needs to know so they can investigate the issue and ensure that a successful backup is taken. Automated monitoring and alerting will make it easier to implement this important best practice.
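As an added example covering both the integrity check and the monitoring practice above (not code from the original post or from any vendor product), this Windows PowerShell 5.1 script records a SHA-256 manifest of a backup folder as soon as the backup job finishes and later re-verifies the folder against it, writing the result to the Application event log so existing monitoring can alert on failures. The backup path, the event source name and the function names are assumptions; the event source must be registered once with `New-EventLog -LogName Application -Source 'ADBackupCheck'`.

```powershell
# Added example: hash a freshly written backup into a manifest, then verify the
# backup against it before trusting it for recovery. Assumes Windows PowerShell
# 5.1 (Write-EventLog) and an event source registered as shown in the lead-in.
$EventSource = 'ADBackupCheck'   # assumption: registered once with New-EventLog

function New-BackupManifest {
    param([Parameter(Mandatory)][string]$BackupRoot)
    $root = (Resolve-Path -LiteralPath $BackupRoot).Path
    $manifest = Join-Path $root 'manifest.sha256'
    Get-ChildItem -LiteralPath $root -File -Recurse |
        Where-Object { $_.FullName -ne $manifest } |
        ForEach-Object {
            $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256
            # Store paths relative to the root so the manifest survives a copy
            # to another location (keep a second copy of it outside the backup host).
            '{0}  {1}' -f $h.Hash, $_.FullName.Substring($root.Length).TrimStart('\')
        } | Set-Content -LiteralPath $manifest -Encoding ASCII
    return $manifest
}

function Test-BackupManifest {
    param([Parameter(Mandatory)][string]$BackupRoot)
    $root = (Resolve-Path -LiteralPath $BackupRoot).Path
    $manifest = Join-Path $root 'manifest.sha256'
    $problems = @()
    foreach ($line in Get-Content -LiteralPath $manifest) {
        $expected, $rel = $line -split '  ', 2
        $path = Join-Path $root $rel
        if (-not (Test-Path -LiteralPath $path)) { $problems += "missing: $rel"; continue }
        $actual = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($actual -ne $expected) { $problems += "hash mismatch: $rel" }
    }
    if ($problems.Count -eq 0) {
        Write-EventLog -LogName Application -Source $EventSource -EntryType Information `
            -EventId 1000 -Message "Backup verified: $root"
        return $true
    }
    # Error-level event: the monitoring system should page on EventId 1001.
    Write-EventLog -LogName Application -Source $EventSource -EntryType Error `
        -EventId 1001 -Message ("Backup FAILED integrity check: $root`n" + ($problems -join "`n"))
    return $false
}

# Run as the last step of the scheduled task that produced the backup, then
# again before any copy of the backup is used for a restore.
$backup = 'E:\ADBackups\2024-01-01'   # constructed path
New-BackupManifest -BackupRoot $backup | Out-Null
if (-not (Test-BackupManifest -BackupRoot $backup)) { exit 1 }
```

The non-zero exit code lets the task scheduler or backup orchestrator treat a failed check the same way as a failed backup job.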

Storing and protecting backups

Today, ransomware actors often attempt to compromise an organization’s backups along with business data. The goal is to prevent the victim organization from being able to recover from the attack on their own, so that they have no choice but to pay the ransom.

Accordingly, it’s more important than ever to maintain multiple copies of Active Directory backups and rigorously protect them. Microsoft recommends following the 3-2-1 rule: Keep 3 backups of your data on 2 different storage types, and keep at least 1 backup offsite. In addition, at least some of your backups should be air-gapped — that is, not reachable from your computer network. And if at all possible, apply an immutability policy to your backups.

The good news is that organizations now have more backup locations to choose from:

  • On premises — Organizations need to store an Active Directory backup on premises for quick and easy access, especially for object-level restores. Specific storage options include network-attached storage, the machine where the backup solution runs, or a domain controller. This backup needs to be password-protected and encrypted so that even if an adversary gains access to it, they will be unable to misuse the data in it.
  • On-premises secure storage server — The most secure on-prem option is a hardened server that can be accessed only by your recovery product or directly using a physical keyboard and mouse. Because no one is able to remote into it, the risk of unauthorized access by adversaries is practically nil.
  • Off-site physical storage — Traditionally, many organizations put copies of their backups on tapes or hard disks and had a third-party vendor store them in a secure warehouse. This remains a viable option; however, having to physically retrieve media from another site can significantly delay recovery operations.
  • Cloud storage of your choice — Today, organizations are increasingly choosing Microsoft Azure Blob Storage, Amazon Web Services (AWS), or other cloud storage options to store copies of their backups. These providers offer password protection as well as other security controls such as immutability policies. Immutability means that once data is written, it cannot be altered or deleted. That way, you can be confident your backup will be a reliable copy for your recovery needs.
  • Cloud storage from your Active Directory backup solution vendor — Another option is to allow your backup solution vendor to manage copies of your backups in their cloud storage. While some organizations might worry that this strategy means relinquishing too much control, it can actually improve security. After all, when backups are stored in a location you control, you need to provide your vendor with write and read access in order to enable backups to be stored and retrieved, and you are responsible for the security controls involved. Moreover, adversaries know exactly where to look for your backups. In contrast, vendors that offer cloud storage for client backups put robust security controls in place, and adversaries who infiltrate your organization have no way of even knowing where to look for your backups.

Protecting backups from reinfection

Even before the recent explosion of AI, malware campaigns were on the rise. Ransomware-as-a-service options on the dark web began to enable even less technically adept hackers to perform successful attacks. Today, the ready availability of powerful AI tools has put that power into even more hands.

However, there is a common misconception about malware attacks: that hackers slip the malicious software into a victim’s network and deploy it immediately. The reality is quite different. Many attacks today are deliberate and stealthy, with adversaries dwelling inside the network for weeks or even months, moving laterally and elevating their access rights so that when they finally run the malware, it has maximum impact. During that time, they create various scripts and backdoors, modify GPOs and security groups, and so on, all of which can sit unnoticed in your Active Directory.

Throughout this extended dwell time, your backup & recovery solution is dutifully creating AD backups. All of those backups will include that malware, which will be restored along with Active Directory in case of disaster recovery — unless steps are taken to prevent that reinfection.

Accordingly, organizations need to make sure that their Active Directory backup solution uses a solid antivirus tool to scan each backup for malware as part of the verification process. In addition, your recovery solution should enable you to exclude or quarantine any files that you think might be risky from the restoration process. In addition to avoiding malware reinfection, this flexibility helps in cases in which the disaster was caused by a zero-day vulnerability that has now been identified.

Choosing the right vendor

A final trend that organizations need to keep in mind today is the increase in supply chain attacks. In these attacks, adversaries infiltrate a company such as a software vendor or service provider and then use that compromise to gain access to all its customers or business partners. Recent high-profile supply chain attacks include the SolarWinds incident that affected thousands of government agencies and private companies, and the MOVEit breach by the Cl0p ransomware group.

To reduce risk, organizations need to carefully vet their entire supply chain. When it comes to Active Directory backup solution vendors, be sure to consider these two key factors:

  • Security practices — Look for a vendor that has solid security practices, including software development controls, auditing, and regular penetration testing. Check for SOX, ISO, and related certifications, which demonstrate that the organization has proven the quality of its security practices to an independent, expert third party. Favor vendors that use a Zero Trust model that includes an air-gapped build process in a physically separated and physically secured assembly environment.
  • Staffing — It’s also essential to pick a vendor that has ample staff to help in case of an incident that impacts many companies, such as the NotPetya attack or the SolarWinds incident. You want to know that if your Active Directory is down, you will have the expert help you need to get your business back up and running quickly, even if your vendor is getting calls from a dozen other customers who also need assistance.

Conclusion

Having a solid Active Directory backup strategy remains essential for most organizations today, including those with a hybrid Microsoft IT ecosystem. AD backups are vital for the granular recovery of AD objects and attributes that IT teams need to perform frequently, and they provide a critical insurance policy for restoring operations quickly in case of a disaster.

About the Author

Darren Hanlon

Darren Hanlon has 25 years of IT experience in systems administration, design, delivery and support, primarily working on the Microsoft platform. As a Product Manager for Quest, he manages a suite of Microsoft Platform Management products, providing solutions for Disaster Recovery, Management, Security and Governance, focusing on Active Directory, Azure and Office 365.
