Active Directory Backup Methodologies for Your IT Disaster Recovery Plan

Choosing the right Active Directory backup methodology is crucial for a successful disaster recovery plan. There are three primary ways to back up Active Directory:

  • Active Directory backups — Active Directory backups are the cornerstone of recovery at every level of Active Directory recovery, from granular restore of a particular object or attribute that was improperly deleted or modified, to restoring a single domain controller (DC) that suffered corruption, to restoring all DCs in a forest in a true disaster recovery scenario.
  • Bare metal recovery (BMR) backups — Bare metal recovery enables you to restore your Active Directory forest to different hardware instances in case of physical corruption of all domain controllers, domain data or services due to ransomware or other disaster.
  • Azure AD backups  Accidents and malicious activity don’t happen just on-premises. Therefore, in hybrid AD environments, a complete IT disaster recovery plan must include a backup strategy for cloud-only objects and attributes, which are not adequately protected by native Microsoft tools nor covered by any on-premises AD backup solution.

This post explores each of these backup choices in detail and helps you determine which one is right for you in which circumstances. It also explains how Recovery Manager for Active Directory Disaster Recovery Edition gives you the stability, choices and flexibility you need for truly comprehensive IT disaster recovery planning.

Active Directory backups

AD backups are the foundation for Active Directory recovery, whether you need to restore a single object, attribute or DC, or you need full-on disaster recovery of an entire forest. It should be noted that AD backups are not the same as Operating System State backups, which back up the entire operating system, not just the Active Directory pieces and parts.

AD backups involve a variety of components from Active Directory domain controllers, including the NTDS directory, SYSVOL (which contains Group Policies and logon scripts) and aspects of the registry that have to do with Active Directory.

Reliable, automated AD backups

The Quest Recovery Manager for Active Directory portfolio simplifies and automates the process of setting up AD backups. From an easy-to-use wizard, you can specify which domain controllers or AD LDS (ADAM) hosts you want to back up, whether that’s a set of particular DCs or all computers in a specific Active Directory domain or organizational unit. You can also initiate backup creation immediately or configure a backup schedule. It is recommended that you back up your domain controllers on at least a daily basis. In any case, be sure back up all domain controllers each time you make important changes to your environment.

Because AD backups are smaller than BMR backups, they generate less network traffic and can be scanned more quickly for malware. In addition, they do not contain binaries (except for Sysvol files), so they are less likely to contain viruses. Note that Recovery Manager for Active Directory can scan AD backups for malware and viruses.

Flexible recovery options

How can you use AD backups? Recovery Manager gives you flexibility in your disaster recovery plan. You can choose:

  • Where to restore to — You can restore to a clean OS on any machine, whether it’s a physical machine, an on-prem virtual machine or a cloud-hosted VM.
  • Which DCs to restore first — You can restore all DCs in each domain at once, or perform a phased recovery in which you restore one DC in each domain to get a significant part of your business back on its feet quickly, and then promote the other DCs (see my next post on this topic).
  • How to install — You can install using replication (which can take hours or even days), or install from media (IFM) to speed the operation and reduce network traffic. Recovery Manager even offers bulk IFM, which eliminates the time-consuming and error-prone process of typing in command for each install operation.

Bare-metal recovery (BMR) backups

At many organizations, disaster recovery is a team effort. While AD administrators play a critical role, they must rely on other teams that are responsible for the OS, the applications on the server, the network (who give a new DNS address, network connectivity). At some organizations, however, the AD admin has complete authority to back up and restore on their own.

If you have the authority to back up and restore your entire AD server, BMR backups can be a great choice for certain types of disaster recovery. In case of physical corruption of all domain controllers, domain data or services due to ransomware or other causes, you can restore your Active Directory forest to different hardware instances using your BMR backup combined with the standard AD backup.

Automated BMR backup and recovery

Recovery Manager for Active Directory Disaster Recovery Edition automates BMR backup and recovery. The backup process uses Microsoft Windows Server Backup, which is included in your Window Server license. By default, Recovery Manager includes only critical volumes in BMR backups (such as the Active Directory database volume, the SYSVOL volume and the OS volume), but you can choose to also include other volumes, either on all DCs or only some DCs.

Since BMR backups include the OS, they are huge (often 20GB or larger) and cannot be compressed. The best practice is to create BMR backups only once a week to minimize storage requirements.

Using Recovery Manager, in case of critical failures (such as DC hardware failure or malware), you can use your most recent BMR backup and your latest AD backups to quickly restore your entire Active Directory forest to bare machines with no operating system installed.

Azure AD backups

As your organization embraces the cloud, it is critical to understand what is and isn’t covered by your on-prem disaster recovery solution when Active Directory is synced to Azure AD (AAD). Just as there are on-prem-only attributes, there are many cloud-only objects and attributes. For example, every AAD user has an Office 365 license type that determines which Office 365 features the user is entitled to use. If that user object is deleted, you could recover the on-premises AD user object and use Azure AD Connect to sync it back up to AAD — but the license type attribute would be gone, leaving the user unable to work in the cloud until you resolve the problem manually.

If you’re relying on native tools for backup and recovery, here are some of the gotchas to watch out for:

  • Some objects cannot be recovered, such as AAD groups, group membership and hard-deleted users.
  • Only recently deleted objects can be recovered (within last 30 days).
  • Some attributes cannot be recovered, such as MFA settings and conditional access policies.
  • Restore in bulk cannot be done without a PowerShell script.
  • There is no AAD change log or comparison report to help determine what needs to be restored.

Comprehensive Azure AD backups for hybrid restores

Recovery Manager for Active Directory integrates with On Demand Recovery to deliver a complete hybrid backup and recovery solution that gives you peace of mind:

  • Recovery Manager for Active Directory covers the on-premises objects, including anything you sync to the cloud with Azure AD Connect.
  • On Demand Recovery covers the rest, including cloud-only objects and attributes not synced by Azure AD Connect, including MFA settings, conditional access policies, memberships in cloud-only groups and more.

You get seamless integration with comprehensive recovery functionality. From a single dashboard, you can view both hybrid and cloud-only objects, run difference reports to determine exactly what changes or deletions occurred, restore any objects or attributes and more.

Back up Active Directory with a solution that gives you choices, flexibility and stability

As we have seen, Recovery Manager for Active Directory Disaster Recovery Edition gives you choices about which types of backups to make (AD backup and BMR), along with the flexibility you need to choose the best type of recovery for a given disaster scenario. In addition, Recovery Manager offers many other benefits, including the following:

Backup lifecycle management

Recovery Manager can create both AD backups and BMR backups for any Active Directory domain controller on the network on a regular basis without interrupting the operation of the DC. You can organize your DCs into collections and establish both backup frequency and the allowed hours during which the backup process may run. That way, you can configure a backup schedule for each collection based on the frequency of updates to the directory data store.

You can also configure a retention policy for each collection that specifies how many backups are retained. For example, depending on your organization’s requirements, you might retain the five or eight most recent backups. The oldest backups are removed automatically.

Backup storage locations

You can choose where you store your AD backups and BMR backups to improve both performance and security. In particular, you do not have to store all AD backups in a single repository; you can use several repositories, perhaps based on site topology, to make your deployment more WAN-friendly. You can air gap your backups and build a hardened storage server that is protected by two agents, making it a virtual Fort Knox.

Backup encryption

In addition to restricting access to backups, Recovery Manager can also encrypt them. Specifically, the password you specify is used to generate a passphrase with which the backup is encrypted. The password cannot be used directly to unlock the backup container vhd(x) file. Backups are encrypted with AES-256 encryption. Specifically, for AD backups, Recovery Manager uses Microsoft Enhanced RSA and AES Cryptographic Provider, while for BMR backups, it uses a virtual hard disk encrypted with BitLocker Drive Encryption as a container for the backup.

Malware detection

Recovery Manager for Active Directory Disaster Recovery Edition uses Windows Defender Antivirus to scan BMR backups for malware as a part of the verification process.

Flexible choices

AD recovery isn’t a one-size-fits-all proposition. You need a solution that respects your particular priorities, including which data and applications are most critical, as well as the unique conditions of a given disaster scenario, such as which data centers or regions are impacted and how much damage was done. Recovery Manager delivers that flexibility.

About the Author

Jennifer LuPiba

Jennifer LuPiba is the Chair of the Quest Software Customer Advisory Board, engaging with and capturing the voice of the customer in such areas as cybersecurity, disaster recovery, management and the impact of mergers and acquisitions on Microsoft 365, Azure Active Directory and on-premises Active Directory. She also writes thought leadership articles and blogs aimed at the c-suite to evangelize the importance of these areas to their overall business. She chairs The Experts Conference, a yearly event focused on pure Active Directory and Office 365 training at the 300 and 400 level for the boots-on-the-ground Microsoft admins and managers.

Related Articles