Yes, having port 8403 opened for Commvault is enough to start making backups. I would make sure this is arranged so you have possibilities once the current site goes down. Now there is one thing to keep in mind: even though you would expect the AD agent to deliver recovery capabilities when your AD server is gone, this actually is not the case. You indeed have to make sure that you create system state backups of your AD controller(s) to make sure you can perform a full system/AD recovery. I filed a CMR for it a few years ago to make this more logical but I don't think this has been picked up in the meantime already.
One thing to take into account are the FSMO roles. Yes, they can be seized but it is handy to record which server runs which role.
Thanks for your feedback @Onno van den Berg.
If I only back up one Active Directory, what are the potential consequences of doing so in a replication setup?
The FSMO roles can be seized, but what do you mean? Another question: by "AD server cannot provide recovery capability," what do you mean?
What Onno is telling you by "AD server cannot provide recovery capability," is that the EDB file needed for DR recovery of the domain is part of the file system backup with system state. Not the AD agent backup, this is only for object restore in a working AD.
Regarding FSMO, an Active Directory server has certain roles which it is responsible for in the domain; if multiple domain controllers exist in the domain, not all roles will be assigned to all servers. So best to make a file system and system state backup on a domain controller which has the FSMO roles assigned so the domain will run directly after the restore. If you pick another domain controller without FSMO then you will need to assign/seize the roles to the restored domain controller post restore:
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/transfer-or-seize-fsmo-roles-in-ad-ds
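Recording which domain controller holds each FSMO role, and checking that those holders have a system state backup, can be scripted. The following is an added example, not part of the original posts or of Commvault's tooling; the host names in `$ProtectedDCs` and the output path are placeholders you would replace.

```powershell
# Added example: inventory the five FSMO role holders and flag any holder that is
# not on the list of domain controllers with a file system + system state backup.
# Requires the ActiveDirectory module (RSAT). Covers the forest and the current
# domain only; in a multi-domain forest, repeat Get-ADDomain per domain.
Import-Module ActiveDirectory

# Assumption: this list is maintained by hand or exported from your backup tool.
# The names below are placeholders, not values from the thread.
$ProtectedDCs = @('dc01.example.local', 'dc02.example.local')

# Placeholder path; keep the record somewhere that survives loss of the DCs.
$OutFile = Join-Path $env:USERPROFILE 'fsmo-roles.csv'

$forest = Get-ADForest
$domain = Get-ADDomain

# Two forest-wide roles and three domain-wide roles.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

$report = foreach ($role in $roles.GetEnumerator()) {
    [pscustomobject]@{
        RecordedAt          = (Get-Date).ToString('s')
        Role                = $role.Key
        Holder              = $role.Value
        # -contains is case-insensitive, so host name casing does not matter.
        SystemStateBackedUp = $ProtectedDCs -contains $role.Value
    }
}

# Append so the file becomes a history of role placement over time.
$report | Export-Csv -Path $OutFile -NoTypeInformation -Append

# Role holders without a system state backup would need roles seized after a restore.
$report | Where-Object { -not $_.SystemStateBackedUp } | ForEach-Object {
    Write-Warning "$($_.Role) is held by $($_.Holder), which has no system state backup listed."
}

$report | Format-Table -AutoSize
```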
Thanks for the additions @Jos Meijer!
...AD backup is somehow easy. But AD recovery is very touchy, and that’s the problem.
If you need granular AD restore you can use AD Agent.
If you have a disaster and your AD is fully down, then to recover your AD you need to restore it. That’s where you need to recover from a Full VM backup or Filesystem backup if it’s physical.
I pray I would never have to recover an entire AD. And most of the time we only use Microsoft tools to recover objects of AD from Windows backups.
Yes, recovering an AD from a FS-based agent backup is cumbersome. A customer of ours recently tried it and ran into a few issues, and one of them is that there is no support for it from Command Center. Their workaround was to leverage NT backup to dump it to a file and then pick it up via Commvault. Sure, it requires a 2-step approach but it seemed more reliable to do it like this, which is of course not what I would like to see…..
For granular AD recovery I would personally rely more on the AD recycle bin. In addition the AD agent does not cover everything; I filed a CMR months/years ago to add for example custom attributes and GPOs as part of the AD agent. In addition I still find it odd that the installation/configuration and monitoring of the AD agent is not being stretched to the FS / System state backup. We have had customers who thought they were in good shape by only installing the AD agent and who couldn't recover their AD…
I totally agree with you @Onno van den Berg!
Reliability is the key when you need to restore, and when it comes to AD, then it’s honestly not Commvault that would be the key to your recovery, but just part of the whole thing. Microsoft does not support any third party tool, so for sure Ntbackup/WindowsImageBackup is really the recovery point. Then as you explained, pick it from VSA or FS agent, but pick it.
And I have the same opinion for the recycle bin. My AD administrator looked at what Commvault could restore (just having a browse and restore session from an AD agent backup), and found it quite poor and not granular enough. So, I would +1 on your CMR!
Thanks for all your helpful feedback. I might even try to include the NT backup along with the Commvault backups, as you suggested (will do some research on that). @Onno van den Berg do you have the CMR number so I can also send it to our Commvault account managers to see if it can be added to the next release?