Solved

Active Directory Backup

  • 10 May 2022
  • 8 replies
  • 1790 views

Badge +2

Hello,

We have two domain controllers in our infrastructure, which are located in two separate datacenters linked by dark fibre, and Active Directory replication is enabled between them.
Currently, Commvault only protects one domain controller, which is backed up via iDA, and does not protect the second DC.
I also discovered that Commvault has no access to the second site, implying that the firewalls are preventing access.

My question is, what is the best way to back up Active Directory with replication enabled so that you can recover completely if one of your domain controllers fails?
What ports are suggested for communication between Commvault and the two domain controllers (is just 8403 enough)?
Is a system state backup required in this case?


Could you please provide your valuable input on this?
I'd appreciate it if you could be more specific with the details, as I am a newbie to AD.

Thanks in advance...

Regards,

Aarav

Best answer by Onno van den Berg 10 May 2022, 17:22

8 replies

Userlevel 7
Badge +19

Yes, having port 8403 open for Commvault is enough to start making backups. I would make sure this is arranged so you have possibilities once the current site goes down. Now there is one thing to keep in mind: even though you would expect the AD agent to deliver recovery capabilities when your AD server is gone, this actually is not the case. You indeed have to make sure that you create system state backups of your AD controller(s) to make sure you can perform a full system/AD recovery. I filed a CMR for it a few years ago to make this more logical, but I don't think this has been picked up in the meantime.

One thing to take into account is the FSMO roles. Yes, they can be seized, but it is handy to record which server runs which role.

Badge +2

Thanks for your feedback @Onno van den Berg .

If I only back up one domain controller, what are the potential consequences of doing so in a replication setup?

The FSMO roles can be seized, but what do you mean? Another question: by "AD server cannot provide recovery capability," what do you mean?

Userlevel 7
Badge +17

What Onno is telling you by "AD server cannot provide recovery capability" is that the EDB file needed for DR recovery of the domain is part of the file system backup with system state, not the AD agent backup, which is only for object restore in a working AD.

Regarding FSMO, an Active Directory server has certain roles which it is responsible for in the domain; if multiple domain controllers exist in the domain, not all roles will be assigned to all servers. So it is best to make a file system and system state backup on a domain controller which has the FSMO roles assigned, so the domain will run directly after the restore. If you pick another domain controller without FSMO, then you will need to assign/seize the roles to the restored domain controller post restore:

https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/transfer-or-seize-fsmo-roles-in-ad-ds
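To make the two practical points from these replies concrete (record which DC holds which FSMO role, and check that Commvault can actually reach both DCs on 8403, as asked in the question), here is an added PowerShell inventory script. It is not from the thread, from Commvault or from the Microsoft article linked above; it assumes the RSAT ActiveDirectory module on the host it runs from, that TCP 8403 is the only port worth testing, and the UNC path for the saved record is a placeholder. The commented transfer/seize lines at the end use the standard Move-ADDirectoryServerOperationMasterRole cmdlet the linked article describes.

```powershell
# Added example, not from the thread or from Commvault.
# Run on the host Commvault backs up from (CommServe or MediaAgent) with the RSAT
# ActiveDirectory module installed; Test-NetConnection needs Windows 8.1 / 2012 R2 or later.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# 1. Record which DC holds which FSMO role. Keep this record outside the DCs: you need it
#    to decide which controller to restore first and which roles to seize afterwards.
$fsmo = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$fsmo.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }

# 2. For every DC, test whether TCP 8403 (the Commvault port discussed above) is open
#    from here. "False" on the second-site DC is the firewall problem the question describes.
$port = 8403
$report = Get-ADDomainController -Filter * | ForEach-Object {
    [pscustomobject]@{
        DC       = $_.HostName
        Site     = $_.Site
        Roles    = ($_.OperationMasterRoles -join ',')
        Port8403 = Test-NetConnection -ComputerName $_.HostName -Port $port `
                       -InformationLevel Quiet -WarningAction SilentlyContinue
    }
}
$report | Format-Table -AutoSize

# 3. Persist the record somewhere a DC outage does not take down with it (placeholder path).
$report | Export-Csv -Path '\\fileserver\backup-docs\dc-inventory.csv' -NoTypeInformation

# 4. Moving roles after a restore: transfer while the old holder is still alive; add -Force
#    to seize when it is gone. After a seize, never bring the old holder back online without
#    demoting it or cleaning up its metadata, or two servers will claim the same role.
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
#     -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
#     -OperationMasterRole SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster -Force
```

Run it before you change the firewall and again after: the Port8403 column is the quickest evidence that the second DC is now backup-capable, and the CSV is the role map Onno suggests keeping.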

Userlevel 7
Badge +19

Thanks for the additions @Jos Meijer

Userlevel 6
Badge +15

...AD backup is somehow easy. But AD recovery is very touchy, and that’s the problem.

If you need granular AD restore you can use AD Agent.

If you have a disaster and your AD is fully down, then to recover your AD you need to restore it. That's where you need to recover from a full VM backup, or a file system backup if it's physical.

I pray I would never have to recover an entire AD. And most of the times we only use Microsoft tools to recover objects of AD from Windows backups.

Userlevel 7
Badge +19

Yes, recovering an AD from a FS-based agent backup is cumbersome. A customer of ours recently tried it and ran into a few issues, and one of them is that there is no support for it from Command Center. Their workaround was to leverage NT backup to dump it to a file and then pick it up via Commvault. Sure, it requires a 2-step approach, but it seemed more reliable to do it like this, which is of course not what I would like to see...

For granular AD recovery I would personally rely more on the AD recycle bin. In addition, the AD agent does not cover everything; I filed a CMR months/years ago to add, for example, custom attributes and GPOs as part of the AD agent. In addition, I still find it odd that the installation/configuration and monitoring of the AD agent is not being stretched to the FS / system state backup. We have had customers who thought they were in good shape by only installing the AD agent and who couldn't recover their AD...

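The two-step workaround described in the reply above (dump the system state with Windows' own backup tool, then let Commvault carry the resulting file off-site) looks like this on the domain controller. This is an added example, not the customer's script and not anything shipped by Commvault; it assumes a spare local volume E: on the DC, because wbadmin requires a drive letter as the target for a system state backup, and that the Commvault file-system subclient on that DC includes E:\WindowsImageBackup.

```powershell
# Added example, not from the thread or from Commvault. Run elevated on the domain controller.
# Assumptions: E: is a local, non-system volume kept for this purpose, and the Commvault
# file-system subclient on this DC includes E:\WindowsImageBackup.
Install-WindowsFeature Windows-Server-Backup -IncludeManagementTools | Out-Null

$target = 'E:'

# The NTDS VSS writer must be present and stable, otherwise the system state backup fails
# or runs without a consistent copy of the directory database.
$writers = (vssadmin list writers | Out-String) -split 'Writer name:'
$ntds = $writers | Where-Object { $_ -match "^\s*'NTDS'" }
if (-not $ntds -or $ntds -notmatch 'State: \[\d+\] Stable') {
    throw 'NTDS VSS writer missing or not stable; fix that before backing up'
}

# Option A: one-shot system state backup with wbadmin (registry, SYSVOL, NTDS.dit, boot files).
wbadmin start systemstatebackup -backupTarget:$target -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin failed, exit code $LASTEXITCODE" }

# Option B: the same as a reusable Windows Server Backup policy.
$policy = New-WBPolicy
Add-WBSystemState -Policy $policy
Add-WBBackupTarget -Policy $policy -Target (New-WBBackupTarget -VolumePath $target)
# Copy backup leaves the VSS writers' backup history alone, so this extra dump does not
# disturb the incremental chain of the Commvault job running on the same server.
Set-WBVssBackupOptions -Policy $policy -VssCopyBackup
Start-WBBackup -Policy $policy -Force

# Verify there is a fresh backup set before Commvault's FS job is scheduled to run;
# an empty or stale E:\WindowsImageBackup is exactly the "thought we were covered" failure.
$latest = Get-WBBackupSet -BackupTarget (New-WBBackupTarget -VolumePath $target) |
    Sort-Object BackupTime -Descending | Select-Object -First 1
if (-not $latest -or $latest.BackupTime -lt (Get-Date).AddHours(-24)) {
    throw "No system state backup on $target newer than 24 hours"
}
"Latest system state backup: $($latest.BackupTime) on $($latest.BackupTarget)"

# Restoring it means booting the DC into Directory Services Restore Mode and running
#   wbadmin start systemstaterecovery -version:<version id> -backupTarget:E:
# so the DSRM administrator password must be known; check it before you need it.
```

Schedule this to finish shortly before the Commvault file-system job on the DC, so what Commvault stores is always the newest WindowsImageBackup folder; the freshness check at the end is what turns a silently failing dump into a failed task you get alerted on.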
Userlevel 6
Badge +15

I totally agree with you @Onno van den Berg !

Reliability is the key when you need to restore, and when it comes to AD, then it's honestly not Commvault that would be the key to your recovery, but just part of the whole thing. Microsoft does not support any third-party tool, so for sure NTBackup/WindowsImageBackup is really the recovery point. Then, as you explained, pick it up from VSA or FS agent, but pick it up.

And I have the same opinion for the recycle bin. My AD administrator looked at what Commvault could restore (just having a browse and restore session from an AD agent backup), and found it quite poor and not granular enough. So, I would +1 on your CMR !

Badge +2

Thanks for all your helpful feedback. I might even try to include the NT backup along with the Commvault backups, as you suggested (I will do some research on that). @Onno van den Berg, do you have the CMR number so I can also send it to our Commvault account managers to see if it can be added to the next release?