Solved

Backup and Restore Domain Controller and Active Directory?

  • 19 September 2023
  • 4 replies
  • 1428 views


Hi Team,

In our environment we have multiple DCs and we are using the Commvault idata agent to back them up.

I need to understand the correct approach for restoring a DC with AD using our current backup methods in the event of AD being unavailable.

Do I need to introduce any new method to back up and restore a DC with AD?

 

Regards,

Rahul Raina


4 replies

Damian Andre
  • Vaulter
  • 1235 replies
  • Answer
  • September 21, 2023

For full AD coverage, you need to back up at least one domain controller with a file system backup, with system state enabled. This will allow you to do an authoritative AD restore (i.e. overwrite the entire AD database and schema with the one from the backup), or restore an individual DC. You can restore individual objects from this backup, but it requires a lot of manual steps and effort.

If you want to restore granular objects, like a deleted user or deleted group, then make sure you have a backup with the Active Directory agent. Note that the Active Directory agent is only for granular recoveries; you cannot restore an entire domain with it.

So use both agents for the best coverage and ease of restore.

If you are doing VSA backups of a domain controller, you can enable appaware to back up AD using this method too: https://documentation.commvault.com/2023e/expert/14246_requirements_for_application_aware_backups.html


  • Author
  • Byte
  • 38 replies
  • October 5, 2023

@Damian Andre :- Please let me know what permission is required for the service account to back up AD.


Onno van den Berg
Commvault Certified Expert

@Rahul18081 That is well documented…..

To perform Active Directory agent installation, administrator privileges are required. The user must be a member of the Domain Administrator Group.

  • Backup and restore operations require the following permissions:

    • The backup user must be a part of the domain user. By default, the Normal domain user has Read permissions in the Active Directory domain. However, DNS Zones are not backed up using that account.

    • User performing restore operations must at the minimum have Read, Change and Create Child Objects permissions. By default, the user in Domain Admins group, or Enterprise Admins group, or the Administrators group have all the required permissions. For more information about user permissions, see Active Directory User Permissions.

https://documentation.commvault.com/2023e/expert/14404_configuration_active_directory_idataagent.html
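
The permission requirements quoted in the reply above can be checked against a service account's actual group memberships. The following PowerShell is an added example, not part of the original thread and not Commvault code; the function name, account names and domain SID are hypothetical placeholders, and it covers only the Active Directory agent permissions quoted above.

```powershell
# Added example (not Commvault code). Account names and the domain SID are
# constructed placeholders; group checks use well-known SIDs/RIDs.
$PrivilegedRids = @{ '512' = 'Domain Admins'; '518' = 'Schema Admins'; '519' = 'Enterprise Admins' }
$BuiltinAdmins  = 'S-1-5-32-544'   # BUILTIN\Administrators

function Test-AdAgentAccountRole {
    param(
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][ValidateSet('Backup', 'Restore')][string]$Role,
        [Parameter(Mandatory)][string[]]$GroupSids
    )
    # Collect any admin-level groups the account belongs to.
    $privileged = @(foreach ($sid in $GroupSids) {
        $rid = $sid.Split('-')[-1]
        if ($sid -eq $BuiltinAdmins) { 'Administrators' }
        elseif ($sid -like 'S-1-5-21-*' -and $PrivilegedRids.ContainsKey($rid)) { $PrivilegedRids[$rid] }
    })
    $isDomainUser = [bool]($GroupSids -like 'S-1-5-21-*-513')   # Domain Users
    $finding = switch ($Role) {
        'Backup' {
            if ($privileged.Count) { 'Holds admin group(s); domain-user Read suffices for backup (except DNS zones)' }
            elseif (-not $isDomainUser) { 'Not a domain user: default Read access cannot be assumed' }
            else { 'OK (DNS zones are not backed up with a plain domain user)' }
        }
        'Restore' {
            if ($privileged.Count) { 'OK via admin group membership' }
            else { 'Needs delegated Read, Change and Create Child Objects' }
        }
    }
    [pscustomobject]@{
        Account = $Account; Role = $Role
        AdminGroups = $privileged -join ', '; Finding = $finding
    }
}

# Constructed sample data (placeholder domain SID), so this runs without a DC.
$dom = 'S-1-5-21-1111111111-2222222222-3333333333'
Test-AdAgentAccountRole -Account 'svc-backup'   -Role Backup  -GroupSids "${dom}-513"
Test-AdAgentAccountRole -Account 'svc-backup2'  -Role Backup  -GroupSids "${dom}-513", "${dom}-512"
Test-AdAgentAccountRole -Account 'svc-restore'  -Role Restore -GroupSids "${dom}-513"

# Against a live domain (ActiveDirectory module; direct memberships only):
# $sids = (Get-ADPrincipalGroupMembership -Identity 'svc-backup').SID.Value
# Test-AdAgentAccountRole -Account 'svc-backup' -Role Backup -GroupSids $sids
```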


  • Author
  • Byte
  • 38 replies
  • October 5, 2023

@Damian Andre :- Andre, clicking on the below highlighted link doesn’t show any permission required for the service account for AD backup and restore. It directs us to the Preinstallation Checklist for the Active Directory Agent on Windows.

Please confirm if the below is sufficient for AD backup and restore:

 

To perform Active Directory agent installation, administrator privileges are required. The user must be a member of the Domain Administrator Group.

The administrator should have Schema Admin permissions and Domain Administrator Group permissions.

  • Backup and restore operations require the following permissions:
    • The backup user must be a part of the domain user. By default, the Normal domain user has Read permissions in the Active Directory domain. However, DNS Zones are not backed up using that account.
    • User performing restore operations must at the minimum have Read, Change and Create Child Objects permissions. By default, the user in Domain Admins group, or Enterprise Admins group, or the Administrators group have all the required permissions. For more information about user permissions

 

 

