Solved

Backup and Restore Domain Controller and Active Directory?

  • 19 September 2023

Hi Team,

In our environment we have multiple DCs and we are using Commvault idata agent to back them up.

I need to understand the correct approach for restoring a DC with AD using our current backup methods in the event of AD being unavailable.

Do I need to introduce any new method to back up and restore a DC with AD?

 

Regards,

Rahul Raina


Best answer by Damian Andre 21 September 2023, 03:37


4 replies


For full AD coverage, you need to back up at least one domain controller with a file system backup, with system state enabled. This will allow you to do an authoritative AD restore (i.e., overwrite the entire AD database and schema with the one from the backup). Or restore an individual DC. You can restore individual objects from this backup but it requires a lot of manual steps and effort.

If you want to restore granular objects, like a deleted user or deleted group, then make sure you have a backup with the Active Directory agent. Note that the Active Directory agent is only for granular recoveries; you cannot restore an entire domain with it.

So use both agents for the best coverage and ease of restore.

If you are doing VSA backups of a domain controller you can enable appaware to back up AD using this method too: https://documentation.commvault.com/2023e/expert/14246_requirements_for_application_aware_backups.html


@Damian Andre :- Please let me know what permission is required for the service account to back up AD.


@Rahul18081 That is well documented...

To perform Active Directory agent installation, administrator privileges are required. The user must be a member of the Domain Administrator Group.

  • Backup and restore operations require the following permissions:

    • The backup user must be a part of the domain user. By default, the Normal domain user has Read permissions in the Active Directory domain. However, DNS Zones are not backed up using that account.

    • User performing restore operations must at the minimum have Read, Change and Create Child Objects permissions. By default, the user in Domain Admins group, or Enterprise Admins group, or the Administrators group have all the required permissions. For more information about user permissions, see Active Directory User Permissions.

https://documentation.commvault.com/2023e/expert/14404_configuration_active_directory_idataagent.html


@Damian Andre :- Andre, clicking on the below highlighted link doesn’t show any permission for service account required for AD backup and restore. It directs us to Preinstallation Checklist for the Active Directory Agent on Windows.

Please confirm if below is sufficient for AD Backup and Restore 

 

To perform Active Directory agent installation, administrator privileges are required. The user must be a member of the Domain Administrator Group.

The administrator should have Schema Admin permissions and Domain Administrator Group permissions.

  • Backup and restore operations require the following permissions:
    • The backup user must be a part of the domain user. By default, the Normal domain user has Read permissions in the Active Directory domain. However, DNS Zones are not backed up using that account.
    • User performing restore operations must at the minimum have Read, Change and Create Child Objects permissions. By default, the user in Domain Admins group, or Enterprise Admins group, or the Administrators group have all the required permissions. For more information about user permissions

 

 
