Can You Recover Active Directory from a Disaster


We all know that disasters happen and that they range from the loss of an entire data center to the accidental deletion of a single file. Data loss is an all too common experience for administrators and end users. Active Directory is at the heart of your IT infrastructure: it authenticates users and controls their access to network and computer resources. Without a successful recovery of Active Directory, the business's ability to use its IT infrastructure will cease, and there is a high potential for significant losses.

Recovering from a disaster requires a combination of technical know-how, a good backup, and effective disaster recovery procedures. In this article we look at the unique challenges of backing up and recovering Active Directory.

Four characteristics of a good backup

  1. The first consideration in any backup and recovery scenario is whether you have a good backup. A good backup has four key characteristics. The first is that it has to be recent. Most organizations back up Active Directory daily, and some more often. Schedule an automatic backup of Active Directory at least once a day, and never let the newest backup become older than the forest's tombstone lifetime: a domain controller cannot be restored from a backup that old.
  2. It needs to be accessible; in other words, the backup needs to be available onsite. It is not uncommon for organizations to keep their system backups at a different location, either to protect against a natural disaster that makes the entire building non-operational, or for security reasons. The problem with remote locations is that it can take several hours to retrieve the backup. If retrieval takes too long you may be tempted to use a less suitable way to recover Active Directory, which may compound the problem. If you do move your backups to a remote site, keep the past week's backups onsite as well.
  3. You need to be confident of the integrity of the backup. One of the most common problems is that administrators go to perform a recovery and the backup is either not there or is corrupted. Do not simply trust that the backup tool is creating a usable backup. Test the backup procedures and the supporting tools regularly, ideally by restoring into an isolated lab, to verify that you can indeed perform a full recovery.
  4. It is imperative that you troubleshoot the failure and find its cause before you perform any recovery. Troubleshooting tells you whether the backup contains the same problem that caused the failure. If the latest backup has the same problem, restoring from it will not help and you need another solution, such as an older backup or a targeted object restore.
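The first three characteristics can be checked automatically before anyone has to rely on them. The following script is an added example, not code from the original article: it reads the Windows Server Backup summary on a domain controller and flags a backup that is too old, unreachable, failed, or missing the system state. It assumes the Windows Server Backup cmdlets (the WindowsServerBackup module on Windows Server 2012 and later, the Windows.ServerBackup snap-in on 2008 R2) and the ActiveDirectory module are available; the 26-hour limit is an assumed policy value, while the tombstone lifetime is read from the forest.

```powershell
# Added example, not from the original article: check the "good backup"
# characteristics on a domain controller.  $MaxBackupAgeHours is an assumed
# policy value; everything else is read from the server and the forest.
$MaxBackupAgeHours = 26    # assumption: one daily backup plus two hours of slack

if (Get-Module -ListAvailable -Name WindowsServerBackup) {
    Import-Module WindowsServerBackup        # Windows Server 2012 and later
} else {
    Add-PSSnapin Windows.ServerBackup        # Windows Server 2008 R2
}
Import-Module ActiveDirectory

$problems = @()
$summary  = Get-WBSummary

# 1. Recent: the newest successful backup must be younger than our policy,
#    and in any case younger than the tombstone lifetime, because a domain
#    controller cannot be restored from a backup older than that.
if ($summary.NumberOfVersions -eq 0) {
    $problems += 'No backup versions are recorded on this server.'
} else {
    $ageHours = ((Get-Date) - $summary.LastSuccessfulBackupTime).TotalHours
    if ($ageHours -gt $MaxBackupAgeHours) {
        $problems += ('Newest successful backup is {0:N1} hours old (limit {1}).' -f $ageHours, $MaxBackupAgeHours)
    }
    $dsPath = 'CN=Directory Service,CN=Windows NT,CN=Services,' + (Get-ADRootDSE).configurationNamingContext
    $tsl = (Get-ADObject -Identity $dsPath -Properties tombstoneLifetime).tombstoneLifetime
    if (-not $tsl) { $tsl = 60 }   # attribute absent: forest predates 2003 SP1, where the default is 60 days
    if (($ageHours / 24) -ge $tsl) {
        $problems += "Newest backup is older than the tombstone lifetime ($tsl days) and cannot be used to restore AD."
    }
}

# 2. Accessible: can this server still reach the target the last backup went to?
#    Only UNC paths and drive letters are tested; dedicated-disk targets show up
#    as \\?\Volume{...} paths that Test-Path cannot evaluate.
$targetPath = $summary.LastSuccessfulBackupTargetPath
if ($targetPath -and $targetPath -match '^(\\\\[^?]|[A-Za-z]:)' -and -not (Test-Path -LiteralPath $targetPath)) {
    $problems += "Backup target '$targetPath' is not reachable from this server."
}

# 3. Integrity: the last run must have succeeded, and the newest backup set
#    must actually contain the system state, which is where Active Directory lives.
if ($summary.LastBackupResultHR -ne 0) {
    $problems += ('Last backup ended with HRESULT 0x{0:X8}: {1}' -f $summary.LastBackupResultHR, $summary.DetailedMessage)
}
$latest = Get-WBBackupSet | Sort-Object BackupTime -Descending | Select-Object -First 1
if (-not $latest) {
    $problems += 'No backup sets are visible on the backup target.'
} elseif ("$($latest.RecoverableItems)" -notmatch 'SystemState') {
    $problems += "Newest backup set ($($latest.BackupTime)) does not contain the system state."
}

# 4. Troubleshoot first: a script cannot diagnose the failure for you; this one
#    only tells you whether the backup you have is worth restoring from.
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
"Newest backup from $($summary.LastSuccessfulBackupTime) passes the recency, accessibility and content checks."
```

Run it from a scheduled task that raises an alert on a non-zero exit code; a check that nobody looks at is no better than an untested backup.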

How to back up your Active Directory

Active Directory relies on several components that are shared with other roles on the Windows server, for example SYSVOL. Failure of these shared components therefore affects not only Active Directory but other roles as well, which makes backup and recovery of Active Directory significantly more complex. You can back up Active Directory with either the Windows Server Backup feature or a third-party backup tool. Windows Server Backup is not installed by default. To install it, open Server Manager, select Features, and check the Windows Server Backup box as shown in Figure 1. The wizard then installs the backup feature, including the wbadmin command-line tool.

Figure 1 Installing the Windows server backup features.

Windows Server Backup allows you to create a manual backup or to schedule automatic backups. A backup of a domain controller contains the entire directory, including every account's password hash, so to prevent the theft of this data you should restrict both the ability to run backups and the ability to read the backup files to a few trusted administrators (members of Backup Operators can back up and restore any file regardless of its permissions, so treat that group as privileged). Backups are generally scheduled daily, although administrators may need to run a manual backup when testing the backup procedures, performing routine maintenance or upgrades, or before making any significant change to Active Directory.

To create a backup, open Windows Server Backup and select Backup Once for a manual backup, or Backup Schedule for a backup that runs at a regular interval. This starts the backup wizard, which steps you through configuring the backup.

One of the key configuration options is whether to back up the full server, specific volumes, or the system state. You could, for example, schedule a full server backup once a week and a backup of the critical volumes daily. If you select Full server, the entire server is backed up, including all server data, applications, and the system state. Because a full server backup includes the operating system, it enables a bare metal recovery. If you select Custom, you can choose to back up critical volumes and/or the system state. Figure 2 shows the screen where you select specific volumes to back up.

Figure 2 Selecting critical volumes for backup.

Windows Server Backup captures critical volumes in their entirety; in other words, you cannot use a volume backup to back up or recover individual objects, folders or files. Note that the critical volumes include volumes shared between different roles, including Active Directory: the volume that holds the Active Directory database (ntds.dit), the volume that holds the Active Directory log files, and the volume that holds SYSVOL. The system state includes the critical files used by the operating system, the registry, the Active Directory Certificate Services database if that role is installed, and the Active Directory Domain Services database.

Another key configuration option is where to store the backup. You can back up to a dedicated hard disk, a volume on a disk, or shared storage. Figure 3 shows a backup being scheduled to a shared folder. For cost reasons many organizations do not dedicate a disk to backups. If you store your backups on a disk volume or on shared storage, test that the performance is acceptable for the time in which a recovery would have to complete, and be aware that a shared folder holds only the most recent backup, because each scheduled backup overwrites the previous one. It is also critically important to remember that an Active Directory backup contains confidential information, including every account's password hash. Store backups in a secure environment, restrict the share and folder permissions to the backup account and a few trusted administrators, and treat the backup media with the same care as the domain controller itself.

Figure 3 Backing up to a shared folder.
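The same schedule can be created from PowerShell, which leaves a reviewable record of exactly what is backed up, where, and under which account. The script below is an added example and not code from the original article; it assumes the Windows Server Backup cmdlets (the Windows.ServerBackup snap-in on 2008 R2 or the WindowsServerBackup module later), and the share name, account and run time are assumptions.

```powershell
# Added example, not from the original article: script the daily scheduled
# backup of a domain controller to a locked-down network share.
Add-PSSnapin  Windows.ServerBackup   -ErrorAction SilentlyContinue   # Windows Server 2008 R2
Import-Module WindowsServerBackup    -ErrorAction SilentlyContinue   # Windows Server 2012 and later

$target   = '\\backupsrv.corp.example\DCbackups$'   # assumed hidden share, NTFS permissions limited to the backup account
$runAt    = '21:00'                                 # assumed daily run time
$cred     = Get-Credential -Message 'Account with write access to the backup share'

$policy = New-WBPolicy

# What: the system state is what Active Directory actually needs (ntds.dit,
# its logs, SYSVOL, registry and boot files); bare metal recovery adds the
# critical volumes so the same backup can rebuild the whole server.
Add-WBSystemState       -Policy $policy
Add-WBBareMetalRecovery -Policy $policy

# Where: a network share.  -NonInheritAcl stops the backup folder inheriting
# the share's permissions, leaving access to the supplied account and
# administrators only, which matters because the folder will hold a copy of
# every password hash in the domain.
$backupTarget = New-WBBackupTarget -NetworkPath $target -Credential $cred -NonInheritAcl
Add-WBBackupTarget -Policy $policy -Target $backupTarget

# When: once a day.  A VSS full backup also updates the backup history of the
# files, so other backup products do not treat them as never backed up.
Set-WBSchedule         -Policy $policy -Schedule ([datetime]$runAt)
Set-WBVssBackupOptions -Policy $policy -VssFullBackup

Set-WBPolicy -Policy $policy -Force

# Show what was actually registered so it can be compared with the written plan.
Get-WBPolicy | Format-List Schedule, SystemState, BMR, VolumesToBackup, BackupTargets
```

A server holds one scheduled policy at a time, so the weekly full server backup mentioned above would be a second, manual or separately scheduled job (for example `wbadmin start backup` from a scheduled task). Remember the network-share limitation: the share keeps only the newest backup, so copy each night's backup folder elsewhere if you want the week of onsite history recommended earlier.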

There are also third-party backup tools, many with additional features that may be essential in your operational environment: for example, monitoring the success or failure of backups from a central management console, backing up and recovering individual folders or files, or receiving e-mail and text alerts when a backup fails.

Recovering your Active Directory

Most organizations' disaster recovery procedures include three key steps: damage assessment and notification of key administrators, followed by root cause analysis and identification of the recovery procedure, and finally restoration. The root cause analysis is critical because it determines the right course of action both to recover and to prevent the problem from recurring once Active Directory is back. For example, to recover from a failed hard disk you would probably restore the entire system from your full server backup, whereas for a single deleted user you would not.

Windows Server Backup includes a recovery wizard that allows you to do a full server recovery, or to recover specific volumes or the system state; the same operations are available from the command line with wbadmin, which is what you will use in Directory Services Restore Mode. It is really important to troubleshoot and find the root cause before you decide on any recovery action, because taking the wrong action can compound the problem and make the recovery longer and more complex. The different disaster scenarios and their recovery procedures should be documented in your disaster recovery plan. Key considerations include how to recover when you have multiple domain controllers in your network, and when to recover from the volume and system state backups rather than from the full server backup.

If you have more than one domain controller, the Active Directory database is replicated between them, and you have to decide whether a restore is non-authoritative or authoritative. A non-authoritative restore (the default) simply puts the domain controller back to the state in the backup; when it comes back online, its replication partners send it every change made since the backup, so anything deleted after the backup stays deleted. An authoritative restore is used when you want the restored data to win: after the non-authoritative restore, and while the domain controller is still in Directory Services Restore Mode, you use ntdsutil to mark the objects or subtree you want back as authoritative. This raises their version numbers so that, when the controller comes back online, those objects replicate out to all the other domain controllers. Mark only the objects you need; marking the whole database authoritative rolls back every change made in the domain since the backup.
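The two kinds of restore fit together as one procedure. What follows is an added example, not a procedure from the original article: a non-authoritative system state restore followed by an authoritative restore of a single OU, run on the domain controller in Directory Services Restore Mode. The backup share, the backup version string and the OU are assumptions; the version string comes from the output of `wbadmin get versions`.

```powershell
# Added example, not from the original article: recover a deleted OU on a
# domain controller in DSRM.  $target, $version and $subtree are assumptions.
$target  = '\\backupsrv.corp.example\DCbackups$'   # assumed backup share
$version = '05/12/2010-21:00'                      # assumed; copy from 'wbadmin get versions'
$subtree = 'OU=Sales,DC=corp,DC=example'           # assumed OU deleted by mistake

# 0. Get into DSRM: set safe boot for the next start, reboot, then log on as
#    .\Administrator with the DSRM password.
#      bcdedit /set safeboot dsrepair ; shutdown /r /t 0

# 1. Confirm the chosen version is older than the deletion but younger than
#    the tombstone lifetime; a backup past the lifetime is refused outright.
& wbadmin get versions "-backupTarget:$target"

# 2. Non-authoritative restore of the system state.  Answer Y to start and N
#    to the restart prompt.  Left like this, replication partners would simply
#    re-send the deletion once the DC came back online.
& wbadmin start systemstaterecovery "-version:$version" "-backupTarget:$target"

# 3. Still in DSRM, make only the subtree we want back authoritative.  ntdsutil
#    raises the version numbers of every object under it, so the restored
#    copies win against the tombstones held by the other domain controllers.
#    'restore database' instead would roll the whole domain back to the backup.
& ntdsutil "activate instance ntds" "authoritative restore" "restore subtree $subtree" quit quit

# 4. Back to a normal boot, then verify replication and that the objects exist.
& bcdedit /deletevalue safeboot
& shutdown /r /t 0
#      repadmin /showrepl
#      repadmin /replsummary
#      Get-ADObject -Filter * -SearchBase $subtree | Measure-Object
```

If ntdsutil reports that it wrote .txt and .ldf files, they describe group memberships in other domains of the forest that replication does not repair; apply them with ldifde on a domain controller of each domain named in the output, as the message instructs.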

One of the most common Active Directory problems is the accidental change to, or deletion of, an object. The problem with a deletion is that if you simply create a replacement object it receives a new security identifier (SID), so every permission granted or denied to the old SID on computer resources would have to be re-created. You could use your backup to recover in this situation, but there are two other options: using the audit log to find the old values, or reanimating the deleted object from the Deleted Objects container (its tombstone).

With Windows Server 2008, the Directory Service Changes audit subcategory writes both the old and the new value of a changed attribute to the Security event log (event ID 5136), provided that auditing is enabled and the object's SACL audits the write. For example, if you change a user's organization information, one event records the old value being removed and another records the new value being added, and the two share the same operation correlation ID. If you inadvertently change an object, searching the Security log therefore lets you retrieve the old values and change them back. This only works if auditing was on before the change and the log has not wrapped, so size the Security log accordingly.
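Reading 5136 events by hand in Event Viewer is slow, because each change produces at least two events. The script below is an added example, not from the original article: it parses the 5136 events for one object and attribute, pairs the removed and added values by their correlation ID, and shows who made each change. It assumes PowerShell 3.0 or later on a domain controller with Directory Service Changes auditing enabled; the object DN and attribute are assumptions.

```powershell
# Added example, not from the original article: recover the previous value of
# an attribute from Directory Service Changes auditing (Security event 5136).
# $ObjectDN and $Attribute are assumptions; run on (or against the log of) a DC.
param(
    [string]$ObjectDN  = 'CN=Jane Doe,OU=Sales,DC=corp,DC=example',  # assumed
    [string]$Attribute = 'company',                                  # assumed
    [int]   $Days      = 7
)

# Check that the subcategory is on before trusting an empty result.
$audit = auditpol /get /subcategory:"Directory Service Changes" /r | ConvertFrom-Csv
if ($audit.'Inclusion Setting' -notmatch 'Success') {
    Write-Warning 'Directory Service Changes auditing is off; enable it with: auditpol /set /subcategory:"Directory Service Changes" /success:enable'
}

# OperationType codes used by event 5136.
$opType = @{ '%%14674' = 'Value Added'; '%%14675' = 'Value Deleted' }

$filter  = @{ LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddDays(-$Days) }
$changes = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Pull the named fields out of the event XML rather than parsing the message text.
    $data = @{}
    foreach ($field in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        Correlation = $data['OpCorrelationID']
        Who         = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        ObjectDN    = $data['ObjectDN']
        Attribute   = $data['AttributeLDAPDisplayName']
        Operation   = $opType[$data['OperationType']]
        Value       = $data['AttributeValue']
    }
} | Where-Object { $_.ObjectDN -eq $ObjectDN -and $_.Attribute -eq $Attribute }

if (-not $changes) { "No audited changes to $Attribute on $ObjectDN in the last $Days days."; return }

# One modification logs the removal of the old value and the addition of the
# new one under the same OpCorrelationID; pair them so the old value is obvious.
$history = $changes | Group-Object Correlation | ForEach-Object {
    [pscustomobject]@{
        Time     = $_.Group[0].Time
        Who      = $_.Group[0].Who
        OldValue = ($_.Group | Where-Object { $_.Operation -eq 'Value Deleted' }).Value
        NewValue = ($_.Group | Where-Object { $_.Operation -eq 'Value Added'   }).Value
    }
} | Sort-Object Time -Descending
$history | Format-Table -AutoSize

# To roll the most recent change back once you have confirmed it was a mistake:
#   Set-ADObject -Identity $ObjectDN -Replace @{ $Attribute = $history[0].OldValue }
```

The SACL requirement is the part most often missed: the subcategory can be enabled and still produce nothing for an object whose security descriptor does not audit Write Property, so check the object's auditing tab (or its nTSecurityDescriptor SACL) when the script reports no events for a change you know happened.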

Reanimating a tombstone is more complicated and should only be done by an experienced administrator. The Deleted Objects container is a hidden container, present in each domain partition, that holds a tombstone for every deleted object. A tombstone is kept for the tombstone lifetime, 180 days by default in forests created with Windows Server 2003 SP1 or later (60 days in older forests), after which it is purged and the object can no longer be recovered this way. You can reanimate a deleted object with Windows ldp.exe or a third-party tool: you search with the Show Deleted Objects LDAP control and then, in a single modify operation, remove the isDeleted attribute and set distinguishedName to the object's new location. Because a tombstone keeps only a handful of attributes (the SID and GUID among them), the administrator must know and re-enter the rest, for example group memberships. If you do not have those attributes, consider restoring the object from your backup with an authoritative restore instead.
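The ldp.exe steps above are two LDAP operations, which can be scripted so that the search, the reanimation and the re-entry of known attributes happen in one reviewed run. The script below is an added example, not from the original article, and uses System.DirectoryServices.Protocols to send the same requests ldp.exe does. It assumes PowerShell 3.0 or later on a domain-joined administrative workstation with the ActiveDirectory module; the domain controller, user name, parent OU and group list are assumptions.

```powershell
# Added example, not from the original article: reanimate a deleted user from
# the Deleted Objects container the way ldp.exe does, then restore the
# attributes the tombstone lost.  $dc, $userName, $parentOU, $groups are assumed.
Add-Type -AssemblyName System.DirectoryServices.Protocols
Import-Module ActiveDirectory

$dc       = 'dc1.corp.example'                # assumed domain controller
$userName = 'Jane Doe'                        # assumed CN of the deleted user
$parentOU = 'OU=Sales,DC=corp,DC=example'     # assumed OU it lived in
$groups   = @('Sales', 'VPN Users')           # assumed memberships, from documentation
$domainDN = (Get-ADRootDSE -Server $dc).defaultNamingContext

$conn = New-Object System.DirectoryServices.Protocols.LdapConnection $dc
$conn.SessionOptions.Signing = $true          # we are about to write: sign and seal
$conn.SessionOptions.Sealing = $true
$conn.Bind()                                  # Kerberos with the current credentials

# LDAP_SERVER_SHOW_DELETED_OID: without this control tombstones are invisible.
$showDeleted = New-Object System.DirectoryServices.Protocols.DirectoryControl '1.2.840.113556.1.4.417', $null, $true, $true

# A tombstone is named "<cn>\nDEL:<guid>"; \0A is the LDAP filter escape for the
# newline.  lastKnownParent distinguishes it from same-named objects deleted elsewhere.
$filter = "(&(isDeleted=TRUE)(objectClass=user)(lastKnownParent=$parentOU)(name=$userName\0ADEL:*))"
$search = New-Object System.DirectoryServices.Protocols.SearchRequest("CN=Deleted Objects,$domainDN", $filter, 'Subtree')
$search.Attributes.AddRange([string[]]@('objectSid', 'lastKnownParent', 'whenChanged'))
[void]$search.Controls.Add($showDeleted)

$entries = $conn.SendRequest($search).Entries
if ($entries.Count -ne 1) { throw "Expected exactly one tombstone for '$userName', found $($entries.Count)" }
$tombstone = $entries[0]
"Found $($tombstone.DistinguishedName), last changed $($tombstone.Attributes['whenChanged'].GetValues([string])[0])"

# Reanimation is a single modify: drop isDeleted and move the object out of the
# Deleted Objects container by rewriting its DN, with Show Deleted attached.
$dropDeleted = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$dropDeleted.Name = 'isDeleted'; $dropDeleted.Operation = 'Delete'
$newDn = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
$newDn.Name = 'distinguishedName'; $newDn.Operation = 'Replace'
[void]$newDn.Add("CN=$userName,$parentOU")

$modify = New-Object System.DirectoryServices.Protocols.ModifyRequest
$modify.DistinguishedName = $tombstone.DistinguishedName
[void]$modify.Modifications.Add($dropDeleted)
[void]$modify.Modifications.Add($newDn)
[void]$modify.Controls.Add($showDeleted)
$conn.SendRequest($modify) | Out-Null

# The SID survived, so existing ACLs on file servers still match.  Group
# membership did not: put it back from the documented list, then review the rest.
$user = Get-ADUser -Server $dc -Identity "CN=$userName,$parentOU"
foreach ($g in $groups) { Add-ADGroupMember -Server $dc -Identity $g -Members $user }
$user | Select-Object Name, SID, Enabled,
    @{ n = 'Groups'; e = { (Get-ADPrincipalGroupMembership -Server $dc $_ | Select-Object -ExpandProperty Name) -join ', ' } }
# Still manual: confirm whether the account should be enabled, reset its
# password, and re-enter the attributes the tombstone dropped (mail, title, manager, ...).
```

Run it against one domain controller only and let replication carry the result; if the search finds more than one tombstone, stop and identify the right one by its objectSid (for example from an ACL that still references it) rather than guessing.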

Backup and disaster procedures are essential

A good backup will enable you to do a full restoration from your backup files, but remember that many things can go wrong: you could fail to back up the system state along with the data files, the newest backup could be older than the tombstone lifetime, or an object deletion could go unrecorded because auditing was not enabled. It is therefore critical that you have well-tested recovery procedures in addition to a good backup. Backup and disaster recovery processes coupled with the right tools will enable you to protect your data and reduce the risk of data loss.