Answer

Options for backing up Active Directory

What is the best method for backing up Active Directory?


Active Directory is essentially a database. If your company uses it, you know it's a critical one, so protecting it is very important. The good news is almost every business-class data protection product has some means to protect Active Directory. There really is no "best way," and most organizations are not going to buy a vendor's data protection product based on its ability to back up and recover Active Directory.

That said, it is important to understand how your data protection solution protects Active Directory. Its capabilities and, more importantly, its limitations will factor into the recovery strategy for this important asset.

Protection

Capturing a clean copy of the information within Active Directory is important from a protection perspective. That means that the backup product should leverage technology to put Active Directory into a static state prior to the data protection event occurring. Most applications will use Microsoft Volume Shadow Copy Service (VSS) to accomplish this. They will then copy the snapshot version of Active Directory into the backup device.

Applications will vary on how they store the copy of Active Directory. Some put it to disk and others to tape. Our view at Storage Switzerland LLC, an analyst firm focused on storage, virtualization and cloud, is that there is limited value in the long-term retention of an Active Directory instance. However, there is extreme short-term value, so storing it on a fast recovery device like disk is critical.

Recovery

Two situations dictate an Active Directory recovery strategy. The first is when there is some kind of corruption. In that scenario, you want to recover the entire store. The second situation is when an accidental deletion of a user account occurs. In that case, you would recover the individual object.

For the first situation, recovery of all of Active Directory, speed of recovery is typically the biggest concern. Some recovery products allow the placement of the Active Directory metadata to a secured backup server with each backup. Unlike a secondary domain controller, there is a gap in protection events. In the case of a corruption, this provides time for the system administrator to realize that corruption has occurred and to initiate a recovery from the isolated copy.

The second situation, accidental deletion of a user account, is a bit trickier, especially if your data protection choice does not have the ability to protect Active Directory at an object level and allow for object-level restores. If your data protection solution provides object-level recovery, then this recovery is quite simple.

Unfortunately, object-level recovery of Active Directory is still relatively rare. A protection application that allows for an all-or-nothing recovery is going to require that the protected Active Directory copy be restored to an isolated domain controller and then the particular user account is extracted from that isolated domain controller. Typically, this is done with PowerShell scripts.

While I started off this answer by saying there is not a "best" way, if recovery of specific objects is an ongoing problem for you, then a product that provides object-level recovery may be that "best way."

This was first published in April 2014
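The extraction step the answer describes (pull a user out of an isolated domain controller that holds the restored copy, then recreate it in production) as an added PowerShell example; it is not part of the original answer, and the host names, OU path and account name are assumed placeholders.

```powershell
# Added example, not from the original answer. Reads a user's attributes from
# an isolated DC restored from backup and recreates the account in production.
# Server names, the OU and the account name below are hypothetical placeholders.
Import-Module ActiveDirectory

$IsolatedDC   = 'isolated-dc01.recovery.example'   # DC restored from the backup
$ProductionDC = 'dc01.corp.example'                 # live domain controller
$Sam          = 'jdoe'                              # the accidentally deleted account

# -Server pins the query to the isolated copy so nothing is read from production.
$src = Get-ADUser -Identity $Sam -Server $IsolatedDC -Properties *

# Only carry over informational attributes. The SID, timestamps, password data
# and other system-owned attributes are deliberately not copied.
$carry = 'department', 'title', 'mail', 'telephoneNumber', 'description'
$other = @{}
foreach ($a in $carry) { if ($src.$a) { $other[$a] = $src.$a } }

$params = @{
    SamAccountName    = $src.SamAccountName
    UserPrincipalName = $src.UserPrincipalName
    Name              = $src.Name
    GivenName         = $src.GivenName
    Surname           = $src.Surname
    DisplayName       = $src.DisplayName
    Path              = 'OU=Recovered,DC=corp,DC=example'   # hypothetical target OU
    Enabled           = $false   # stays disabled until a new password is set
    Server            = $ProductionDC
}
if ($other.Count -gt 0) { $params['OtherAttributes'] = $other }

# Create the object in production, then restore its group memberships
# as recorded on the isolated copy (Domain Users is implicit, so skip it).
$new = New-ADUser @params -PassThru
Get-ADPrincipalGroupMembership -Identity $src -Server $IsolatedDC |
    Where-Object { $_.SamAccountName -ne 'Domain Users' } |
    ForEach-Object {
        Add-ADGroupMember -Identity $_.SamAccountName -Members $new -Server $ProductionDC
    }
```

The recreated account receives a new SID, so ACLs and profiles keyed to the old SID will not follow it; that is the main reason a product with true object-level recovery, which restores the original object, is preferable when deletions are frequent.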
