What is the best method for backing up Active Directory?
Active Directory is essentially a database. If your company uses it, you know it's a critical one, so protecting it is very important. The good news is almost every business-class data protection product has some means to protect Active Directory. There really is no "best way," and most organizations are not going to buy a vendor's data protection product based on its ability to backup and recover Active Directory.
That said, it is important to understand how your data protection solution protects Active Directory. Its capabilities and, more importantly, its limitations will factor into the recovery strategy for this important asset.
Capturing a clean copy of the information within Active Directory is important from a protection perspective. That means that the backup product should leverage technology to put Active Directory into a static state prior to the data protection event occurring. Most applications will use Microsoft Volume Shadow Copy Service (VSS) to accomplish this. They will then copy the snapshot version of Active Directory into the backup device.
Applications will vary on how they store the copy of Active Directory. Some put it to disk and others to tape. Our view at Storage Switzerland LLC, an analyst firm focused on storage, virtualization and cloud, is that there is limited value in the long-term retention of an Active Directory instance. However, there is extreme short-term value, so storing it on a fast recovery device like disk is critical.
Two situations dictate an Active Directory recovery strategy. The first is when there is some kind of corruption. In that scenario, you want to recover the entire store. The second situation is when an accidental deletion of a user account occurs. In that case, you would recover the individual object.
For the first situation, recovery of all of Active Directory, speed of recovery is typically the biggest concern. Some recovery products allow the placement of the Active Directory metadata to a secured backup server with each backup. Unlike a secondary domain controller, there is a gap in protection events. In the case of a corruption this provides time for the system administrator to realize that corruption has occurred and to initiate a recovery from the isolated copy.
The second situation, accidental deletion of a user account, is a bit trickier, especially if your data protection choice does not have the ability to protect Active Directory at an object level and allow for object-level restores. If your data protection solution provides object-level recovery, then this recovery is quite simple.
Unfortunately, object-level recovery of Active Directory is still relatively rare. A protection application that allows for an all or nothing recovery is going to require that the protected Active Directory copy be restored to an isolated domain controller and then the particular user account is extracted from that isolated domain controller. Typically this is done with PowerShell scripts.
While I started off this answer by saying there is not a "best" way, if recovery of specific objects is an ongoing problem for you, then a product that provides object-level recovery may be that "best way."
Dig Deeper on Backup and recovery software
Related Q&A from George Crump
Hyper-converged architectures make provisioning storage for VMs simpler by integrating it into configuration options.continue reading
George Crump of Storage Switzerland discusses whether specialized tools are necessary to back up Linux environments.continue reading
George Crump of Storage Switzerland discusses how data loss issues can be mitigated in write caching products.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.