Backup and Recovery Community Blog

Protecting Active Directory is more difficult than it first appears

Created: 01 May 2009
GFK's picture

Active Directory (AD) is now the standard directory service in the Windows O/S. Exchange, SharePoint and SQL are all dependent on its ongoing good health. And yet we protect our databases, email systems and applications, all of which are reliant on AD, but don’t do anything specific to protect AD itself? Hmmm, neither clever nor grown-up.

Now, backing up Active Directory is pretty simple. However, everyone appreciates that an efficient backup and quick recovery of AD is essential to maintain business productivity, and any administrator who has ever had to attempt to recover Active Directory data is well versed in how frustrating and time-consuming even the basic recovery process can be.

Should data in Active Directory become corrupted, which can happen, it can have a ripple effect across the Windows environment, right down to the application level of Microsoft Exchange, SQL, and SharePoint. Because AD is a replicated database, any human error, hardware or software failure, incorrectly modified or deleted object, or faulty script that accidentally overwrites key AD attributes can have a disastrous effect.

So, with no specific backup and recovery tool for managing AD:

  • The recovery process for AD is tedious and difficult
  • AD restores require command-line system tools like Microsoft NTDSUTIL
  • A full restore of System State is required, which increases downtime
  • Authoritative restores also require you to disconnect the Domain Controller from the network which prevents users from accessing network resources during the recovery.
  • The domain controller must be rebooted at least twice, creating additional downtime and risk.
  • After full recovery, Active Directory installations that have redundancy must, because of replication, wait for large portions of the directory to replicate inbound and outbound, creating additional downtime.
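
To make the list above concrete, here is the native command sequence for authoritatively restoring a single deleted object on a Windows Server 2008 domain controller. This is an added example, not part of the original post or of any Symantec product; the backup version identifier and the object's distinguished name are constructed placeholders to be replaced with real values.

```bat
rem Added example: native authoritative restore of ONE object on a
rem Windows Server 2008 DC, typed at an elevated command prompt.

rem --- Phase 1 (normal mode): schedule a boot into Directory Services
rem     Restore Mode (DSRM). This is reboot number one.
bcdedit /set safeboot dsrepair
shutdown /r /t 0

rem --- Phase 2 (DSRM, logged on with the DSRM administrator password) ---
rem AD DS is offline from here on, so this DC serves no clients.

rem List the available backups and note the version identifier.
wbadmin get versions

rem Placeholder: replace with an identifier printed by the command above.
set BACKUP_VERSION=01/01/2009-00:00

rem Restore the whole System State even though only one object is wanted.
wbadmin start systemstaterecovery -version:%BACKUP_VERSION%

rem Do NOT restart yet. Mark the recovered object authoritative so that
rem replication partners accept it instead of re-deleting it.
rem Placeholder DN (constructed, contains no spaces to keep quoting simple).
set OBJECT_DN=CN=jdoe,OU=Staff,DC=example,DC=com
ntdsutil "activate instance ntds" "authoritative restore" "restore object %OBJECT_DN%" quit quit

rem --- Phase 3: clear the DSRM boot flag and restart normally.
rem     This is reboot number two; the object then replicates outbound.
bcdedit /deletevalue safeboot
shutdown /r /t 0
```

ntdsutil asks for confirmation before marking the object authoritative, so the sequence cannot run unattended as written. On Windows Server 2003 and 2000 the backup tooling differs and the `activate instance ntds` step is not used.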

So, all in all, not good. Most AD recovery jobs are for minor disasters, but these can quickly escalate into larger issues. In situations where an individual user account, object, or even an individual attribute is lost or corrupted, recovery of the entire Active Directory database is not an efficient use of the administrator's time, since recovery is only needed for individual objects.

Why not utilise the BE Agent for Microsoft AD?

Key Business Benefits

  • Online, granular recovery of individual Active Directory objects
  • Restore objects without rebooting AD Domain Controllers
  • Single Pass Backups for complete AD or object level recovery from single backup
  • Point and Click restores.
  • Centralised System State and Active Directory protection

Platform Support

  • Microsoft Windows 2008 Family
  • Microsoft Windows Server 2003 Family (including R2)
  • Microsoft SBS 2008 Family
  • Microsoft SBS 2003 Family (including R2)
  • Microsoft Windows 2000 Server Family (SP4)