Nakivo 6.1 Backup and Restore Active Directory


In enterprise environments today, Microsoft’s Active Directory (AD or ADDS) is by far the most widely used authentication engine that provides identity management as well as access to resources and objects. According to Microsoft’s own statistics, over 90% of businesses around the world and 95% of the Fortune 1000 use Active Directory. With that being said, Microsoft’s family of products has grown even more tightly integrated with Active Directory infrastructure over the years. So, the health of the enterprise AD structure can affect many if not all systems in the enterprise. Maintaining Active Directory as well as thinking about disaster recovery can take center stage if corruption occurs or if AD objects are deleted either accidentally or intentionally.

Granted, Active Directory in its latest iterations has grown more robust in its ability to recover from failures, deletions and other events. However, when disaster recovery and backups are planned, Active Directory infrastructure is often overlooked despite being a critical part of business infrastructure.

We reviewed Nakivo’s Backup & Replication 6.1 product in a previous post. It is a powerful backup and replication tool that offers a lot of value to enterprise environments. In this post, we will delve deeper into NBR 6.1’s ability to back up and recover Active Directory objects and the process to do this with the NBR 6.1 appliance. Nakivo Backup & Replication 6.1 enables browsing, searching, and recovering Microsoft Active Directory objects directly from your backups. This is an agentless feature that is included with the application-aware abilities of the software. Let’s take a look at Nakivo 6.1 Backup and Restore Active Directory.

Nakivo 6.1 Backup and Restore Active Directory

The first thing that we need to do is take a backup of our domain controller with application-aware processing in place (it is turned on by default).


As you can see below, in the Job options the App-aware mode is set to enabled.


After we have taken a backup of the Domain Controller virtual machine, we can now access the application aware restore that can read Microsoft Active Directory objects.  Simply select Recover >> Granular Recovery >> Microsoft Active Directory objects to begin the Active Directory restore wizard.


This opens the very intuitive restore wizard, which starts by letting us select the VM that we want to restore from. Also, you will notice at the bottom of the wizard screen that the Automatically locate application databases option is selected. This means Nakivo Backup & Replication will automatically search for supported application databases.


As you proceed with the wizard, the recovery point is searched for supported application databases.


In step 2, we select the application items to recover, which in an Active Directory restore are the objects that we want to recover, including user objects. Notice that the Active Directory database, ntds.dit, is found and is now browsable.


As mentioned, we can now browse the backup of the ntds.dit database the same way we can in Active Directory Users and Computers.


We can now select the container and objects we want to take a look at/restore.  Below we have three user accounts in a TestOU container.


From here we can select which objects we want to work with in the restore process by simply placing a check next to the objects themselves in the application items to recover screen. Notice we have the Download button and Recovery Settings available.


The Recovery Settings option opens the options for Recovery of user object, which let us choose how the user object is restored: user will be disabled, or user must change password at next logon.


The Download option downloads the restorable LDIF package that we can use to import the deleted object/user. If change password at next logon is selected, Nakivo Backup & Replication will automatically generate a new password for each recovered user object. A passwords.txt file containing the new passwords will be added to the .zip archive along with the recovered objects.


As you can see below, we only have a user2 and user3 account.  We no longer have a user1 account as it has been accidentally deleted.


We simply copy over the zip recovery file, which contains our restorable LDIF file, and run the ldifde command to import the object back into Active Directory.

To do this over a secure connection we run the command: ldifde -i -t 636 -f filename.ldif -k -j logfolder, where “filename.ldif” is the path to the recovered LDIF file, and “logfolder” is the path to the folder where import logs will be saved. The secure connection requires a self-signed certificate to enable secure connectivity to Active Directory. You can also connect and import over the standard port without encryption, but this isn’t recommended.

In a lab environment, we have simply used an insecure connection to import. The command is ldifde -i -f filename.ldif -k -j logfolder.
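Before running the import, it is worth reviewing what the recovered LDIF file will actually write into the directory. The following is an added example, not code from the original post or from Nakivo: it parses LDIF (RFC 2849, including folded lines and base64 values) and flags entries that fall outside the container you expect or that would not arrive disabled. The sample LDIF, the DC=lab,DC=example domain, the user9 entry and the function names are constructed for illustration.

```python
import base64

ACCOUNTDISABLE = 0x2  # userAccountControl bit for a disabled account
# Constructed sample LDIF (not Nakivo output): one folded line, one base64 value.
SAMPLE_LDIF = """\
# constructed for illustration
dn: CN=user1,OU=TestOU,DC=lab,DC=example
userAccountControl: 514
description:: UmVzdG9yZWQgZnJvbSBiYWNrdXA=
memberOf: CN=Some Long Group Name,OU=Groups,
 DC=lab,DC=example

dn: CN=user9,OU=Admins,DC=lab,DC=example
userAccountControl: 512
"""

def parse_ldif(text):
    """Parse LDIF (RFC 2849) text into a list of {attr_lowercase: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # unfold a continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in [l for l in lines if not l.startswith("#")] + [""]:
        if not line.strip():                  # blank line ends an entry
            entries += [current] if current else []
            current = {}
            continue
        attr, _, rest = line.partition(":")
        value = rest.lstrip(":").strip()
        if rest.startswith(":"):              # "attr:: value" is base64
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr.lower(), []).append(value)
    return entries

def review(entries, expected_suffix):  # returns [(dn, [warnings])]
    report = []
    for e in entries:
        dn, warnings = e.get("dn", ["<missing dn>"])[0], []
        if not dn.lower().endswith("," + expected_suffix.lower()):
            warnings.append("outside expected container")
        uac = e.get("useraccountcontrol")
        if uac and not int(uac[0]) & ACCOUNTDISABLE:
            warnings.append("ACCOUNTDISABLE not set")
        report.append((dn, warnings))
    return report

print(review(parse_ldif(SAMPLE_LDIF), "OU=TestOU,DC=lab,DC=example"))
```

An entry with an empty warning list matches what the wizard options in this walkthrough should produce: an object under TestOU that is restored disabled.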


When we run the command, the object and its attributes are imported back into Active Directory.


As soon as we refresh the container holding our user accounts, we see user1 back in place, albeit disabled due to the options we chose in the wizard.


We can also now enable the object and make it active.


Also, we have the log file that is created with the successful import of the object, which is very useful for seeing exactly what happened during the object import. The log location is defined by the logfolder parameter that is passed to the ldifde command.

Thoughts

With Microsoft’s Active Directory being at the heart of most organizations’ identity management and resource access, it is imperative for organizations to consider their strategies for backing up and restoring Active Directory objects. Whether a deletion is accidental or intentional, the ramifications of not being able to properly restore the objects back into service quickly can be costly to enterprises.

Nakivo Backup and Replication 6.1 provides an easy way to restore deleted objects back into service via the intuitive interface. The agentless, application-aware processing that the Nakivo Backup and Replication appliance includes out of the box makes this functionality available as soon as domain controllers are backed up for the first time.

Active Directory is a critical component of keeping today’s infrastructure up and running, and enterprises must consider it in any disaster recovery plan. Nakivo 6.1 Backup and Restore Active Directory makes this possible.