In enterprise environments today, Microsoft’s Active Directory (AD or AD DS) is by far the most widely used authentication engine, providing identity management as well as access to resources and objects. According to Microsoft’s own statistics, over 90% of businesses around the world and 95% of the Fortune 1000 use Active Directory. Over the years, Microsoft’s family of products has grown ever more tightly integrated with Active Directory infrastructure, so the health of the enterprise AD structure can affect many if not all systems in the enterprise. Maintaining Active Directory, and planning its disaster recovery, takes center stage when corruption occurs or when AD objects are deleted, whether accidentally or intentionally.
Granted, Active Directory in its latest iterations has grown more robust in its ability to recover from failures, deletions and other events. However, when thinking about disaster recovery and backups, Active Directory infrastructure often gets missed as the critical part of business infrastructure that it is.
We took a look at Nakivo’s Backup & Replication 6.1 product in a previous post. It is a powerful backup and replication tool that offers a lot of value to enterprise environments. In this post, we will delve deeper into NBR 6.1’s ability to back up and recover Active Directory objects and the process for doing this with the NBR 6.1 appliance. Nakivo Backup & Replication 6.1 enables browsing, searching, and recovering Microsoft Active Directory objects directly from your backups. This is an agentless feature that is included with the application-aware capabilities of the software. Let’s take a look at Nakivo 6.1 Backup and Restore Active Directory.
Nakivo 6.1 Backup and Restore Active Directory
The first thing we need to do is take a backup of our domain controller with application-aware processing in place (it is turned on by default).
As you can see below, in the Job options the App-aware mode is set to enabled.
After we have taken a backup of the Domain Controller virtual machine, we can access the application-aware restore that reads Microsoft Active Directory objects. Simply select Recover >> Granular Recovery >> Microsoft Active Directory objects to begin the Active Directory restore wizard.
This opens the very intuitive restore wizard, which starts by letting us select the VM we want to restore from. You will also notice at the bottom of the wizard screen that the Automatically locate application databases option is selected. This means Nakivo Backup & Replication will automatically search the recovery point for supported application databases.
As you proceed with the wizard, the recovery point is searched for supported application databases.
In step 2, we select the application items to recover, which for an Active Directory restore are the objects we want to recover, including user objects. Notice that the Active Directory database, ntds.dit, has been found and is now browseable.
As mentioned, we can browse the backup of the ntds.dit database now the same as we can in Active Directory Users and Computers.
We can now select the container and objects we want to take a look at/restore. Below we have three user accounts in a TestOU container.
From here we can select which objects we want to work with in the restore process by simply placing a check by the objects themselves in the application items to recover screen. Notice we have the Download button and Recovery Settings available.
The Recovery Settings option opens the options for recovery of user objects, which let us choose how a user object is restored: the user will be disabled, or the user must change password at next logon.
The Download option downloads the restorable LDIF package that we can use to import the deleted object/user. If "user must change password at next logon" is selected, Nakivo Backup & Replication automatically generates a new password for each recovered user object. A passwords.txt file containing the new passwords is added to the .zip archive along with the recovered objects, so treat that archive as sensitive: it holds cleartext initial credentials.
As you can see below, we only have the user2 and user3 accounts. We no longer have a user1 account, as it has been accidentally deleted.
We simply copy over the recovery .zip file, which contains our restorable LDIF file, and run the ldifde command to import the object back into Active Directory.
To do this over a secure connection we run the command: ldifde -i -t 636 -f filename.ldif -k -j logfolder, where “filename.ldif” is the path to the recovered LDIF file and “logfolder” is the path to the folder where import logs will be saved. Port 636 is LDAP over SSL/TLS (LDAPS), which requires the domain controller to have a server certificate that the importing machine trusts: one issued by an enterprise CA, or a self-signed certificate that has been imported into the client’s trusted root store. You can also connect and import over the standard port (389) without encryption, but this isn’t recommended: the object’s attributes cross the network in cleartext, and Active Directory only accepts writes to the unicodePwd attribute over an encrypted connection, so an LDIF that sets an initial password will fail on an unencrypted import anyway.
In a lab environment, we have simply used an insecure connection to import. The command is ldifde -i -f filename.ldif -k -j logfolder. (The -i switch turns on import mode; -k tells ldifde to continue past "object already exists" and constraint-violation errors rather than abort.)
When we run the command, the object, along with its attributes, is imported back into Active Directory.
As soon as we refresh the container holding our user accounts, we see user1 back in place, albeit disabled due to the option we chose in the wizard.
We can also now enable the object and make it active.
We also have the log file created by the import, which is very useful for seeing exactly what happened with each object. The log is written to the folder passed in the logfolder parameter of the ldifde command (ldifde names it ldif.log, with errors going to ldif.err).
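The steps above (copy the package, run ldifde, check the log, re-enable the user) are the kind of thing you end up scripting once you have more than one object to bring back. The PowerShell below is an added example for this post, not Nakivo's code and not from its documentation: it expands the recovery archive, warns about any DN that already exists (which -k would otherwise skip silently), runs the same ldifde command shown above against a named DC, fails loudly on a non-zero exit code, verifies each imported object is present, enables restored users, and removes passwords.txt from disk when it is present. The zip path, work and log folders, and the DC name are assumptions for a lab; the helper name Get-RestoredObject is ours. It needs the RSAT ActiveDirectory module.

```powershell
# Added example: automate the ldifde import of a Nakivo AD object recovery package.
# Paths, DC name and helper names are assumptions for a lab, not values from Nakivo.
param(
    [string]$RecoveryZip      = 'C:\Restore\AD-recovery.zip',   # assumed download location
    [string]$WorkDir          = 'C:\Restore\extracted',         # assumed extraction folder
    [string]$LogFolder        = 'C:\Restore\logs',              # ldifde -j target (ldif.log / ldif.err)
    [string]$DomainController = 'dc01.lab.local',               # assumed DC to import against
    [switch]$UseLdaps                                           # add -t 636 for LDAP over SSL/TLS
)

Import-Module ActiveDirectory -ErrorAction Stop

# Look an object up by DN, returning $null instead of throwing when it does not exist.
function Get-RestoredObject {
    param([string]$Dn)
    try {
        Get-ADObject -Identity $Dn -Server $DomainController -Properties objectSid -ErrorAction Stop
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        $null
    }
}

New-Item -ItemType Directory -Force -Path $WorkDir, $LogFolder | Out-Null
Expand-Archive -Path $RecoveryZip -DestinationPath $WorkDir -Force

$ldifFiles = Get-ChildItem -Path $WorkDir -Filter '*.ldif' -Recurse
if (-not $ldifFiles) { throw "No .ldif files found in $RecoveryZip" }

foreach ($ldif in $ldifFiles) {
    # Collect the DN of every record in the file so we can check before and after the import.
    $dns = Select-String -Path $ldif.FullName -Pattern '^dn:\s*(.+)$' |
           ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }

    foreach ($dn in $dns) {
        # ldifde -k ignores "object already exists", so a collision would be skipped silently.
        if (Get-RestoredObject -Dn $dn) {
            Write-Warning "Already present, ldifde -k will not re-create it: $dn"
        }
    }

    # Same command as in the post, plus -s to pin the DC; -t 636 selects LDAPS.
    $ldifdeArgs = @('-i', '-f', $ldif.FullName, '-k', '-j', $LogFolder, '-s', $DomainController)
    if ($UseLdaps) { $ldifdeArgs += @('-t', '636') }
    & ldifde.exe @ldifdeArgs
    if ($LASTEXITCODE -ne 0) {
        throw "ldifde exited with $LASTEXITCODE for $($ldif.Name); see $LogFolder\ldif.log and ldif.err"
    }

    foreach ($dn in $dns) {
        $obj = Get-RestoredObject -Dn $dn
        if (-not $obj) { Write-Warning "Import finished but $dn is not present"; continue }
        if ($obj.ObjectClass -eq 'user') {
            # The wizard option restored the account disabled; enable it once it is verified.
            Enable-ADAccount -Identity $obj.DistinguishedName -Server $DomainController
            Write-Host "Restored and enabled $dn (objectSid $($obj.objectSid))"
        } else {
            Write-Host "Restored $dn ($($obj.ObjectClass))"
        }
    }
}

# passwords.txt (present when "must change password at next logon" was chosen) holds
# cleartext initial passwords. Distribute them through your normal channel, then remove it.
$pwFile = Join-Path $WorkDir 'passwords.txt'
if (Test-Path $pwFile) {
    Write-Warning "Removing $pwFile; it contains cleartext initial passwords"
    Remove-Item $pwFile -Force
}
```

One caveat worth keeping in mind when you verify the result: an LDIF import creates a brand-new object, so the restored user comes back with a new objectSid and objectGUID. ACLs, group memberships and anything else that referenced the old SID do not follow it automatically (memberOf is a computed back-link and cannot be imported), which is why the script prints the new SID and why you should check group membership after the restore. A restore from the AD Recycle Bin or an authoritative restore keeps the original SID; an LDIF re-import does not.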
With Microsoft’s Active Directory at the heart of most organizations’ identity management and resource access, it is imperative that organizations consider their strategies for backing up and restoring Active Directory objects. Whether a deletion is accidental or intentional, the inability to restore the objects back into service quickly can be costly to an enterprise.
Nakivo Backup and Replication 6.1 provides an easy way to restore deleted objects back into service via its intuitive interface. Because agentless, application-aware processing is how the Nakivo Backup and Replication appliance works out of the box, this functionality is available as soon as a domain controller has been backed up for the first time.
Active Directory is a critical component in keeping today’s infrastructure up and running, and enterprises must account for it in any disaster recovery plan. Nakivo 6.1 Backup and Restore Active Directory makes this possible.