Microsoft Active Directory Backup and Recovery in Windows Server 2008
Written by Shawn Barker, Product Manager, Quest Software, Inc.




Copyright Quest Software, Inc. 2008. All rights reserved.

This guide contains proprietary information, which is protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc.

WARRANTY
The information contained in this document is subject to change without notice. Quest Software makes no warranty of any kind with respect to this information. QUEST SOFTWARE SPECIFICALLY DISCLAIMS THE IMPLIED WARRANTY OF THE MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Quest Software shall not be liable for any direct, indirect, incidental, consequential, or other damage alleged in connection with the furnishing or use of this information.

TRADEMARKS
All trademarks and registered trademarks used in this guide are property of their respective owners.

World Headquarters
5 Polaris Way
Aliso Viejo, CA 92656
www.quest.com
e-mail: info@quest.com
Please refer to our Web site for regional and international office information.

Updated April 2, 2008
WPW_RMAD_Win_040208_AG

CONTENTS
INTRODUCTION ... 1
CHANGES TO ACTIVE DIRECTORY BACKUP AND RECOVERY IN WINDOWS SERVER 2008 ... 2
  BACKUP ... 2
  TROUBLESHOOTING ... 3
  RESTORE ... 3
  ENTERPRISE EXAMPLE: BACKING UP AND RECOVERING ACTIVE DIRECTORY ITEMS USING WINDOWS SERVER 2008 NATIVE TOOLS ... 4
QUEST RECOVERY MANAGER FOR ACTIVE DIRECTORY ... 6
  BACKUP ... 6
  TROUBLESHOOTING ... 7
  RESTORE ... 8
COMPARISON: AD BACKUP AND RECOVERY IN THE ENTERPRISE ... 9
SUMMARY ... 11
  MORE INFORMATION ... 11
ABOUT THE AUTHOR ... 12
ABOUT QUEST SOFTWARE, INC. ... 13
  CONTACTING QUEST SOFTWARE ... 13
  CONTACTING QUEST SUPPORT ... 13
NOTES ... 14

INTRODUCTION

Microsoft released Windows Server 2008, its first major server platform since Windows Server 2003, in February 2008. Anticipated by many enterprises, it includes new technical, security, management, and administrative features designed to increase server reliability and flexibility.

Windows Server 2008 also includes a number of Active Directory improvements and extensions. The core Active Directory functionality in Windows Server 2003 is renamed Active Directory Domain Services (AD DS) in Windows Server 2008, distinguishing it from new components such as Active Directory Certificate Services (AD CS), Active Directory Federation Services (AD FS), Active Directory Lightweight Directory Services (AD LDS), and Active Directory Rights Management Services (AD RMS).

Read-Only Domain Controller (RODC) is a new AD DS security feature that is garnering considerable attention. An RODC allows you to deploy a read-only copy of the domain database in environments where physical or administrative security is weaker, such as in branch offices. RODCs contain all AD DS objects and attributes, except for account passwords. Since changes cannot originate at an RODC, a malicious or inexperienced user cannot create unwelcome changes that will replicate throughout the entire AD forest.

AD DS is still vulnerable to human error, equipment failure, or misconfigured software, any of which can corrupt AD and Group Policy data. Corruptions and deletions can negatively impact application response times, user productivity, or business metrics, which is why it's critical to have a reliable recovery plan. Correcting and restoring AD objects and attributes using Windows Server 2003 native tools has typically been a time-consuming and error-prone process. A recent survey [1] of over 150 enterprises revealed that 60 percent of them had at least one AD accident in the past year. Depending on the nature of the problem, these accidents can take hours or even days to rectify.

Windows Server 2008 introduces some changes to the backup and recovery of AD. While Microsoft has introduced a new backup mechanism and a tool for browsing backup data, AD objects are not significantly easier or quicker to recover than they have been in the past. Since the new backup method is neither similar to nor backwards-compatible with the tools used in Windows Server 2003, AD administrators with mixed Windows environments will be forced to run separate backup mechanisms, complicating both training and business processes.

This white paper provides an overview of the new AD backup and recovery features included in Windows Server 2008, and examines the tools that will be available to help enterprises prevent downtime and the resulting impact on users during an AD recovery. It introduces Quest Recovery Manager for Active Directory and explains how it works with the new features to simplify the complexity of Windows Server 2008.

CHANGES TO ACTIVE DIRECTORY BACKUP AND RECOVERY IN WINDOWS SERVER 2008

The new functionality and changes affecting the Active Directory backup and recovery process in Windows Server 2008 can be broken down into three subsections: backup, troubleshooting, and restore.

Backup

Windows Server Backup is the utility in Windows Server 2008 that replaces the NTBackup utility available in previous server releases. According to Microsoft literature, Windows Server Backup is "a basic backup and recovery solution" [2] whose simple design makes it "especially well-suited for smaller organizations or individuals who are not IT professionals." [3] Reading between the lines, enterprise IT professionals may find it does not meet the specific needs of their AD environment.

There are a number of new features introduced in Windows Server Backup. A Microsoft Management Console (MMC) Backup snap-in allows IT administrators or backup operators to manage both local and remote server backups through the same user interface on a single server. Windows Server Backup can now back up data from applications such as Microsoft SQL Server and Windows SharePoint Services using Volume Shadow Copy Service (VSS). Both full and incremental backups are now supported.

However, there are some limitations in Windows Server Backup that can affect enterprise backup processes in general and Active Directory backups in particular. Windows Server Backup is not backwards-compatible, so you cannot recover backups created via NTBackup. Windows Server Backup is also less granular than previous backup utilities. Considering the multiple domain controllers (DCs) established in many larger organizations, this can complicate the Active Directory backup and recovery process.

For example, the Windows Server Backup graphical interface does not allow you to create backups of just the System State, so every volume hosting AD components must be backed up in its entirety. Depending on where the AD database, logs, SYSVOL, Windows directory, and boot files are located, this may involve backing up multiple server partitions. While it is possible to create System State backups using the WBADMIN.EXE command-line utility, these backups include system protected files and still result in large backups regardless of the size of the AD database. While there are performance improvements to the Windows Server 2008 backup utility, its large backups consume additional storage. This will result in slower restore times, as IT administrators must manually sift through large backups.
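As an added example (not code from the white paper, Microsoft, or Quest), the following PowerShell script wraps the WBADMIN.EXE System State backup that the paragraph mentions: it refuses an obviously wrong target volume, runs the backup non-interactively so it can be scheduled, checks the exit code, and lists the backup versions WBADMIN now holds. It assumes a Windows Server 2008 domain controller with the Windows Server Backup command-line tools installed, an elevated prompt, and a dedicated backup volume E: (a placeholder).

```powershell
# Added example, not from the white paper: scripted System State backup on a
# Windows Server 2008 DC via WBADMIN.EXE. Assumes the Windows Server Backup
# feature with its command-line tools is installed, the script runs elevated,
# and E: (placeholder) is a volume that holds none of the AD components.
param(
    [string]$BackupTarget = 'E:'
)

function Test-BackupTarget {
    param([string]$Target)
    # WBADMIN rejects a target that is itself a critical volume; catch the
    # obvious case (the system drive) before calling it, and make sure the
    # volume is actually reachable.
    $systemDrive = $env:SystemDrive.TrimEnd('\')
    if ($Target.TrimEnd('\') -ieq $systemDrive) {
        throw "Backup target $Target is the system volume; choose another volume."
    }
    if (-not (Test-Path "$($Target.TrimEnd('\'))\")) {
        throw "Backup target $Target is not accessible."
    }
}

function Invoke-SystemStateBackup {
    param([string]$Target)
    Test-BackupTarget -Target $Target
    # -quiet suppresses the interactive confirmation so the command can run
    # unattended from a scheduled task. Expect a large backup even for a small
    # ntds.dit, as the paper notes: system protected files are included.
    & wbadmin.exe start systemstatebackup "-backupTarget:$Target" -quiet
    if ($LASTEXITCODE -ne 0) {
        throw "wbadmin returned exit code $LASTEXITCODE; the System State backup did not complete."
    }
    # Show the versions now stored on the target; the version identifier
    # printed here is what a later 'wbadmin start systemstaterecovery' needs.
    & wbadmin.exe get versions "-backupTarget:$Target"
    if ($LASTEXITCODE -ne 0) {
        throw "wbadmin get versions returned exit code $LASTEXITCODE."
    }
}

Invoke-SystemStateBackup -Target $BackupTarget
```

Because the target volume must not contain system or AD files, a dedicated disk (or a separate partition) is the realistic choice; the script treats the system drive as a hard error rather than letting WBADMIN fail later with a less obvious message.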

Troubleshooting

Windows Server 2008 includes a new feature called AD DS Snapshot Viewer, designed to make it easier to view backed-up data. With Snapshot Viewer, you can browse VSS-created snapshots of the AD database to determine whether they contain the desired data before attempting a restore. You can browse these read-only snapshots on a domain controller without starting the domain controller in Directory Services Restore Mode (DSRM). In contrast, Windows Server 2003 had no way of viewing multiple AD backups taken at different times. The only way to determine which objects were missing was to perform a non-authoritative restore by restarting AD in DSRM.

While Snapshot Viewer is a handy feature, it is quite cumbersome. It requires two different command-line utilities to mount a snapshot and bring it online for browsing. Once it's online, you must manually sift through the data, comparing the snapshot(s) to the current database in an attempt to detect changes. Depending on the size and nature of the changes, this is very time-consuming. For a complete description of the process, please see the enterprise example on page 5.

AD Explorer is a new, free downloadable utility from Sysinternals, a recent Microsoft acquisition, which addresses some of the challenges of Snapshot Viewer. AD Explorer is a Windows-based utility that allows direct viewing and editing of an AD database. This tool makes it easier to navigate through the database, or search for specific records or attributes. AD Explorer can also take snapshots of the database, and perform simple comparisons between versions to identify changes. However, the snapshots cannot be used as backups, nor does this utility allow you to restore affected objects.

Restore

Once you have determined which AD backup contains the data you want, you need to go through a separate process to restore the data. There are no improvements to the restore process in Windows Server 2008. Although the AD Directory Service can be restarted without rebooting the DC in Windows Server 2008, you must reboot a domain controller in DSRM to perform authoritative and non-authoritative restores, as with previous versions. Alternatively, you must create scripts that call the Reanimate Tombstone API to undelete objects while keeping the systems online.

A couple of free utilities, available since Windows Server 2003, leverage the Reanimate Tombstone API to undelete objects in both Windows Server 2003 and Windows Server 2008. Sysinternals' ADRestore and Quest's Object Restore for Active Directory use the Reanimate Tombstone API to restore mandatory attributes such as object name, Security Identifier (SID), Globally Unique Identifier (GUID), and parent container. Unfortunately, these utilities can restore only the information stored in the object tombstones, which does not include all attributes. After reanimating a deleted object, it is still necessary to painstakingly and manually repopulate all of the object's attributes, group memberships, and back-links, since Windows Server 2008 does not provide a way to populate a restored object's attributes from an AD backup.
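The "scripts that call the Reanimate Tombstone API" the paragraph refers to boil down to one LDAP modify request sent with the Show Deleted Objects control. The following PowerShell script is an added example (not code from the white paper, from Sysinternals, or from Quest) that performs that reanimation and then reads the object back so the operator can see which attributes survived in the tombstone and which must be repopulated by hand, as the paragraph warns. It assumes PowerShell 2.0 on a domain member, a caller holding the "Reanimate tombstones" right, and placeholder names: the domain controller dc1.corp.example, the container CN=Deleted Objects,DC=corp,DC=example, and the account jdoe.

```powershell
# Added example, not from the white paper: undelete a tombstone with the same
# LDAP modify operation the Reanimate Tombstone API performs, then list the
# attributes that came back. Assumes PowerShell 2.0, the "Reanimate
# tombstones" right, and placeholder names (dc1.corp.example, corp.example, jdoe).
Add-Type -AssemblyName System.DirectoryServices.Protocols

$DomainController = 'dc1.corp.example'                          # placeholder
$DeletedObjects   = 'CN=Deleted Objects,DC=corp,DC=example'     # placeholder

function Connect-Ldap {
    param([string]$Server)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.Signing = $true   # privileged change: sign and seal the session
    $conn.SessionOptions.Sealing = $true
    $conn.Bind()                           # current Windows credentials (Negotiate)
    return $conn
}

function Find-Tombstone {
    param($Conn, [string]$SamAccountName)
    # sAMAccountName, objectSid, objectGUID and lastKnownParent are among the
    # attributes a tombstone keeps, so the account can still be found by name.
    $filter = "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))"
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $DeletedObjects, $filter,
        [System.DirectoryServices.Protocols.SearchScope]::OneLevel,
        [string[]]@('lastKnownParent', 'objectSid', 'objectGUID'))
    # Tombstones are invisible to searches without the Show Deleted control.
    [void]$req.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl))
    $res = $Conn.SendRequest($req)
    if ($res.Entries.Count -ne 1) {
        throw "Expected exactly one tombstone for $SamAccountName, found $($res.Entries.Count)"
    }
    return $res.Entries[0]
}

function Restore-Tombstone {
    param($Conn, $Entry)
    $parent = [string]$Entry.Attributes['lastKnownParent'][0]
    # A tombstone's RDN looks like "CN=Jane Doe\0ADEL:<guid>"; the part before
    # the delete marker is the original RDN. If the parent OU was deleted too,
    # lastKnownParent names a tombstone and the move fails: restore it first.
    $rdn   = ($Entry.DistinguishedName -split '\\0ADEL:')[0]
    $newDn = "$rdn,$parent"

    $undelete = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $undelete.Name      = 'isDeleted'
    $undelete.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete

    $move = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $move.Name      = 'distinguishedName'
    $move.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$move.Add($newDn)

    # Removing isDeleted and moving the object must travel in ONE modify
    # request; the directory rejects them as separate operations.
    $req = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $req.DistinguishedName = $Entry.DistinguishedName
    [void]$req.Modifications.Add($undelete)
    [void]$req.Modifications.Add($move)
    [void]$req.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl))
    $resp = $Conn.SendRequest($req)
    if ($resp.ResultCode -ne [System.DirectoryServices.Protocols.ResultCode]::Success) {
        throw "Reanimation failed: $($resp.ResultCode) $($resp.ErrorMessage)"
    }
    return $newDn
}

function Get-RestoredAttributeNames {
    param($Conn, [string]$Dn)
    # Read the reanimated object back. Anything absent from this list (display
    # name, UPN, group memberships, ...) was not in the tombstone and has to be
    # repopulated manually, which is the gap the paper describes.
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $Dn, '(objectClass=*)',
        [System.DirectoryServices.Protocols.SearchScope]::Base, [string[]]@('*'))
    $entry = $Conn.SendRequest($req).Entries[0]
    return @($entry.Attributes.AttributeNames | Sort-Object)
}

$conn  = Connect-Ldap -Server $DomainController
$tomb  = Find-Tombstone -Conn $conn -SamAccountName 'jdoe'   # placeholder account
$newDn = Restore-Tombstone -Conn $conn -Entry $tomb
"Reanimated $newDn; attributes present afterwards:"
Get-RestoredAttributeNames -Conn $conn -Dn $newDn
```

The attribute listing at the end is the useful part for recovery planning: comparing it against what a normal user object carries shows concretely how much of an account the tombstone does not preserve.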

Enterprise Example: Backing Up and Recovering Active Directory Items Using Windows Server 2008 Native Tools

It is late 2008 at a mid-sized consumer products company that has a widely distributed market. Its AD manages user access to a wide range of applications, including Microsoft Exchange and SQL Server, SAP All-in-One, as well as the customer support wikis. The company has recently moved several machines over to Windows Server 2008, and is learning about the changes and new features. Then the company receives a notice about a reorganization, which includes the integration of a recent acquisition.

After the Re-org

The re-org finished last week, and the integration seemed to go smoothly. The IT department had to move hundreds of AD user accounts around, and then ensure the changes were fully propagated to their few dozen domain controllers. While making these changes, IT also updated some Group Policy Objects (GPOs) for consistency across the organization. So far things were running well. Monday had been busier than normal, but not out of line, considering how many changes had been made.

The calls to the IT help desk started when the newly integrated, remote customer service center staff started its shift early Tuesday, after the center had been closed for a holiday. Some of the staff members reported that they couldn't log in. Since this particular customer service staff hadn't been on duty since the re-org, IT administrators immediately assumed there had been some error in the AD changes.

The company has a scheduled task that creates a snapshot of AD on the Windows Server 2008 domain controllers every six hours. The first step was to find out when changes might have been made that affected this group. Consulting the operator change log kept for this purpose, IT quickly narrowed down the time period for the incident to Friday afternoon, between noon and 5 p.m.

Using the new AD DS Snapshot Viewer in Windows Server 2008, a small team set out to examine the changes that were made to individuals, organizational units (OUs), and GPOs in the two backups that covered that time period.

Figure 1 - Locating and mounting a snapshot with NTDSUTIL
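The snapshot workflow that the Troubleshooting section describes and that Figures 1 and 2 illustrate (create with ntdsutil, mount, expose with dsamain, browse, unmount) can be scripted, and the manual sifting replaced with an automated comparison. The following PowerShell script is an added example, not code from the white paper, Microsoft, or Quest. It assumes an elevated prompt on the Windows Server 2008 domain controller itself, a free LDAP port (51389), ntds.dit under \Windows\NTDS on the snapshotted volume, and the placeholder domain DC=corp,DC=example.

```powershell
# Added example, not from the white paper: AD DS snapshot create, mount,
# expose with dsamain, compare against live AD, unmount. Assumes an elevated
# prompt on the DC, port 51389 free, ntds.dit under \Windows\NTDS on the
# snapshotted volume, and the placeholder domain DC=corp,DC=example.
$SnapshotPort = 51389
$SearchBase   = 'DC=corp,DC=example'     # placeholder
$DitRelative  = 'Windows\NTDS\ntds.dit'

# The paper's "snapshot every six hours" task can be created with, for example:
#   schtasks /create /sc HOURLY /mo 6 /ru SYSTEM /tn "AD DS snapshot"
#            /tr "ntdsutil \"activate instance ntds\" snapshot create quit quit"

function New-AdSnapshot {
    # ntdsutil asks VSS for a snapshot of the volume(s) holding the database.
    & ntdsutil.exe 'activate instance ntds' snapshot create quit quit | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil snapshot create failed ($LASTEXITCODE)" }
}

function Mount-AdSnapshot {
    param([int]$Index = 1)
    # 'list all' numbers the snapshots; 'mount <n>' exposes one as a read-only
    # tree such as C:\$SNAP_200806131200_VOLUMEC$\ and prints that path.
    $out  = & ntdsutil.exe snapshot 'list all' "mount $Index" quit quit
    $line = @($out | Where-Object { $_ -match '\$SNAP_' })[-1]
    if ($line -and $line -match '([A-Za-z]:\\\$SNAP_[^$]+\$\\)') { return $Matches[1] }
    throw "ntdsutil did not report a mount point: $out"
}

function Dismount-AdSnapshot {
    param([int]$Index = 1)
    & ntdsutil.exe snapshot 'list all' "unmount $Index" quit quit | Out-Null
}

function Get-UserAccountNames {
    param([string]$Server, [int]$Port, [string]$Base)
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://${Server}:${Port}/${Base}")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter   = '(&(objectCategory=person)(objectClass=user))'
    $searcher.PageSize = 1000   # paged search so a large domain returns fully
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    return @($searcher.FindAll() | ForEach-Object { [string]$_.Properties['samaccountname'][0] })
}

function Compare-SnapshotToLive {
    param([string]$MountPath)
    $dit = Join-Path $MountPath $DitRelative
    # dsamain serves the snapshot's database as a stand-alone LDAP server on
    # the chosen port and runs until stopped, so launch it in the background.
    $dsamain = Start-Process -FilePath dsamain.exe -PassThru `
        -ArgumentList "-dbpath `"$dit`" -ldapport $SnapshotPort"
    Start-Sleep -Seconds 20   # give dsamain time to open the database
    try {
        $then = Get-UserAccountNames -Server 'localhost' -Port $SnapshotPort -Base $SearchBase
        $now  = Get-UserAccountNames -Server 'localhost' -Port 389 -Base $SearchBase
        # Accounts present in the snapshot but missing live: restore candidates.
        return @($then | Where-Object { $now -notcontains $_ })
    } finally {
        Stop-Process -Id $dsamain.Id -Force   # the snapshot is read-only, nothing to flush
    }
}

New-AdSnapshot
$mount = Mount-AdSnapshot -Index 1
try {
    $missing = Compare-SnapshotToLive -MountPath $mount
    "Accounts in snapshot but not in live AD: $($missing.Count)"
    $missing
} finally {
    Dismount-AdSnapshot -Index 1
}
```

The comparison only looks at which user accounts exist; the same two-port query pattern extends to attribute-level diffs (group membership, userAccountControl, OU placement) by loading more properties and comparing per account. Running the snapshot task as SYSTEM and keeping the dsamain port closed at the firewall matters, because the exposed snapshot is a full copy of the directory, minus nothing.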

Figure 2 - Exposing the mounted snapshot as an LDAP server so it can be browsed

The issue was discovered quickly, but took a long time to fix. The users who could not log in were not present in AD. The team had to mount the two backups from Friday, and using the new AD DS Snapshot Viewer, search the backups for each name to confirm that the accounts existed in that backup. It seemed that when processing the re-org changes, confusion between similar user account names had resulted in some deletions. Accounts that were meant to be moved had instead been deleted. After confirming the usernames (they didn't want to accidentally restore the wrong accounts), they began the recovery process.

Figure 3 - AD DS Snapshot Viewer; browsing the exposed snapshot using ADSIEdit

The first step was restarting the domain controller in recovery mode. While it was down, log-in requests would be handled by one of the other domain controllers. Then the team restored the backup file that contained the deleted accounts, taking care not to restart the controller and avoiding synchronization with the online versions. Restoring objects in Windows Server 2008 is done in the same way as in Windows Server 2003. Using ntdsutil and its authoritative restore command, the team marked each deleted account as authoritative in the database one by one (restore object DistinguishedName). Simply typing in the multiple accounts took over an hour. When the team had gone through the list, it restarted the domain controller. Then it had to make all of the correct account moves and changes. Once the changes were complete, the team forced a replication to the partner controllers.

It was a long day, and customer support was understaffed as a result of the affected accounts. But the situation could have been worse. Imagine if the affected accounts had belonged to some traveling senior executives, sales people at a critical meeting, or the distribution and logistics departments.
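The hour the team spent typing "restore object" for each account is avoidable: ntdsutil accepts its whole command sequence as arguments, so a confirmed DN list can be handed over in one session. The following PowerShell script is an added example (not code from the white paper, Microsoft, or Quest) covering both halves of the recovery in the story: the authoritative-restore phase in DSRM, and the post-restart phase that verifies the objects are back and forces replication to the partner controllers. It assumes the DC is booted into DSRM with the System State backup already restored non-authoritatively, and a constructed DN list file at C:\recovery\deleted-accounts.txt (placeholder path and placeholder DNs).

```powershell
# Added example, not from the white paper: authoritative restore of a list of
# DNs in one ntdsutil session (phase 1, in DSRM), then verification and forced
# replication after the normal restart (phase 2). Assumes the non-authoritative
# System State restore has already been done, and a constructed DN list file.
param(
    [string]$DnListPath = 'C:\recovery\deleted-accounts.txt',   # placeholder
    [switch]$AfterReboot   # phase 2: run once the DC is back in normal mode
)

# Constructed sample content for the DN list file (placeholder DNs), one per line:
#   CN=Jane Doe,OU=Customer Service,DC=corp,DC=example
#   CN=Sam Roe,OU=Customer Service,DC=corp,DC=example

function Read-DnList {
    param([string]$Path)
    # Blank lines and '#' comments are ignored. Each DN must look like one
    # (CN=... leading to ...,DC=...); a malformed line aborts before ntdsutil
    # gets anything, since a wrong DN restores the wrong object or nothing.
    $dns = @(Get-Content $Path | ForEach-Object { $_.Trim() } |
             Where-Object { $_ -and -not $_.StartsWith('#') })
    foreach ($dn in $dns) {
        if ($dn -notmatch '^CN=.+,DC=') { throw "Not a distinguished name: $dn" }
    }
    return $dns
}

function Invoke-AuthoritativeRestore {
    param([string[]]$DistinguishedNames)
    if ($DistinguishedNames.Count -eq 0) { throw 'No DNs to restore.' }
    # Each array element becomes one ntdsutil command; DNs with spaces must be
    # quoted. ntdsutil still confirms each 'restore object' interactively, so
    # the operator answers one prompt per DN rather than typing each DN.
    $commands = @('activate instance ntds', 'authoritative restore')
    foreach ($dn in $DistinguishedNames) { $commands += "restore object `"$dn`"" }
    $commands += @('quit', 'quit')
    & ntdsutil.exe $commands
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil returned $LASTEXITCODE" }
    # ntdsutil (Windows Server 2003 SP1 and later) also writes ar_*_links_*.ldf
    # files in the working directory holding the restored objects' group
    # memberships; keep them for ldifde after the restart, because the
    # memberships are otherwise the manual repopulation the paper describes.
}

function Confirm-RestoredObjects {
    param([string[]]$DistinguishedNames)
    # Phase 2: each DN must answer on the live directory after the restart.
    $missing = @()
    foreach ($dn in $DistinguishedNames) {
        if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dn")) {
            $missing += $dn
        }
    }
    return $missing
}

function Start-ForcedReplication {
    # Push the authoritative versions to all partners, all partitions,
    # across site boundaries (the "forced a replication" step in the story).
    & repadmin.exe /syncall $env:COMPUTERNAME /A /P /e /d
    if ($LASTEXITCODE -ne 0) { throw "repadmin /syncall returned $LASTEXITCODE" }
}

$dns = Read-DnList -Path $DnListPath
if (-not $AfterReboot) {
    Invoke-AuthoritativeRestore -DistinguishedNames $dns
    'Objects marked authoritative. Restart the DC normally, then rerun this script with -AfterReboot.'
} else {
    $missing = Confirm-RestoredObjects -DistinguishedNames $dns
    if ($missing.Count -gt 0) { throw "Not present after restart: $($missing -join '; ')" }
    Start-ForcedReplication
    "All $($dns.Count) objects present; replication pushed."
}
```

Keeping the DN list in a file that someone other than the operator has reviewed is the real safeguard here: the story's risk of "accidentally restoring the wrong accounts" does not go away because the typing is automated, it just moves to the list.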

QUEST RECOVERY MANAGER FOR ACTIVE DIRECTORY

Quest Recovery Manager for Active Directory allows you to efficiently back up, troubleshoot, and restore all AD domain controllers, regardless of which Windows versions are running, from an intuitive interface. It's ideal for mid-market organizations and enterprises that rely on AD to manage user access to business applications.

A single solution for multiple needs, Recovery Manager reduces the time and training costs required to manage several types of AD backups and restores. Its ability to back up and restore domain controllers remotely further reduces the time and costs associated with administering remote sites. In addition, its quick, intelligent wizards greatly reduce the time it takes to set up backups and troubleshoot errors. The wizards also eliminate the lengthy process of typing strings on command-line interfaces, a common source of errors.

Backup

Recovery Manager features an easy-to-use Backup Wizard interface that supports all versions of Windows AD, from 2000 to 2008 [4]. Unlike Windows Server Backup, Recovery Manager supports the creation of backups for just the System State, eliminating the time and disk space needed to back up the entire server volume. You can store backups in a centralized location, in distributed locations, or on the domain controllers themselves.

Figure 4 - Quest Recovery Manager for Active Directory

Troubleshooting

Knowing what has caused an outage is usually a tedious job. With Recovery Manager, you can easily select the backup you want to view from a list. Recovery Manager backups load quickly, since they are always online. The comparison reporting tool in Recovery Manager automatically compares the online AD state with the selected backup, highlighting only what has changed (see Figure 5). The comparison reporting tool not only shows which user accounts or groups have changed; it also provides details of the changes, including specific attributes.

Figure 5 - Recovery Manager's comparison reports highlight all changed and deleted objects to simplify troubleshooting

Restore

Recovery Manager provides online, granular recovery of AD DS data. An online restore wizard guides you through each step of recovering System State and Group Policy data. You can restore an entire domain or OU, GPOs, selected user accounts, or individual attributes, each with a single mouse-click, without incurring any system downtime (see Figure 6). Performing an online restore minimizes any impact on users, since domain controllers do not have to be restarted.

Figure 6 - Restoring objects quickly with Recovery Manager's online restore wizard

COMPARISON: AD BACKUP AND RECOVERY IN THE ENTERPRISE

The following charts contrast the native backup, troubleshooting, and recovery methods available in Windows Server 2003, Windows Server 2008, and with Quest Recovery Manager for Active Directory.

[Chart: Windows Server 2003 Native Tools (chart contents not reproduced in this transcription)]

[Chart: Windows Server 2008 Native Tools (chart contents not reproduced in this transcription)]

[Chart: Quest Recovery Manager for Active Directory (chart contents not reproduced in this transcription)]

SUMMARY

While there are many enhancements in Windows Server 2008, the native AD DS backup and recovery process has not significantly improved. New tools may make certain aspects of the process a little easier, but they do not significantly reduce the downtime associated with restoring deleted or changed AD objects.

Quest Recovery Manager for Active Directory is designed for mid-market and enterprise organizations that need a consistent, efficient method to quickly recover all AD objects affected by configuration problems, malicious software or users, equipment problems, or other AD disasters. Recovery Manager is ideal for enterprises running multiple versions of Windows Server, or for distributed environments that would benefit from centrally administering AD backup and recovery.

Thousands of enterprises rely on Quest Recovery Manager for Active Directory to protect them from unnecessary downtime associated with everyday AD disasters, such as software failures and human error. Microsoft recently named Quest Software its 2007 Global Independent Software Vendor (ISV) Partner of the Year for the second time in four years. Quest has supported Microsoft enterprise directory products since 1993 and currently employs the greatest number of AD developers outside of Microsoft. Nearly 7,000 companies rely on Quest to manage more than 45 million AD user accounts.

More Information

Recovery Manager for Active Directory Web site: http://www.quest.com/recovery-manager-for-active-directory/
Webcast: http://www.quest.com/events/listdetails.aspx?contentid=3682&site=&prod=126&technology=&prodfamily=&loc=
Product overview: http://www.quest.com/recovery_manager_for_active_directory/demo/recovery-Manager-for-Active-Directory.swf

ABOUT THE AUTHOR

Shawn Barker is a product manager for Recovery Manager for Active Directory and other Windows Management solutions at Quest Software. For nearly 10 years, Shawn has worked with Global 2000 and other large enterprises to understand their network and operational challenges. Armed with this experience, he has worked with Quest's R&D team to develop Active Directory management solutions.

ABOUT QUEST SOFTWARE, INC.

Quest Software, Inc. delivers innovative products that help organizations get more performance and productivity from their applications, databases and Windows infrastructure. Through a deep expertise in IT operations and a continued focus on what works best, Quest helps more than 50,000 customers worldwide meet higher expectations for enterprise IT. Quest Software can be found in offices around the globe and at www.quest.com.

Contacting Quest Software

Phone: 949.754.8000 (United States and Canada)
Email: info@quest.com
Mail: Quest Software, Inc., World Headquarters, 5 Polaris Way, Aliso Viejo, CA 92656, USA
Web site: www.quest.com
Please refer to our Web site for regional and international office information.

Contacting Quest Support

Quest Support is available to customers who have a trial version of a Quest product or who have purchased a commercial version and have a valid maintenance contract. Quest Support provides around-the-clock coverage with SupportLink, our web self-service. Visit SupportLink at http://support.quest.com

From SupportLink, you can do the following:
- Quickly find thousands of solutions (Knowledgebase articles/documents).
- Download patches and upgrades.
- Seek help from a Support engineer.
- Log and update your case, and check its status.

View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at: http://support.quest.com/pdfs/global Support Guide.pdf

NOTES

1. 2007 Quest Software survey, referenced in "Justifying an Active Directory Disaster Recovery Plan", http://www.quest.com/landing/?id=696&prod=126
2. Microsoft, April 2007, "Changes in Functionality from Windows Server 2003 with SP1 to Windows Server Code Name Longhorn", page 136
3. Ibid., page 136.
4. Recovery Manager for Active Directory will support Windows Server 2008 by the time the new platform is released.