
How To Backup Active Directory: The Complete Guide

Active Directory is a very important part of any IT infrastructure. It stores information about how computers are managed in your network, how they connect to each other, and how they authenticate users. A good backup strategy for Active Directory will protect this data against accidental deletion or corruption. This blog post provides you with background on Active Directory backup best practices, the different types of backups that can be made, and how it can be done using tools like Windows Server Backup.

Do I Need to Back Up Active Directory

There’s a school of thought among administrators that if you have multiple domain controllers dispersed across diverse geographic areas, you don’t need to back up your AD at all. This isn’t always the case. In fact, if you only have one domain controller and it’s located in a single physical location, then your AD is more vulnerable to a disaster than if you had multiple domain controllers.

A good backup strategy for Active Directory will protect your data against accidental deletion or corruption. It’s important to remember that your AD database contains the entire directory infrastructure of your company, including all users, groups, organizational units (OUs), and computer objects. If this data is lost or corrupted, it can be difficult – or even impossible – to recover.

What you should know

You need to know some things first before attempting an Active Directory backup and restoration. 

  • The first thing you need to know is how your Active Directory is structured. You need to understand the layout of your domain, including which domains and forests it’s a part of, and how the objects are organized within those domains. 
  • The second thing you need to know is what data needs to be backed up. Not everything in Active Directory needs to be backed up – only the data that you will require if you have to rebuild your directory from scratch. This includes user accounts, groups, OUs, computer objects, and any other data that is specific to your organization. 

Methods for backing up Active Directory

There are several methods for backing up Active Directory: 

  1. Using Windows Server Backup (WSB) 
  2. Using a third party tool 
  3. Creating and manually swapping offline media (backup tapes or disks) 

WSB is included with Windows Server 2008 R2, Windows Server 2012, and newer. It’s the most widely used method for backing up Active Directory because it comes preinstalled on all of those operating systems. WSB has several backup options that you can choose from: Full server (all volumes), System state only, Critical volume(s). However, there are some limitations to how you can use this software – read more about them here.

Third party tools like Altaro Backup make things easier by allowing users to back up multiple servers simultaneously and store backups in one central location (the cloud or your own network share).

Another solution is to use freeware called NTOP. It’s written in C++ and allows you to view real-time performance data of your domain controllers, back up the Active Directory database (ntds.dit), list all login sessions, etc.

Backing Up an Active Directory with Windows Server Backup

Windows Server 2012 includes the Windows Server Backup tool, which provides a simple way to back up an Active Directory. To use Windows Server Backup, you’ll need to install the role service on a server running Windows Server 2012.

The first step is to create a backup job. In the Windows Server Backup console, right-click on the name of your server and select “Backup”. The next screen will ask how you want to back up your data. Select “Active Directory”, then click “Next”.

On the next screen, you’ll be asked where to store your backups. You can choose any location that meets your needs, but it’s important to remember that the backups must be accessible from all domain controllers in your forest. For this reason, we recommend storing them on a network share or an external hard drive.

Click “Next” and then “Start Backup”. The backup process will begin. You’ll see a progress bar that indicates how much of the data has been backed up. When the backup is complete, you’ll receive a notification telling you so.

Manent User Guide

Installing Manent

Requirements (Windows)

None. Manent for Windows now comes with an installer and uses a standalone compiled executable.

Requirements

  1. Python 2.5.x (and above)
  2. pycrypto
  3. paramiko
  4. (for serving FTP): pyftpdlib

Choosing an encryption key

Use a long encryption key with lots of entropy. I generated my key with the following Python code:

import base64, os

# 30 random bytes from the OS CSPRNG, base64-encoded to 40 printable characters.
# Parenthesised print works on both Python 2.5+ and Python 3.
print(base64.b64encode(os.urandom(30)).decode("ascii"))

Keep the key in a safe place. If your data is completely lost, the key is the critical piece of data necessary to access it again.

The encryption algorithm works as follows. For every container, a random 32-byte value R is generated by os.urandom(). This value is concatenated with your key and a SHA-512 digest is computed over the result. That digest is used to seed an RC4 generator, whose keystream is XOR’ed with the data. The value of R is stored in the container, and the same process is repeated to decrypt the container contents. The container is checksummed with MD5, and the checksum is stored under encryption.

If anybody sees weaknesses in this scheme, please let me know.
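As an added worked example, not Manent’s own code (which uses pycrypto), here is the container scheme described above in Python 3 with an inline RC4. Two details the description leaves open are assumptions here: R is prepended to the container, and the MD5 digest is appended to the plaintext before encryption. The key and data values are constructed samples.

```python
import hashlib
import os


def _rc4_keystream(seed: bytes, length: int) -> bytes:
    """RC4 keystream (KSA + PRGA) keyed with `seed`.

    Implemented inline so the example runs without pycrypto. RC4 keys are
    at most 256 bytes, so the 64-byte SHA-512 digest fits.
    """
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + seed[i % len(seed)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _xor(data: bytes, keystream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream))


def encrypt_container(key: bytes, plaintext: bytes, R: bytes = None) -> bytes:
    """Build a container as the guide describes it.

    Layout (assumed; the guide does not fix the byte order):
        R (32 bytes) || RC4_{SHA512(R || key)}( plaintext || MD5(plaintext) )
    `R` may be supplied to make the output reproducible in tests.
    """
    if R is None:
        R = os.urandom(32)
    if len(R) != 32:
        raise ValueError("R must be 32 bytes")
    seed = hashlib.sha512(R + key).digest()
    body = plaintext + hashlib.md5(plaintext).digest()   # checksum stored under encryption
    return R + _xor(body, _rc4_keystream(seed, len(body)))


def decrypt_container(key: bytes, container: bytes) -> bytes:
    """Reverse encrypt_container; raise ValueError if the checksum fails."""
    if len(container) < 32 + 16:
        raise ValueError("container too short")
    R, ciphertext = container[:32], container[32:]
    seed = hashlib.sha512(R + key).digest()
    body = _xor(ciphertext, _rc4_keystream(seed, len(ciphertext)))
    plaintext, digest = body[:-16], body[-16:]
    if hashlib.md5(plaintext).digest() != digest:
        raise ValueError("checksum mismatch: wrong key or damaged container")
    return plaintext


def is_rejected(key: bytes, container: bytes) -> bool:
    """True if decryption refuses the container (wrong key or corruption)."""
    try:
        decrypt_container(key, container)
    except ValueError:
        return True
    return False


def flip_bit(container: bytes, offset: int = 32) -> bytes:
    """Simulate storage corruption: flip one bit at `offset` (default: first encrypted byte)."""
    b = bytearray(container)
    b[offset] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-reuse"         # constructed sample key
    blob = encrypt_container(key, b"constructed sample container contents")
    print(len(blob), decrypt_container(key, blob))
    print("corruption detected:", is_rejected(key, flip_bit(blob)))
```

The encrypted MD5 lets decryption refuse a container that was damaged in storage or opened with the wrong key, which is what the `flip_bit` check exercises. Two facts worth keeping in mind when reading the scheme: RC4 is deprecated (RFC 7465 prohibits it in TLS because of keystream biases), and an unkeyed checksum under a stream cipher is a corruption detector, not a message authentication code; a current design would pair the cipher with a keyed MAC or use an AEAD mode.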

Linux notes

Just get the mentioned packages with your favorite package manager.

Win32 notes

Download and run the installer. After that, just run “manent” from cmd.

Win32 From Source notes (OBSOLETE)

  • Don’t try to build everything from source, as there is no Win32 installer and it would be a mess to install it manually. Grab the binary Python distribution from either python.org or from the ActivePython distro.
  • Download the pre-built pycrypto version for Python 2.5 from here. Do not try to compile it from source, as it requires a VS 2003 compiler which is no longer being distributed by Microsoft.

NOTE: pycrypto install on Vista works, but does not set the environment correctly. You’ll have to do that manually (in my case, I had to set “PYTHONPATH=c:\inst\python252\Lib\site-packages”).

NOTE 2: paramiko installation is strange: if you run “python setup.py install” from cmd, it will work only in cmd. If you run “python setup.py install” in cygwin, it will work only in cygwin.

  • Paramiko can be installed as usual (does not require compiling C code).

Cygwin notes

NOTE: Cygwin does not support unicode file names. Cygwin is not supported anymore, use at your own risk.

  • Install Cygwin’s python (it’s 2.5.1 as of this writing), and Cygwin’s python-crypto. Cygwin’s paramiko is broken, so don’t bother with it. Instead, get fresh paramiko sources from the website and install them with “python setup.py install”.

Usage

It is a good idea to run the tests before using a new version. Contact the authors or file a ticket if any problem is found.

Configure the backup:

  1. Create a backup instance under the label <name>:
       python Manent.py create <name>
  2. Choose the data path for the backup labelled <name>:
       python Manent.py configure <name> set data_path=/home/<user>
  3. Set up the target storage for the backup labelled <name>.
     If you are backing up into a local directory:
       python Manent.py configure <name> add_storage type=directory \
         path=<path within server> encryption_key=<key>
     FTP server:
       python Manent.py configure <name> add_storage type=ftp \
         host=<server> user=<user> password=<password> \
         path=<path within server> encryption_key=<key>
     SFTP server:
       python Manent.py configure <name> add_storage type=sftp \
         host=<server> user=<user> password=<password> \
         path=<path within server> encryption_key=<key>
     With sftp, you can omit the password, and Manent will try to connect to the host with your ssh keys.

Back up the current data

python Manent.py backup <name>

This creates a new backup increment. Increments are numbered consecutively, starting from 0.

Restore from backup

The storage and increment indexes are explained later:

python Manent.py restore <name> storage=<index> increment=<index> target=<path>

Experimental: Access the backup interactively

python Manent.py ftp <name> port=<port>

Runs a local ftp server that provides access to all the backup increments. The server runs with username="user" and an empty password.

Files can be browsed and downloaded. Note that no network connection is necessary when browsing, but is needed if you download data.

Test the backup instance labelled <name>

This actually downloads all the relevant data from the storage location and tries to reconstruct it to see that everything is accessible, but without creating the files themselves:

python Manent.py test <name> storage=<index> increment=<index>

  • To see more detailed reporting, increase the logging level by setting the environment variable MANENT_LOGGING_LEVEL=DEBUG. For example, in bash:
      MANENT_LOGGING_LEVEL=DEBUG python Manent.py backup <name>