How to configure AD backup

Introduction

This document describes the process to back up and restore Active Directory. The Active Directory iDataAgent along with the Windows File System iDataAgent provides complete data protection for a domain controller and other computers in a domain. It can also secure LDS/ADAM attributes.

Prerequisites

This section covers the system and service-account requirements for the Active Directory Agent.

System requirements: The Active Directory Agent is supported on the following operating systems:

Operating System        Editions
Windows Server 2019     Microsoft Windows Server 2019 Editions
Windows Server 2016     Microsoft Windows Server 2016 Editions

It is recommended that your Active Directory server has DNS services configured.

Service Account requirements with permissions: The service account must have the following permissions for performing a backup and restore operation:

Be a member of the Domain Administrator Group.

Be able to access the Active Directory deleted object container or the tombstone.

At a minimum, have Read, Change and Create Child Objects permissions in the Active Directory domain.

Note: You can still use an account that is not in the domain to perform backups. The account must have Read, Change and Create Child Objects permissions in the Active Directory domain. However, DNS Zones are not backed up using that account.

What is backed up, what is not, and limitations

This section covers the following:

  • What cannot be backed up, with any limitations: none; all Active Directory components are backed up.

  • What can be restored, with any limitations: attributes on each of the following supported Windows object types are restored:

Computer

Contact

Group

InetOrgPerson

MSMQ Queue Alias

Organizational Unit

Printer

User

Shared Folder

Configuration

Schema

ForestDNSZones

DomainDNSZones

Limitation: Due to a Microsoft limitation, the following attributes are backed up but cannot be restored in place. If an attribute's Update Privilege value is set by the system, that attribute cannot be restored in place. For example, the Bad-Password-Time attribute is not restored in place because its Update Privilege value is set by the system.

  • ObjectGUID

  • ObjectSid

  • PrimaryGroupID

  • BadPasswordTime

  • LastLogoff

  • LastLogon

  • MemberOf

  • PwdLastSet (only if adldaptool.exe was executed before the backup)

  • USNChanged

  • USNCreated

  • WhenChanged

  • WhenCreated

  • DistinguishedName

  • UserAccountControl

  • Delete Objects

  • rootDSE object

  • SID-History (only if adldaptool.exe was executed before the backup)

  • GivenName (the Active Directory Agent uses the Distinguished Name (DN) to locate the object in live AD during a restore operation. GivenName is part of the user's DN. If a user name is changed or the user is renamed, the AD object cannot be located for restores. In that case, the restore operation.)

Procedure

You must run the adLdapTool.exe on the client computer before you perform your first backup to enable restores of passwords for users and computers.

The adLdapTool sets the following values for the searchFlags attribute of the Unicode-Pwd and SID-History attribute definitions found under CN=Schema,CN=Configuration:

Value for Unicode-Pwd: 0x00000008

Value for SID-History: 0x00000009

With this setting, Active Directory preserves these two attributes when an object is deleted.

1. Log on to the server using a user account that has administrative privileges.

2. On the command line, go to software_installation_directory/Base, and then type the following command:

adLdapTool.exe <domain_name\domain_administrator_user_name> <password> -hostserver <fully_qualified_directory_host_server_name> -port 389 <LDAP_port_number> -setschema 1
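The following read-only PowerShell check is an added example; it is not part of the original page or of the vendor's adLdapTool. It verifies, after the procedure above has been run, that the searchFlags values the page lists are actually present on the Unicode-Pwd and SID-History schema definitions, and that the account running it can read the Deleted Objects container (the tombstone access the service-account section requires). It assumes the RSAT ActiveDirectory module is installed on a domain-joined host; the mapping of bit 0x8 to the preserve-on-delete flag (fPRESERVEONDELETE in MS-ADTS 2.2.9) is background knowledge, not something the page states.

```powershell
# Added example: verify the adLdapTool schema change and tombstone access.
# Read-only; run in PowerShell on a domain-joined host with RSAT (ActiveDirectory module).
Import-Module ActiveDirectory -ErrorAction Stop

# searchFlags bit 0x8 = fPRESERVEONDELETE (MS-ADTS 2.2.9). The page gives the full
# values written by the tool: 0x8 for Unicode-Pwd, 0x9 for SID-History
# (0x9 = 0x8 preserve-on-delete + 0x1 indexed).
$PreserveOnDelete = 0x8
$Expected = [ordered]@{ 'Unicode-Pwd' = 0x8; 'SID-History' = 0x9 }

$rootDse   = Get-ADRootDSE
$schemaNC  = $rootDse.schemaNamingContext
$configNC  = $rootDse.configurationNamingContext
$defaultNC = $rootDse.defaultNamingContext

function Test-PreserveOnDeleteFlag {
    param([string]$Cn, [int]$ExpectedValue)
    # Schema attribute definitions are direct children of the schema NC, keyed by cn.
    $attr = Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=attributeSchema)(cn=$Cn))" `
        -Properties searchFlags, lDAPDisplayName
    if (-not $attr) {
        return [pscustomobject]@{ Attribute = $Cn; Found = $false }
    }
    $flags = [int]$attr.searchFlags   # unset searchFlags reads as 0
    [pscustomobject]@{
        Attribute        = $Cn
        Found            = $true
        lDAPDisplayName  = $attr.lDAPDisplayName
        searchFlags      = ('0x{0:X8}' -f $flags)
        PreserveOnDelete = (($flags -band $PreserveOnDelete) -ne 0)   # the bit that matters for restores
        MatchesExpected  = ($flags -eq $ExpectedValue)                 # stricter: exact value from the page
    }
}

"== Schema searchFlags check =="
$Expected.GetEnumerator() |
    ForEach-Object { Test-PreserveOnDeleteFlag -Cn $_.Key -ExpectedValue $_.Value } |
    Format-Table -AutoSize

"== Tombstone / Deleted Objects access check =="
try {
    # The container always exists, so an error here is an access problem, not missing data.
    $tombstones = Get-ADObject -IncludeDeletedObjects `
        -SearchBase "CN=Deleted Objects,$defaultNC" `
        -LDAPFilter '(isDeleted=TRUE)' -ResultSetSize 5 -ErrorAction Stop
    "Deleted Objects container is readable; {0} tombstoned object(s) returned in a sample of up to 5." -f @($tombstones).Count
} catch {
    "Cannot read CN=Deleted Objects,$defaultNC : $($_.Exception.Message)"
}

# How long tombstones are retained (days); unset means the forest default applies.
$dsSettings = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
    -Properties tombstoneLifetime
if ($dsSettings.tombstoneLifetime) {
    "tombstoneLifetime: $($dsSettings.tombstoneLifetime) days"
} else {
    "tombstoneLifetime: not set (forest default applies)"
}
```

MatchesExpected is deliberately stricter than PreserveOnDelete: if your schema already carried other searchFlags bits on these attributes, the exact value from the page will not match even though the preserve-on-delete bit is set, so treat PreserveOnDelete as the pass/fail criterion and MatchesExpected as confirmation that the tool wrote exactly what the page describes.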
