About Disaster Recovery for Identity for Active Directory
Disaster Recovery for Identity for Active Directory offers off-network abilities to manage on-premises domain controllers, including Active Directory® backup and restore operations, in the case of a disaster. Any modern business depends on uninterrupted network and computer systems for business continuity. Unforeseen outages, like directory service failures, can significantly disrupt operations. To mitigate such risks, critical infrastructure must be designed for swift recovery from failures.
The product leverages advanced technologies to minimize downtime resulting from Active Directory corruption or accidental modifications. This solution automates backups and enables rapid, remote recovery of data stores in Active Directory, and dramatically reduces the time required to restore Active Directory.
Disaster Recovery for Identity for Active Directory allows you to perform the following operations:
- Configure and manage backups using Backup Plans.
- Store Active Directory backups in the Quest Azure tenant.
- Configure and manage recovery of an Active Directory Forest.
- Restore Active Directory using the Restore to Clean OS method, allowing you to restore the entire forest or any of its parts on a freshly installed Windows machine.
- Set the recovery method for individual domain controllers to Install Active Directory.
- Schedule backup of domain controllers based on business needs.
- Verify recovery configurations to validate your Disaster Recovery Plan.
The solution simplifies and automates the process of preparing for and responding to disasters, such as the corruption of directory object data. These disasters can stem from hardware or software failures, or accidental human errors. Some examples of forest-wide failures include:
- None of the domain controllers can replicate with their replication partners.
- Changes cannot be made to Active Directory at any domain controller.
- New domain controllers cannot be installed in any domain.
- All domain controllers have been logically corrupted or physically damaged to a point that business continuity is impossible (for instance, all business applications that depend on Active Directory are non-functional).
- A rogue administrator has compromised the Active Directory environment.
- An adversary intentionally or an administrator accidentally runs a script that spreads data corruption across the Active Directory Forest.
- An adversary intentionally or an administrator accidentally extends the Active Directory schema with malicious or conflicting changes.
Disaster Recovery for Identity for Active Directory can be started from the Quest On Demand single SaaS command point. For more information about Quest On Demand, see the Quest On Demand product documentation.
To access On Demand, you need to provide On Demand credentials or use your existing Quest Software account. For more details, see Signing up for Quest On Demand in the On Demand Global Settings User Guide.
The following sections describe how to configure and work with Disaster Recovery for Identity for Active Directory:
Disaster Recovery for Identity for Active Directory Module Overview
The user interface of the administrative console consists of six main screens. The main screen, called Environments, is opened by clicking Recover in the left-hand navigation panel, and then Active Directory.
The Environments screen is your starting screen. On this screen, you can view all environments available and a summary of each environment, and create new environments for your Active Directory forests.
The Topology screen shows a list of domains and domain controllers linked to the Active Directory forest. You can also run forest discovery, manage Domain Controller Agents, and create Backup Plans from this screen.
The Backup screen allows the user to create and run Backup Plans, and shows a list of Backup Plans created by the user. The Backups screen also displays a list of backups created from the Backup Plan(s).
The Recovery screen allows you to create new Recovery Plans and view a summary of the Recovery Plans created by the user. The user can select a Recovery Plan to review details of the plan, update configurations, and perform Recovery Plan verification or environment recovery. When verification or recovery operations are running, the progress of the operation can be viewed by opening the Recovery Plan details from this screen.
The Events screen provides you with detailed information about errors and warnings that occur during discovery, backup, recovery and verification operations.
The Tasks screen allows you to view task statuses and manage them.
Before You Start
This section provides an overview of some key information that should be considered when using Disaster Recovery for Identity for Active Directory. Understanding this information is essential for effectively using the product and troubleshooting any issues that may arise.
Backup Considerations and Best Practices
How many domain controllers to back up?
This depends on the recovery strategy you choose for your environment. Refer to the Forest recovery strategies section in the Recovery Considerations and Best Practices page.
It is recommended to back up at least two domain controllers from each domain in the forest that are DNS servers and FSMO role holders.
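The following script is an added example (not Quest's code) that applies the guidance above: for every domain in the forest it lists the domain controllers that hold FSMO roles and run the DNS Server service, and warns when a domain has fewer than two such candidates. It assumes the ActiveDirectory RSAT module, Windows PowerShell 5.1 (for the `-ComputerName` parameter of `Get-Service`), and an account with forest-wide read access.

```powershell
# Added example, not part of the product. Requires the ActiveDirectory module (RSAT)
# and Windows PowerShell 5.1; run from a domain-joined host with read access to every domain.
Import-Module ActiveDirectory

$forest = Get-ADForest
$report = foreach ($domainName in $forest.Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domainName) {
        # The DNS Server service exists only on DCs that also act as DNS servers.
        $dns = Get-Service -Name DNS -ComputerName $dc.HostName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Domain      = $domainName
            DC          = $dc.HostName
            FsmoRoles   = ($dc.OperationMasterRoles -join ',')   # empty when the DC holds no role
            IsDnsServer = ($null -ne $dns -and $dns.Status -eq 'Running')
            IsGC        = $dc.IsGlobalCatalog
        }
    }
}

# Backup candidates per the guidance: FSMO role holders that also serve DNS.
$candidates = $report | Where-Object { $_.FsmoRoles -ne '' -and $_.IsDnsServer }
$candidates | Sort-Object Domain, DC | Format-Table -AutoSize

# Flag domains where fewer than two such DCs exist, so extra DCs can be added to the Backup Plan.
$report | Group-Object Domain | ForEach-Object {
    $n = @($_.Group | Where-Object { $_.FsmoRoles -ne '' -and $_.IsDnsServer }).Count
    if ($n -lt 2) {
        Write-Warning "$($_.Name): only $n FSMO-holding DNS server DC(s); choose additional DCs to back up."
    }
}
```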
Backup frequency
When deciding on how often to create backups, it is important to note that in case of a disaster, you will need recent and reliable backups. These backups should be created around the same time (within 24 hours) to minimize potential discrepancies after the forest recovery process. The product allows you to restore a domain in the forest to its prior state at the time of the last trusted backup. Consequently, the restore operation will result in the loss of at least the following Active Directory data:
- All objects (such as users and computers) that were added after the last trusted backup.
- All updates made to existing objects since the last trusted backup.
- All changes made to either the configuration partition or the schema partition in Active Directory since the last trusted backup (such as schema changes).
Quest recommends daily backups for each domain controller you want to be able to restore.
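As an added example (not Quest's code), the check below evaluates a set of backup records against the two rules stated above: every domain has a backup no older than 24 hours, and all backups in the set fall within a 24-hour window of each other. The records and the fixed "now" timestamp are constructed sample data; in practice the records would come from your backup inventory.

```powershell
# Added example, not part of the product. $backups is constructed sample data.
$now = [datetime]'2024-05-02T09:00:00Z'   # fixed reference time so the sample is reproducible
$backups = @(
    [pscustomobject]@{ Domain = 'corp.example';       DC = 'dc01.corp.example';       Taken = [datetime]'2024-05-02T01:05:00Z' }
    [pscustomobject]@{ Domain = 'corp.example';       DC = 'dc02.corp.example';       Taken = [datetime]'2024-05-02T01:40:00Z' }
    [pscustomobject]@{ Domain = 'child.corp.example'; DC = 'dc11.child.corp.example'; Taken = [datetime]'2024-04-30T23:10:00Z' }
)

function Test-BackupSet {
    param([datetime]$Now, [object[]]$Backups, [timespan]$MaxAge = [timespan]::FromHours(24))
    $problems = @()

    # Rule 1: each domain's newest backup must be recent (daily backups recommended).
    foreach ($group in $Backups | Group-Object Domain) {
        $newest = ($group.Group | Sort-Object Taken | Select-Object -Last 1).Taken
        $age = $Now - $newest
        if ($age -gt $MaxAge) {
            $problems += "$($group.Name): newest backup is $([int]$age.TotalHours)h old"
        }
    }

    # Rule 2: the whole set must lie within a 24-hour window so the recovered forest is consistent.
    $sorted = $Backups | Sort-Object Taken
    $spread = $sorted[-1].Taken - $sorted[0].Taken
    if ($spread -gt $MaxAge) {
        $problems += "backup set spans $([int]$spread.TotalHours)h; recovery point would be inconsistent"
    }
    return $problems
}

$findings = Test-BackupSet -Now $now -Backups $backups
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'Backup set is recent and consistent.' }
```

With the sample data, the child domain is flagged on both rules: its only backup is about 34 hours old and it puts the set outside the 24-hour window.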
Active Directory backups vs Windows System State backups
The Active Directory and Windows System State backups are very similar. The key components that the product backs up as part of the Active Directory system state are the Registry, the NTDS.dit file, and SYSVOL.
How do they differ?
- A Windows System State backup is a full backup of the Windows operating system; an Active Directory backup contains only the pieces of Active Directory that allow you to restore the domain controller on a clean operating system.
- Windows System State backups contain more components, not all of which are necessary for Active Directory recovery (e.g. IIS Metabase, Cluster Services).
- A Windows System State backup may contain viruses residing in operating system components.
- Windows System State backups are larger than Active Directory backups.
For the list of Windows System State backup components, see Microsoft documentation.
Disaster Recovery for Identity for Active Directory enables the backup and restoration of the following Active Directory components on domain controllers:
- DIT Database
- SYSVOL
- Registry, including all registry hives and the file NTUSER.DAT
Backup storage and encryption
Disaster Recovery for Identity for Active Directory encrypts backups with a password for added security. The passwords used for accessing backups are encrypted using organization-specific keys stored in Microsoft Azure Key Vault and are protected using the AES-256 algorithm. These passwords are unique, randomly generated, and each 16 characters long. The encrypted passwords are then stored as part of the backup metadata in the Azure SQL database. For details about encryption within Azure Key Vault, see the Privacy and Protection of Customer Data section in the Quest On Demand Global Settings Security Guide.
At rest, on-premises domain controller backups are stored in Azure Blob Storage and encrypted using AES-256 with the encryption key protected using PBKDF2 and SHA-2.