
Disaster Recovery for Identity Current - for Active Directory Security Guide

Overview of Data Handled by Disaster Recovery for Identity for Active Directory

Disaster Recovery for Identity for Active Directory manages the following types of customer data:

  • On-premises environment information including Active Directory domain names and domain controller names. Environment information is stored and protected in the SQL database.
  • Active Directory backup (.bkf) files stored in Geo-redundant Azure Blob Storage. Backups are replicated to a secondary region.
  • The application uses administrative account names and passwords to perform recovery operations. These credentials are stored encrypted with a unique per-organization encryption key that is itself stored separately in Azure Key Vault.
  • Application logs.

Admin Consent and Service Principals

Disaster Recovery for Identity for Active Directory does not require access to the customer’s Entra ID and Microsoft 365 tenants. The product works primarily through hybrid agents that communicate with the customer’s on-premises Active Directory. No service principal is created in the customer’s Entra tenant.

Location of Customer Data

When a customer signs up for On Demand, they select the region in which to run their On Demand organization. All computation is performed and all data is stored in the selected region. The currently supported regions can be found here: https://regions.quest-on-demand.com/. All replication datacenters reside within the geographic boundaries of the selected region.

Windows Azure Storage (including Blobs, Tables, and Queues) is replicated three times in the same datacenter for resiliency against hardware failure. The data is replicated across different fault domains to increase availability. See this Microsoft reference for more details: https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy.


Which types of data are stored in each service?

Azure Key Vault

  • Per organization encryption key.

Azure Blob Storage

  • On-premises domain controller backups uploaded from on-premises domain controller agent (or user defined proxy).
  • Cloud-generated recovery engine logs (domain names, domain controller names).

Azure SQL Database

  • Environment configuration (username and encrypted password).
  • On-premises Topology (forest name, domain names, domain controller names).
  • Backup Plan configuration (on-premises domain controller names).
  • Recovery Plan configuration (domain controllers, IP addresses, Site names, GC flags, FSMO roles, local/domain usernames and encrypted passwords).
  • Tasks and events, which can include details taken from error messages.
  • Backup metadata with domain, domain controller name, encrypted backup password and Blob name.

Azure Application Insights

  • Logs from all microservices (except on-premises agents).

Azure Service Bus

  • Operation logs (which can expose domain controller names).
  • Operation results (include on-premises Topology - domain and domain controller names).
  • ODJRS operation configuration.

SignalR

  • Computer names for operations and tasks.

ODJRS Plugin/IOT hub (from API to on-premises plugin or agent)

  • Topology Discovery (domain/forest name, username/password) sent to hybrid agent.
  • Backup domain controller configuration (target domain controller name and IP addresses) sent to hybrid agent.
  • Domain controller Restore configuration (target domain controller name and IP addresses) sent to hybrid agent.
  • Domain controller agent installation configuration (target domain controller name, IP Addresses, local administrator account and password).
  • Domain controller agent certificate for RPC communications.

Domain Controller Agent

  • Temporary domain controller backup before upload to Blob storage.
  • Domain controller agent communication key for RPC communications.


Datacenter locations

The following datacenters are used to store customer data:

For AU organizations

  • Backups are stored in Geo-redundant Azure Blob Storage – encrypted at rest:
    • Primary replica – Australia East
    • Secondary replica – Australia Southeast
  • Logs are stored in Azure Data Explorer – Australia East

For CA organizations

  • Backups are stored in Geo-redundant Azure Blob Storage – encrypted at rest:
    • Primary replica – Canada Central (Toronto)
    • Secondary replica – Canada East (Quebec City)
  • Logs are stored in Azure Data Explorer – Canada Central (Toronto)

For EU organizations

  • Backups are stored in Geo-redundant Azure Blob Storage – encrypted at rest:
    • Primary replica – North Europe (Ireland)
    • Secondary replica – West Europe (Netherlands)
  • Logs are stored in Azure Data Explorer – North Europe (Ireland) – encrypted at rest

For US organizations

  • Backups are stored in Geo-redundant Azure Blob Storage – encrypted at rest:
    • Primary replica – West US 2 (Washington)
    • Secondary replica – West Central US (Wyoming)
  • Logs are stored in Azure Data Explorer – West US 2 (Washington) – encrypted at rest

For UK organizations

  • Backups are stored in Geo-redundant Azure Blob Storage – encrypted at rest:
    • Primary replica – UK South
    • Secondary replica – UK West
  • Logs are stored in Azure Data Explorer – UK South – encrypted at rest

Privacy and Protection of Customer Data

The most sensitive customer data processed by Disaster Recovery for Identity for Active Directory is the on-premises Microsoft Active Directory data, including users, groups, and contacts and their associated properties. Disaster Recovery for Identity for Active Directory does not store or process end-user passwords of Active Directory objects (except the passwords of the domain administrator accounts supplied when configuring domains or domain controllers).

Each organization has its own blob storage container with an organization specific Encryption Scope.

Disaster Recovery for Identity for Active Directory encrypts backups with a password for added security. The passwords used for accessing backups are encrypted using organization-specific keys stored in Microsoft Azure Key Vault and are protected using the AES-256 algorithm. These passwords are unique, randomly generated, and each 16 characters long. The encrypted passwords are then stored as part of the backup metadata in the Azure SQL database. For details about encryption within Azure Key Vault, see the Privacy and Protection of Customer Data section in the Quest On Demand Global Settings Security Guide.

At rest, on-premises domain controller backups are stored in Azure Blob Storage and encrypted using AES-256, with the encryption key protected using PBKDF2 and SHA-2.

More information about Azure Queues, Tables, and Blobs can be found here:
