Decision Maker

Back Up Active Directory and GPOs

Active Directory is obviously a critical part of your infrastructure -- so what are you doing to protect it?

• By Don Jones
• 05/01/2010

Active Directory is obviously a critical part of your infrastructure -- so what are you doing to protect it? Furthermore, what are you doing to protect the important Group Policy Objects (GPOs) that help configure and secure both client and server computers in your organization?

Windows native backup capabilities for AD are pretty straightforward: Windows Server Backup can grab a server's system state, and when you do this on a domain controller (DC) you're also grabbing the AD database. You'll need to explicitly grab the GPO files that sit on the disk, however, because those aren't in the AD database. Using those backups can be troublesome because Windows Server Backup doesn't support online restores. Instead, you'll be taking a DC offline to perform an authoritative restore of the directory. Recovering a single object -- such as an accidentally deleted user -- can be time-consuming when done this way.

Windows Server 2008 R2 adds a new Active Directory Recycle Bin feature that provides some basic single-object recovery. It doesn't rely on backups; rather, it copies deleted objects to a special container in AD. You'll still need to use low-level tools to recover objects because there isn't actually a "recycle bin" icon in any of the native tools.

This feature must be explicitly enabled and is only available in domains running at the Windows Server 2008 R2 functional level. The feature doesn't provide coordination for multi-object recovery, such as recovering an entire organizational unit (OU) and all of the user accounts that were in it.

Group Policy backups are handled separately: You can manually use the Group Policy Management Console to back up GPO files, or in Windows Server 2008 R2 you can use the Group Policy Windows PowerShell module to run backups, either manually or as a scheduled task. The native tools don't really provide a means of comparing backups to current versions of a GPO, meaning that it's absolutely critical that you document GPO changes and backups.

Going Commercial
There has long been a market for commercial solutions in this space: Quest Software, NetPro Computing (which is now part of Quest), NetWrix, Symantec and dozens of others all offer tools to bring AD objects back from the dead.

These tools typically offer a graphical recycle bin, either as a stand-alone tool or as an add-in to the Active Directory Users and Computers console. They perform single-object recovery without taking a DC offline, and most will help coordinate dependencies -- like restoring associated groups, OUs or other items as needed to completely recover an object. Many can recover individual attributes, too, enabling you to undo specific granular changes without rolling back others.

The same manufacturers often offer a GPO recovery product, as well, and typically provide features to compare a backed-up GPO to a current version -- sometimes even across domains. This can enable single-setting recovery, making it easier to undo a specific change more easily.

Many of these tools rely on point-in-time backups, meaning that an object that's created and deleted in between backups may not be recoverable. In those cases, the Windows Server 2008 R2 recycle bin feature -- which doesn't rely on backups, but rather copies objects as they're deleted -- can be a complementary recovery technique.

The Decision
My feeling is that all but the very smallest organizations should supplement Windows native capabilities with a commercial AD/GPO backup solution. If you have more than one or two DCs, then the added flexibility of online, single-object recovery -- through a GUI, not through AD restore mode or a low-level tool -- can save an incredible amount of time when a recovery is necessary. Look for tools that support frequent backups or that can be incorporated into a change-management process. For example, if all new AD objects are created at a certain time in your organization, then scheduling a directory backup immediately after those changes are made can help ensure that nothing is ever subject to loss. GPOs can be backed up immediately after any changes are made, as well -- and GPOs are more commonly managed under change-control processes, making it easier to add a specific backup step to that process.

I have mixed feelings about the recycle bin feature in Windows Server 2008 R2. Microsoft doesn't intend it to replace more robust third-party offerings; it's mainly intended as a bare-minimum feature for smaller environments that simply can't afford any kind of third-party recovery tools. There's been a lot of community-based hype around the feature that builds it up to be something it isn't. So if you do opt to use the feature, just take the time to understand what it really does and doesn't do. Also, given its requirement for an all-Windows Server 2008 R2 domain, it will be some time before the feature is even an option for many companies.

Should Microsoft have included more robust AD/GPO recovery capabilities in the native toolset? I don't think so. The reason so many vendors play in this space is that each one approaches the problem somewhat differently, and each resulting solution works slightly better for different types of companies.

A more robust native solution from Micrsoft would kill off the third-party diversity and force us into a one-size-fits-all approach.