To be able to explore and recover necessary items within the Active Directory database files, make sure that you have a transactionally consistent backup of your Active Directory Domain Services server (a domain controller) created successfully. (For details, see the "Transaction Consistency" and "Enable Application-Aware Image Processing and Indexing" sections of Veeam Backup & Replication User Guide.) When planning for Active Directory objects restore, please be aware of the considerations and limitation described below.
The following logic is implemented in the Active Directory objects recovery process (except for Group Policy objects described later in this topic):
- If a tombstone object exists in the target Active Directory, Veeam will use this object for recovery. This will allow you to restore security attribute values including objectSID and objectGUID for recovered objects, which is especially important for security principals (including User, Computer, inetOrgPerson and Group objects).
To be able to restore from the tombstone objects, make sure that AD Recycle Bin feature is disabled (default setting) in the target domain.
- If no tombstone object exists in the target Active Directory, Veeam will create a new object during the recovery process and set all attributes to the same values as in corresponding object in the backup. However, these attributes (including security) will be new, which may result in losing access rights.
In case you need to restore a business-critical object for which a tombstone is missing, you can perform authoritative restore of entire domain from the old DC backups, which contain deleted object, and then refresh them using Veeam Explorer for Microsoft Active Directory and newer backups.
To read more about tombstone objects, refer to Microsoft TechNet at http://technet.microsoft.com/en-us/library/dd379542%28v=ws.10%29.aspx.
Also, consider the following when planning AD objects restore:
- To properly restore deleted objects and their attributes including SID and GUID, it is recommended that you carry out the restore procedure using Veeam Explorer for Microsoft Active Directory, as explained in this guide, and make sure that recovery was a success.
- Always use the backups which are newer than the tombstone lifetime interval for Active Directory forest.
- Remember that when you move an object from one domain to another within a forest (for example, using the Movetree.exe utility or any 3rd party tool), no tombstone for this object will remain in the source Active Directory. Thus, such an object cannot be fully recovered to the original domain.
- Consider that when Group Policy objects are restored from the backup, both Active Directory data (storing Group Policy Containers) and %Sysvol% data (storing Group Policy Templates) is involved. Therefore, for successful restore data should be consistent in these two locations. Restore logic is implemented as follows: existing Group Policy objects are deleted from target, and new ones from the backup are written there.
- Link attributes without the corresponding back link to deleted objects are not restored, if both deleted objects and links are restored in a single restore operation. To work around, you will need to perform the restore once again.
To determine a tombstone lifetime interval, you can use ADSIEdit or Dsquery as described in http://technet.microsoft.com/en-us/library/cc784932(v=ws.10).aspx.
In case you want to restore Active Directory Domain Services server as a whole, the recommendations provided in the series of Veeam blog posts at https://www.veeam.com/blog/how-to-recover-a-domain-controller-best-practices-for-ad-protection.html can be helpful.