Use Azure Backup for Active Directory forest recovery requirements | Part 1

Background

An Active Directory Disaster Recovery (DR) plan should cover everything that is needed to perform a full Active Directory forest recovery. One of the initial recovery steps is the restore of the first writable Domain Controller in each domain of the Active Directory Forest, starting with the forest root domain.

Performing a full server recovery is easily achieved with Windows Server Backup, as an example. A full server backup would be required. Restoring the server requires booting the server with the Windows Server installation media, selecting Repair your computer and then using System Image Recovery with the latest server backup. These steps can be completed for virtual or physical machines on your on-premise infrastructure. A different process would need to be performed for servers deployed in Azure, since you cannot boot these servers with installation media.

Azure backup can be used for servers in Azure and on-premise infrastructure. It is a simple backup solution that doesn’t require on-premise backup infrastructure and provides secure, long term and short term storage of the data. Find more information on the benefits in the following article: What is Azure Backup? – Azure Backup | Microsoft Docs

Deploying a Domain Controller in Azure and protecting the Domain Controller with Azure Backup can simplify the process of performing regular Active Directory DR exercises. The Domain Controllers can be restored in an isolated Virtual Network (VNET) and all the resources created for the DR exercise can be easily deleted when the DR exercise is complete.

Performing DR on a regular basis validates the success and integrity of the backups, and can assist with updating and fine tuning of the DR documentation. The Operations Team also becomes more comfortable with every DR exercise, which means faster recovery when real disaster strikes.

You need a backup of one Domain Controller for each domain in the forest as a minimum requirement. Backing up at least two Domain Controllers per domain improves redundancy as you will have multiple backups to choose from when recovering. It is not recommended to restore an operations master role holder (FSMO role holder) unless you have a specific requirement for this.

Determining which backups to use

Determining which domain controllers to restore


Introduction

In this series I will demonstrate how to configure Azure Backup to protect a Domain Controller deployed in Azure. An initial backup will be performed which will then be used to restore the Azure Virtual Machine (VM) to an isolated Virtual Network. The VM restore will be tested by signing into the Domain Controller with the built-in Administrator account. This validates the successful backup and restore of the Domain Controller VM.

This is in no way a full Active Directory forest recovery guide as there are several additional steps required to complete the Active Directory DR scenario. Refer to the references section for further guidance on this.

Part 1 covers the configuration of Azure Backup and creation of backups for two Domain Controllers in Azure. I will configure backup for a Domain Controller in the forest root domain and a Domain Controller in the child domain.


Azure backup requirements

Enabling backup for a Virtual Machine (VM) in Azure requires the following:

  • Recovery Services vault
  • Resource group
  • Backup policy

These items can be created separately or they can be created when enabling backup from the VM Operation menu. I’ll provide a short description of each.


Recovery Services vault

A Recovery Services vault effectively stores all the backup date. You can store all your backups in a single vault or use several vaults to isolate backup data based on your needs. I prefer to create a separate vault for Active Directory backups to restrict access to the backup data.

Overview of Recovery Services vaults – Azure Backup | Microsoft Docs


Resource group

A resource group is a container that hold related resources in Azure. It can also be used to group resources with the same lifecycle. You can also control access to a resource group. I will use a new resource group for the Recovery Services vault.

Manage resource groups – Azure portal – Azure Resource Manager | Microsoft Docs


Backup policy

You create a backup policy to configure the backup schedule and retention period. The backup schedule is the time at which the backup should run and the retention period specifies how long each of the backups will be stored.

For backup and recovery of Active Directory, I will configure a daily backup starting at 2AM and a retention period of 60 days. Although the tombstone lifetime of my Active Directory forest is set to the default 180 days, I don’t want to recover Active Directory from a backup that is older than 60 days. Configure the backup start time according to your environment to ensure the backup completes before business hours.

The default value for the instant restore is 2 days. I’ve changed this to 1 day which is the minimum value allowed, as I won’t be using snapshots for my Domain Controllers.

Guidance and best practices – Azure Backup | Microsoft Docs


Enable backup on the first Domain Controller

The first Domain Controller is from the forest root domain.

Select the Backup option under the Operations section from the Virtual Machine menu in Azure. Select Create new under Recovery Services vault and enter a name for the vault.


This image has an empty alt attribute; its file name is image-9-1024x579.png

Under the Resource group section, select Create new and enter a name for the new resource group.


This image has an empty alt attribute; its file name is image-10-1024x579.png

Under Choose backup policy select Create a new policy.

  • Provide a name for the new backup policy.
  • Set the backup schedule frequency to daily.
  • Select the required start time and time zone.
  • Set instant restore to 1 day.
  • Set the retention range to 60 days.

This image has an empty alt attribute; its file name is image-11-1024x580.png

All the requirements have been provided. Select Enable Backup to complete the process.


This image has an empty alt attribute; its file name is image-12-1024x579.png

The deployment will take a few minutes to complete.



With the deployment complete, I can now go back to the backup menu on my Virtual Machine to verify that backup is configured. A manual backup can be completed using Backup now. If backup for the specific server is no longer required, select Stop backup and complete the required steps.



Let’s complete an initial backup of the server. A custom retention period can be specified when selecting Backup now. I’ll leave this on the provided value and select OK to start the backup.



The notification on the Azure Portal confirms that the backup job has started and that the progress can be viewed from the backup jobs page. Select View all jobs as shown in the image below:



The backup jobs blade will show the status of all previous backups and any backups that are currently in progress. The manual backup job is still in progress and will take some time to complete.



Performing the initial backup is also a good option to determine how long it takes for the backup to complete. This can be used to confirm that the backup start time specified in the backup policy allows for sufficient time for the backup job to complete. The manual backup on this server completed in just over an hour.



Enable backup on the second Domain Controller

The second Domain Controller is from the child domain in the Active Directory forest.

Enabling backup for the second server will be much faster since all the requirements are created already.

From the VM menu in Azure, select Backup from the Operations section. Under Recovery Services vault, select existing. Select the vault and backup policy created with the first Domain Controller and then select Enable Backup to complete.



The deployment will take a few minutes to complete. Once deployment is complete, go back to the Backup menu on the VM Operations section to start a manual backup, following the same process as with the first Domain Controller.


Summary

We configured Azure backup for two Domain Controllers, one from each domain in the forest, and completed a manual backup. The backup should now be validated by performing a VM restore in an isolated environment. This will ensure that the recovery process does not interfere wit the production environment, especially when restoring a Domain Controller.

Look out for part two where I will complete the VM restore in an isolated VNET.


Series

Use Azure Backup for Active Directory forest recovery requirements | Part 1

Use Azure Backup for Active Directory forest recovery requirements | Part 2


References

Active Directory Forest Recovery Guide | Microsoft Docs

AD Forest Recovery – Perform initial recovery | Microsoft Docs

AD Forest Recovery – Determining which backups to use | Microsoft Docs

AD Forest Recovery – Determining which domain controllers to restore | Microsoft Docs

AD Forest Recovery – Backing up a full server | Microsoft Docs

Overview of Recovery Services vaults – Azure Backup | Microsoft Docs

Manage resource groups – Azure portal – Azure Resource Manager | Microsoft Docs

Guidance and best practices – Azure Backup – Backup Policy considerations | Microsoft Docs


Active Directory Recovery Execution Service (ADRES)

Do you require guidance or support with your Active Directory Disaster Recovery plan? Contact your Microsoft Account Representative for further details on our Active Directory Recovery Execution Service.


Overview

Review common disaster recovery scenarios, determine the risks posed to your business, and execute the steps needed to recover from disaster. A Microsoft Engineer will work with you to create and test Active Directory recovery plans for forest recovery. This will significantly reduce the time it takes to recover from disaster scenarios impacting your Active Directory environment.


Author