Active Directory Backup
Veeam supports application-aware processing of both virtual and physical Microsoft Active Directory Domain Controller servers to ensure consistent backups of Active Directory.
Best Practices
For Microsoft Active Directory, it is essential to verify the tombstone lifetime settings as detailed in the Veeam Explorers User Guide.
While it is not necessary to back up all Microsoft Active Directory domain controllers (DCs), Microsoft best practices recommend regularly backing up at least two writable DCs per domain. This approach ensures multiple backup options. Note that restoring Active Directory from a backup of a read-only domain controller (RODC) is not supported.
It is advisable to back up the DCs that hold the most Flexible Single Master Operations (FSMO) roles. If these roles are not backed up, you will need to manually transfer them after a restore using the ntdsutil seize command. You can determine which domain controller holds which FSMO role by running the netdom query fsmo command.
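The checks above can be combined into one pre-backup review. The following PowerShell is an added example, not part of the Veeam documentation. It assumes the ActiveDirectory RSAT module is installed, and `$OldestRestorePointDays` is a hypothetical value you set yourself. It reads the tombstone lifetime, maps FSMO roles to their holders, and ranks writable DCs by the number of roles they hold.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

# Hypothetical value: age in days of the oldest restore point you expect to restore from.
$OldestRestorePointDays = 30

# tombstoneLifetime is stored on the Directory Service object in the configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties tombstoneLifetime
# An unset attribute means the built-in default of 60 days applies.
$tombstoneDays = if ($null -ne $dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }

$domain = Get-ADDomain
$forest = Get-ADForest

# Map each FSMO role to its current holder (same information as netdom query fsmo).
$fsmo = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# Writable DCs only: restoring Active Directory from an RODC backup is not supported.
$candidates = Get-ADDomainController -Filter * -Server $domain.DNSRoot |
    Where-Object { -not $_.IsReadOnly } |
    ForEach-Object {
        $dc = $_
        $roles = @($fsmo.GetEnumerator() | Where-Object { $_.Value -eq $dc.HostName } | ForEach-Object { $_.Key })
        [pscustomobject]@{ HostName = $dc.HostName; Site = $dc.Site; FsmoCount = $roles.Count; FsmoRoles = ($roles -join ', ') }
    } | Sort-Object @{ Expression = 'FsmoCount'; Descending = $true }, HostName

"Tombstone lifetime: $tombstoneDays days"
if ($OldestRestorePointDays -ge $tombstoneDays) {
    Write-Warning "Restore points of $OldestRestorePointDays days or older exceed the tombstone lifetime ($tombstoneDays days)."
}
if (@($candidates).Count -lt 2) {
    Write-Warning "Fewer than two writable DCs found in $($domain.DNSRoot)."
}
# DCs at the top of this list hold the most FSMO roles; include at least two in the backup job.
$candidates | Format-Table -AutoSize
```

Run it from a domain-joined management host; it only reads directory data and changes nothing.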
Job configuration
To ensure proper backup and restore of Active Directory Domain Controllers, the following configurations are required:
- Enable Application-Aware Image Processing: This option must be enabled in the job properties.
- Provide Sufficient Credentials: Use an account with administrator privileges. Optionally, a group-managed service account can be used. The account does not need to be a member of the Domain Admins group but must be part of the Administrators group within the domain.
By following these best practices and configurations, you can ensure reliable and consistent backups of your Active Directory environment.
References
- Veeam Explorer for AD Considerations
- Permissions to backup AD
- gMSA - Group-managed Service Accounts
- Microsoft - FSMO Roles