T 2.127 Inadequate planning of data backup methods for domain controllers

If the wrong data backup methods are used to back up domain controllers in an Active Directory, operations within the affected domain could be impaired. The following problems can arise when the special role and the technical conditions of domain controllers are not taken into account when backing up the data:

The use of incompatible software to back up the data of the domain controllers can trigger unnecessary replications on the affected systems and therefore disrupt the operation of the Active Directory (see T 4.68 Disruptions in an Active Directory due to unnecessary file replication).

Furthermore, if the data backup methods are not planned, it cannot be ensured that the authorisations of the "backup operators" for the member servers in the domain are set restrictively enough. If inadequately restricted or unlimited rights are granted, then the "backup operators" could obtain administrative authorisations for the domain under certain circumstances and may therefore be able to circumvent the role concept.

Particularly in organisations with several locations, not planning the data backup could cause some branch offices to be forgotten, or remote backup solutions to be selected that do not adequately protect the data being backed up, which could then enable someone to read security-related Active Directory data during transmission.

If the data backup interval selected is too long, then under certain circumstances recovering a domain controller can restore Active Directory objects that have been marked for deletion and whose service life has already expired. This can lead to replication problems between domain controllers and therefore to inconsistencies in the data.
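
One way to check the backup interval against this limit, as an added example that is not part of the original catalogue text. It assumes the "service life" above corresponds to the forest's tombstoneLifetime attribute, that the RSAT ActiveDirectory module is installed, and that backups are made with an Active Directory-aware tool so that they are recorded on the partition; the function name Test-BackupAge is hypothetical.

```powershell
Import-Module ActiveDirectory   # RSAT Active Directory module (assumed installed)

# Hypothetical helper: compare the age of a backup with the tombstone lifetime.
function Test-BackupAge {
    param(
        [Parameter(Mandatory)][datetime]$LastBackup,
        [Parameter(Mandatory)][int]$TombstoneDays,
        [datetime]$Now = (Get-Date)
    )
    $ageDays = [math]::Floor(($Now - $LastBackup).TotalDays)
    [pscustomobject]@{
        AgeDays    = $ageDays
        LimitDays  = $TombstoneDays
        # A backup at or beyond the limit can bring back objects that the
        # other domain controllers have already removed for good.
        Restorable = $ageDays -lt $TombstoneDays
    }
}

$root = Get-ADRootDSE
$dsDn = "CN=Directory Service,CN=Windows NT,CN=Services,$($root.configurationNamingContext)"
$days = (Get-ADObject -Identity $dsDn -Properties tombstoneLifetime).tombstoneLifetime
if (-not $days) { $days = 60 }   # an unset attribute means the 60-day default

foreach ($nc in $root.namingContexts) {
    # A backup updates dSASignature on the partition head; its replication
    # metadata therefore carries the time of the last recorded backup.
    $meta = Get-ADReplicationAttributeMetadata -Object $nc `
                -Server $root.dnsHostName -Properties dSASignature
    if (-not $meta) {
        Write-Warning "$nc : no backup recorded"
        continue
    }
    $result = Test-BackupAge -LastBackup $meta.LastOriginatingChangeTime -TombstoneDays $days
    if ($result.Restorable) {
        Write-Output "$nc : last backup $($result.AgeDays) days old (limit $days)"
    } else {
        Write-Warning "$nc : last backup $($result.AgeDays) days old, exceeds limit of $days days"
    }
}
```

The recorded time applies to each directory partition as a whole, not to an individual domain controller, so the check shows whether any usable backup of the partition exists within the limit.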