S 6.108 Data backup for domain controllers
Initiation responsibility: Head of IT, IS Management Team
Implementation responsibility: Administrator
Since domain controllers usually allow central authentication and authorisation tasks to be performed to access important resources in the network, the failure of a domain controller can immediately lead to serious disruptions in the network. For this reason, a suitable data backup procedure must be specified for the domain controllers since they are central IT components. The procedure should be documented in the data backup concept of the organisation or in a separate data backup policy. The basic approach is described in module S 1.4 Data backup policy. Furthermore, additional special features specific to domain controllers must be taken into account during the development of the data backup policy for the Active Directory. This policy should take the following aspects into account:
- Data backups must be performed regularly and in a traceable manner on domain controllers.
- Organisation-wide general user accounts should not be used for data backups.
- Data backup systems should only be installed at locations where the security of the hardware and media is guaranteed.
- The ability to restore the domain controllers using the backup media must be tested regularly.
- Data backup media to be disposed of must be destroyed.
- In addition to the aspects to be considered for conventional server backups, it is also necessary to consider the following points for domain controllers.
The restoration of a failed domain controller is rarely performed using only data backup media. One proven method for restoring a domain controller is to promote a member server to the domain controller role and then replicate the Active Directory data of another domain controller. However, this method can only be used when using several domain controllers and at least one valid replica of the Active Directory is still available after the failure of one or more systems.
If there is only one domain controller or there is no Active Directory replica available any more after the failure of the domain controllers, then the domain controllers must be restored from the data backup media. It must be taken into account in this case that problems can arise under some circumstances such as faulty backup media, incomplete restoration procedures, or a lack of familiarity with the procedure on the part of the person responsible. To counteract these problems, it must be ensured that the administrators are familiar with the restoration procedure for the overall structure.
Selection of compatible backup software
If the metadata of the files to be backed up are not handled correctly by the data backup program, then this can lead to increased file replication by the file replication service (FRS) just as is the case when using an unsuitable virus protection program (see T 4.68 Disruptions in an Active Directory due to unnecessary file replication).
As is the case when using virus protection programs (see S 2.414 Computer virus protection for domain controllers), it is absolutely necessary when selecting the data backup software to ensure that the software to be used to back up the data of the domain controllers has been approved for use by the manufacturer.
Special security requirements
The service account used to secure the domain controller must have service administrator rights, which means it has extensive rights. To prevent the misuse of these rights, the group of users with access to this account should be kept as small as possible.
For this reason, it is recommended to use a different service account for the backup agents on the domain controllers than is used on the other servers in the organisation. The use of different user accounts on domain controllers and other servers also provides the domain controllers with additional protection in cases where a conventional server in the organisation becomes compromised.
Furthermore, membership in the Backup Operators group should be restricted to those users who are needed to back up the data of the system files. Users who are responsible for backing up application data should not be members of the Backup Operators group on the domain controller. Instead, these users should be entered as members of the local group of Backup Operators on the corresponding application server.
The Backup Operators domain group has no special protection by default. To obtain the corresponding protection, access to the corresponding AdminSDHolder object (container object used to store authorisations) should be controlled as strictly as possible (see Adapting Access Protection for the Backup Operators domain group in the Resources for the Active Directory).
Backups of the data of the domain controllers must be performed at regular intervals. When specifying a suitable backup interval, it must be taken into account that the Active Directory objects marked for deletion are not deleted directly from the Active Directory, but are placed in a special container of the Active Directory ("Deleted objects") first. The objects marked for deletion are referred to as outdated or tombstone objects.
The outdated objects are permanently deleted after a certain user-defined time (default: 60 days). The advantage of this method is that it is possible during this time period to reactivate objects which have supposedly been deleted.
The account is disabled during deletion so that it cannot be used any more. If it is determined, though, that the account was deleted too soon, it is still possible to restore it more quickly.
To avoid problems during replication, it should be ensured that the data backups do not contain any outdated objects (or at least as few outdated objects as possible) whose service life has expired. To ensure this is the case, the backup media should be overwritten when performing regular backups after about 75% of the service life of the outdated objects has expired. This means the data should be backed up as often as possible, but that the backup media will be overwritten after 45 days (for an object service life of 60 days) by new backups to guarantee that the outdated objects cannot be restored any more.
Since the data backup media for the domain controllers contain all the information in the Active Directory database, the same physical security precautions should be taken for these media as for the domain controllers (see S 4.313 Provision of secure domain controllers, Physical security section for more information). It is especially necessary for backups in branch offices to examine if adequate security can be guaranteed for the backup hardware and backup media. The following options are available for this purpose:
- The data of the domain controllers in the branch offices are not backed up.
- The data in the branch offices is backed up with the help of remote backup systems (offline media) located in secure computer centres.
- The data in the branch offices is backed up with the help of local backups to data media (online media).
These options must be examined in terms of the time and effort required for administration, the delay caused by restoration, and the level of security that can be guaranteed. The condition and the usefulness of the data backup media must be checked at regular intervals by performing actual data restorations.
The backup media used on-site must be stored at a secure and monitored location to prevent changes to the data or theft of the media. The media themselves should only be used during data backups and restorations and should only be placed in the corresponding drives. Procedures should also be specified that require the signatures of authorised administrators to obtain data media from the archives.
Selection of the domain controllers to be backed up
If the domain controllers are spread between several sites (e.g. in branch offices), then data backup solutions should be selected that allow the backup procedure and the media used for this purpose to be adequately protected. It must be ensured that the data backup policy is adequately implemented at all sites and for all domain controllers. If there is a site that does not have a secure storage location available for the backup media, then the backup media should be moved to a suitable location.
It is possible to use remote solutions for branch offices. In this case, the data to be backed up is collected over the network by a central location. The following points should be taken into account when considering the use of a remote data backup solution:
- The integrity and confidentiality of the data must be protected during transmission over the network by suitable safeguards, for example by encrypting the data to be backed up before or during transmission.
- Adequate bandwidth must be available so operations and the data backup itself are not disrupted while executing a remote backup.
- If the data backups are performed locally first at the sites and then collected by a central location from the backup media, then access must be protected accordingly, for example by restricting access to the file shares containing the temporarily stored local data backups to the domain administrators only.
Incremental backups
Incremental data backup procedures are often used for system files to save storage space when backing up the corresponding data. In this procedure, only the files that have changed since the last data backup are actually backed up. However, more time will be required to restore the data when this procedure is used. Incremental data backups should not be executed on domain controllers, and manufacturers also recommend not using incremental backups.
Restoration methods
If incremental data backups are generated in spite of this, then only the data created since the last full backup will be backed up in this case. Older data is not taken into account. In some cases, though, it may be necessary to restore older data states and replicate them accordingly, for example in the course of a rollback operation. The data affected in this case can be prioritised for replication with the help of the ntdsutil command line tool. The prioritisation specifies which data will be restored from the backup and which data should be kept as is. For this reason, the data should be prioritised carefully because otherwise it will be possible to create inconsistencies in the overall structure such as locked or invalid user accounts suddenly becoming available again.
The backup and restoration of the data of domain controllers by creating an image is not recommended due to the inconsistencies arising in the USN (Update Sequence Number) rollback.
Adequate availability of backups
In order to ensure the data backups will also be available in an emergency, each backup must be checked upon completion to ensure it was executed correctly and without errors.
The data backups should be examined regularly in all domains to ensure the following three aspects are guaranteed:
- It must be ensured that an adequate number of domain controllers were backed up successfully in the week in question.
- It must be ensured that the backup media used are clearly labelled with the unique identifier of the domain controller, that the date is written on the data backup, and that the backup media are stored securely. The label on the backup media should also include the function of the domain controller so that it is easier to identify the corresponding domain controller later.
- If a data backup is unsuccessful, then the error should be eliminated as quickly as possible.
It must also be tested at regular intervals whether or not the data can be restored from the data backups. Backup media that have passed the test should be marked accordingly. These tests must be performed in a special test environment that is separated from the production environment.
Review questions:
- Is there a data backup and recovery policy for domain controllers?
- Is the backup software used explicitly approved for use in backing up the data of domain controllers?
- Was a separate data backup account with service administrator rights set up for the domain controllers?
- Was the number of members of the Backup Operators group restricted to the required minimum?
- Is the access to the AdminSDHolder object particularly protected for protection of authorisations?
- Are data backups of the domain controllers performed regularly and on the basis of a procedure that avoids outdated objects as far as possible?
- Are the backup media stored at a suitable and secure location?
- Are correct sequence and restoring of data backups of the domain controllers checked regularly?