Backing up Active Directory without breaking a sweat or remote queries

Backup and recovery are two fundamental practices every organization relies on to minimize downtime and protect critical data. An Active Directory (AD) backup is what makes it possible to restore an entire AD environment in the event of a failure or incident.

At a minimum, this process requires domain admin privileges in order to run remote queries against the domain controllers across the environment and retrieve their data.

However, one of our RecoveryManager Plus customers had other ideas: perform an AD backup without meeting those minimum requirements. With our implementation service, we delivered exactly what they needed.

GPO backup: An uphill battle

An AD environment generally includes AD objects such as users, groups, and Group Policy Objects (GPOs). GPOs dictate how users and endpoints operate within the environment.

Unlike other AD objects, the policies and configurations applied through GPOs are stored in a shared folder called SYSVOL. By default, this folder is only accessible to domain admins. With RecoveryManager Plus installed on an application server rather than on a domain controller, the challenge was taken up a notch.

Without domain admin privileges and without executing remote queries, GPO backup looked complicated, but not impossible. After hours of brainstorming, our implementation manager devised a smart and simple workaround.

The workaround that indeed worked!

Group Policy Management Console (GPMC) is a native tool used to create and manage GPOs. Where there is a GPMC, there is GPO data. Luckily, this tool can be installed as an add-on feature on any Windows Server machine, including an application server. Installing this feature brought the GPO data to the application server; backing it up, however, was still an open question.

A service account was then created and added to the local Administrators group, granting it the privileges to retrieve and copy the data available on the server. Additionally, our implementation manager deployed a custom patch that allows the service account to execute its queries locally (within the application server) to create the copies.
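As an added example that is not part of the original post or of the RecoveryManager Plus implementation, the following PowerShell shows the GPMC-based steps the workaround relies on, run locally on the application server under the local-admin service account: install the GPMC feature, back up every GPO with the GroupPolicy module that ships with it, restrict the backup folder before any policy data lands in it, and verify the result against the list of GPOs. The backup path and the backup comment are assumptions.

```powershell
# Added example (not the post's or the product's own code). Run in an elevated
# PowerShell session on the application server as the local-admin service account.
$BackupRoot = 'D:\GPOBackup'   # assumption: any local path the service account can write to

# 1. GPMC is an optional Windows Server feature; it also installs the GroupPolicy module.
if (-not (Get-WindowsFeature -Name GPMC).Installed) {
    Install-WindowsFeature -Name GPMC | Out-Null
}
Import-Module GroupPolicy

# 2. One folder per run, restricted to Administrators and SYSTEM before the backup
#    starts: GPO backups contain scripts, paths and settings worth protecting.
$Target = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $Target -Force | Out-Null
icacls $Target /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null

# 3. Back up every GPO. Backup-GPO writes one GUID-named folder per GPO
#    (gpreport.xml plus the SYSVOL files) and a manifest.xml that Restore-GPO needs.
$Backups = Backup-GPO -All -Path $Target -Comment "Scheduled backup $(Get-Date -Format s)"

# 4. Verify: every GPO that Get-GPO reports must have a matching backup record,
#    and the manifest must exist, otherwise the set is incomplete or not restorable.
$Missing = Get-GPO -All | Where-Object { $_.Id -notin $Backups.GpoId }
if ($Missing) {
    $Missing | ForEach-Object { Write-Warning "No backup for GPO '$($_.DisplayName)' ($($_.Id))" }
    exit 1
}
if (-not (Test-Path (Join-Path $Target 'manifest.xml'))) {
    Write-Warning "manifest.xml missing; backup set at $Target cannot be used by Restore-GPO"
    exit 1
}
Write-Output ("Backed up {0} GPOs to {1}" -f $Backups.Count, $Target)
```

Backup-GPO needs read access to each GPO's container and its SYSVOL folder; an account that lacks it receives a partial set, which is why the verification step compares the result with Get-GPO -All rather than trusting the exit status.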

This met our customer's needs perfectly: performing an AD backup without using domain admin privileges or remote queries.

Apart from purchasing a solution to address identified needs, organizations often discover new and challenging requirements that demand additional technical expertise during the implementation phase.

OnboardPro is ManageEngine's exclusive implementation service for IAM and SIEM solutions. Every client environment is unique and requires support beyond basic installation and standard features. With OnboardPro, customers engage with our product experts to manage installation, customization and training based on their business needs. For more information, visit: manageengine.com/onboarding/manageengine-onboardpro-iam-and-siem-professional-service.html.