Comprehensive data protection for all workloads
Gostev
SVP, Product Management
Posts: 25094
Liked: 3673 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

[BETA] Veeam Explorer for Active Directory

Post by Gostev » Mar 16, 2014 9:40 pm

Please welcome the new addition to our Explorer family, Veeam Explorer for Active Directory (VEAD). Just like other Veeam Explorers, VEAD performs exports and in-place recoveries of AD objects by drilling directly into the AD database (ntds.dit file), without the use of Virtual Lab.

VEAD supports search and restore of all AD objects types, including users, groups, computer accounts and contacts. It can restore individual object's attributes, the entire objects, and even the whole organizational units (along with the hierarchy). Of course, the deleted objects do not have to be present in the Recycle Bin, as we will obtain all the data from backup where the objects are still present in AD. More importantly, unlike many other Active Directory recovery solutions, we do not require that the tombstone of the deleted object is still present in AD. VEAD is also fully Microsoft Exchange aware, so when restoring the user account, we will restore all Exchange-related attributes and reconnect the mailbox. As you will see, this is a very comprehensive solution.

But, there is one more thing. VEAD also has the unique ability to recover passwords! Imagine accidentally deleting the entire OU with all your users. Without this feature, each user will be prompted to set the new password upon first logon, which is very disruptive and insecure. But this feature will come even more handy if you lose an OU with computer accounts! If you simply restore those back, computers will not be able to logon to the domain because of computer account password mismatch. Now, just imagine the nightmare of going to each computer, switching it into workgroup, and then joining it back into the domain... hundreds of times! This is when you will really appreciate this feature.

Interested? Download beta now (requires B&R 7.0), and post your feedback in this thread!

[UPDATE] Cumulative patch that addresses all issues reported on the beta code as of May 5th > ftp://vead:gBs4953r@supportftp.veeam.com/

lp@albersdruck.de
Enthusiast
Posts: 82
Liked: 33 times
Joined: Mar 25, 2013 7:37 pm
Full Name: Lars Pisanec
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by lp@albersdruck.de » Mar 16, 2014 10:00 pm

Installed the beta.

I can only start the standalone application, I did not find a way to use it from B&R Console when selecting a backup of an AD controller.
Do I have to extract ntds.dit and logs manually to explore them, or is there another way?

Gostev
SVP, Product Management
Posts: 25094
Liked: 3673 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by Gostev » Mar 17, 2014 12:19 am

You are quick!

There is no need to extract AD database file. Instead, just initiate file level recovery for a domain controller backup, and the guest file system will be mounted locally on the backup server to C:\veeamflr folder. After that, browse into that folder with VEAD and open ntds.dit .

Of course, once this becomes generally available as a part of v8, you will not perform these manual steps. It will "just work" as with other existing Explorers.

scott.anderson
Service Provider
Posts: 64
Liked: 8 times
Joined: Sep 14, 2011 6:48 am
Full Name: Scott Anderson
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by scott.anderson » Mar 17, 2014 12:40 am

Looks like the Windows version is going to be important.

I've tried the AD Explorer and its working nicely where

Our Veeam server is a 2008R2.

AD is 2008R2, and the DC that I'm running the recovery for is also 2008R2.

However we also have a 2012R2 DC as well. Recovery from this DC fails.

"The specified database cannot be opened on this OS version"

Does this mean that you need to match your Veeam server to the OS of your DC's?
What happens in a mixed OS DC setup?

lp@albersdruck.de
Enthusiast
Posts: 82
Liked: 33 times
Joined: Mar 25, 2013 7:37 pm
Full Name: Lars Pisanec
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by lp@albersdruck.de » Mar 17, 2014 6:45 am

Gostev wrote:You are quick!

There is no need to extract AD database file. Instead, just initiate file level recovery for a domain controller backup, and the guest file system will be mounted locally on the backup server to C:\veeamflr folder. After that, browse into that folder with VEAD and open ntds.dit .

Of course, once this becomes generally available as a part of v8, you will not perform these manual steps. It will "just work" as with other existing Explorers.
Just FYI: if you searched where to find this, take a look at registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters on your AD controller- the path to ntds.dit is there.

It seems to work so far. One small thingie: double clicking the top left icon of the window to close it does not work, it just maximizes/restores the window.

gkennedy
Influencer
Posts: 10
Liked: 10 times
Joined: Aug 01, 2013 3:48 am
Full Name: Gavin Kennedy
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by gkennedy » Mar 17, 2014 7:20 am 3 people like this post

I have just used this to restore a user to AD right now, which is insanely good timing. :)

Worked perfectly - what an awesome tool.

Cheers,
Gavin

Andreas Neufert
Veeam Software
Posts: 3971
Liked: 721 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by Andreas Neufert » Mar 17, 2014 8:04 am

Is Win2003 SP2 in Win 2003 AD mode supported?
Is Win2012 R2 in Win2012R2 AD mode supported?

Templaar
Lurker
Posts: 1
Liked: 2 times
Joined: Mar 17, 2014 7:46 am
Full Name: Tomasz Czyz
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by Templaar » Mar 17, 2014 8:32 am 2 people like this post

Works perfect on Windows 2012 AD.

Great job guys.

Vitaliy S.
Product Manager
Posts: 23201
Liked: 1605 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by Vitaliy S. » Mar 17, 2014 9:01 am

scott.anderson wrote:Does this mean that you need to match your Veeam server to the OS of your DC's?
What happens in a mixed OS DC setup?
Not exactly, currently if you need to open a Windows 2012 R2 DC, then Explorer should be launched either on Windows 8.x or Windows 2012 R2 machine.
Andreas Neufert wrote:Is Win2003 SP2 in Win 2003 AD mode supported?
Is Win2012 R2 in Win2012R2 AD mode supported?
Both of these configurations should work fine.

Battlestorm
Veeam ProPartner
Posts: 20
Liked: 2 times
Joined: Feb 21, 2014 10:49 am
Full Name: Daniel Ely
Location: London, UK
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by Battlestorm » Mar 17, 2014 9:02 am

Just opened a backup an ntds.dit from a Win2012R2 DFL/FFL domain on another box running 2012R2 so it opens 2012 R2

Kostya
Veeam Software
Posts: 104
Liked: 28 times
Joined: Jun 18, 2012 9:38 am
Full Name: Kostya Yasyuk
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by Kostya » Mar 17, 2014 9:04 am 1 person likes this post

scott.anderson wrote:Looks like the Windows version is going to be important.
...
However we also have a 2012R2 DC as well. Recovery from this DC fails.
"The specified database cannot be opened on this OS version"

Does this mean that you need to match your Veeam server to the OS of your DC's?
What happens in a mixed OS DC setup?
If you want to open Windows 2012 or Windows 2012 R2 AD database, you have to have Explorer for Active Directory installed on Windows 2012/8 or later.

TommyB
Expert
Posts: 122
Liked: 16 times
Joined: Aug 28, 2013 9:46 am
Full Name: Thomas Braun
Location: Germany.Europe.Terra.Sol.Milkyway.Localgroup.Virgo
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by TommyB » Mar 17, 2014 9:12 am

Very nice feature - already downloaded and try this sometimes this week...

Is there already any list of other features and enhancements for Veeam 8?

I'm especially interested in improvements regarding media handling for tape backup (e.g. more granular email notifications, eject on full tape)

veremin
Product Manager
Posts: 17055
Liked: 1473 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by veremin » Mar 17, 2014 9:16 am

No, there is no such a list at the moment.

As to your feature requests, you can post them in the corresponding tape subforum or in the existing topics regarding similar questions.

Thanks.

tdewin
Veeam Software
Posts: 1459
Liked: 465 times
Joined: Mar 02, 2012 1:40 pm
Full Name: Timothy Dewin
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by tdewin » Mar 17, 2014 10:24 am

lp@albersdruck.de wrote: Just FYI: if you searched where to find this, take a look at registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters on your AD controller- the path to ntds.dit is there.
Thanks for that , here is a powershell script to connect to your core instance :)

Code: Select all

$server = "ad02"
Invoke-Command -computer $server { Get-ItemProperty -path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\" }

DaveBristolIT
Influencer
Posts: 14
Liked: 1 time
Joined: Mar 17, 2014 11:06 am
Full Name: Dave Hamer
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by DaveBristolIT » Mar 17, 2014 11:09 am

Hi Gostev,
This is possibly about to save our bacon. One of our technicians has deleted the entire tree: Configuration/Services/Microsoft Exchange instead of one of the sub trees. (http://www.msexchange.org/img/upl/image ... 813890.jpg)
I've installed VEAD, started a FLR and have mounted the database file successfully - but we can't see the "Configuration" section as it is hidden by default and there is no way of typing in what you'd like to open!
do you have a fix for this that we can apply in the next couple of hours, or should I return to the old UAIR wizard?

Many thanks;
Dave

PR1
Novice
Posts: 4
Liked: never
Joined: Mar 20, 2013 11:36 am
Full Name: Paul Robinson
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by PR1 » Mar 17, 2014 11:15 am

Domain controller is windows 2008 R2, Veeam B&R is on windows 2012, can open the ntds.dit file, but its displaying containers from our "parent" domain, cannot see our domain or our OU's ???

foggy
Veeam Software
Posts: 18448
Liked: 1589 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by foggy » Mar 17, 2014 11:30 am

Paul, are you sure you're opening database on the child domain controller? I believe that domain controller on the parent domain does not contain information on its child domains.

foggy
Veeam Software
Posts: 18448
Liked: 1589 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by foggy » Mar 17, 2014 11:43 am

DaveBristolIT wrote:I've installed VEAD, started a FLR and have mounted the database file successfully - but we can't see the "Configuration" section as it is hidden by default and there is no way of typing in what you'd like to open!
Dave, unfortunately, restoration of objects from Configuration partition is not currently available.

DaveBristolIT
Influencer
Posts: 14
Liked: 1 time
Joined: Mar 17, 2014 11:06 am
Full Name: Dave Hamer
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by DaveBristolIT » Mar 17, 2014 11:51 am

Ah that's a shame :)
+1 for this feature please!

I don't suppose someone can tell me if I can do this using the AD Restoration UAIR tool, or am I wasting my time with that as well? I'm not fancying an authoritative restore at this time of the morning!

Thanks muchly!
Dave

foggy
Veeam Software
Posts: 18448
Liked: 1589 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by foggy » Mar 17, 2014 11:56 am

As far as I remember, AD AIR also works with Domain partition only.

AMS
Expert
Posts: 145
Liked: 32 times
Joined: Mar 06, 2012 6:32 pm
Full Name: Ari Saperstein
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by AMS » Mar 17, 2014 12:46 pm

Just tested the VEAD with B&R on Windows 2012R2. AD on Windows 2012. VEAD lists all objects and properties of objects. When I go to perform a "restore to DOMAINNAME", I am getting "the supplied credential is invalid" error. The B&R server is not in the AD domain and therefore, the "Restore To" option needs to be selected where I can enter credentials for the proper domain. The restore worked perfectly in this scenario.

Andreas Neufert
Veeam Software
Posts: 3971
Liked: 721 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by Andreas Neufert » Mar 17, 2014 1:08 pm

When mapping a domain file, the button says "Recover". Maybe it´s better to rename it to "mapp" or "select" because someone can be confused and think that the whole DB will be recovered when they click it.

Andreas Neufert
Veeam Software
Posts: 3971
Liked: 721 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by Andreas Neufert » Mar 17, 2014 1:13 pm

Warning: Security information is not available for domain 'S-1-5-21-3715182976-4200736805-4064554889', password will not be restored.

My B&R Server is not member of the Domain (Standalone Server). Is this the problem? Is there a workaround for it, because in many cases the B&R Server are member of a infrastructure domain with no trust to the domains used at VMs?

foggy
Veeam Software
Posts: 18448
Liked: 1589 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by foggy » Mar 17, 2014 1:41 pm

Andreas, to restore passwords, Veeam Explorer for Active Directory requires SYSTEM registry hive from the corresponding DC to be available. If it cannot be located automatically in its default location (%systemroot%\System32\Config), make sure to put it in the same folder as the .DIT file.

Andreas Neufert
Veeam Software
Posts: 3971
Liked: 721 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by Andreas Neufert » Mar 17, 2014 1:46 pm

Ah Ok... I am installing my domain controller files not in standard folder. In most cases in d:\NTDS but in my lab it is c:\NTDS. I will try again in the lab and let you know.

Gostev
SVP, Product Management
Posts: 25094
Liked: 3673 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by Gostev » Mar 17, 2014 2:08 pm

Andreas, answering your earlier question, B&R server does not have to be a member of the domain, standalone server is fine.

Andreas Neufert
Veeam Software
Posts: 3971
Liked: 721 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by Andreas Neufert » Mar 17, 2014 2:27 pm

foggy wrote:Andreas, to restore passwords, Veeam Explorer for Active Directory requires SYSTEM registry hive from the corresponding DC to be available. If it cannot be located automatically in its default location (%systemroot%\System32\Config), make sure to put it in the same folder as the .DIT file.
That was the problem, thanks foggy.
I copied the System and system.log to the NTDS folder (at my lab c:\VeeamFLR\AD\Volume1\NTDS while standard patch is I think c:\VeeamFLR\AD\Volume1\Windows\NTDS) and it worked.
Is it possible to change SYSTEM access (autodetect) of VEAD tool so that it can work automatically in situations where NTDS is not at default path?

raphael@schitz.net
Veeam Vanguard
Posts: 66
Liked: 2 times
Joined: Jul 25, 2009 12:14 am
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by raphael@schitz.net » Mar 17, 2014 2:46 pm

foggy wrote:Andreas, to restore passwords, Veeam Explorer for Active Directory requires SYSTEM registry hive from the corresponding DC to be available. If it cannot be located automatically in its default location (%systemroot%\System32\Config), make sure to put it in the same folder as the .DIT file.
Thanks foggy, that worked fine for me.
I know this sounds stupid but i restore a user account twice and i found that you can restore and overwrite an existing object without any prompt. I think that would be safer to warn if it already exists.
Thanks a lot for this great tool VeeaM!

BearHuntr
Enthusiast
Posts: 26
Liked: 3 times
Joined: Jan 01, 2006 1:01 am
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by BearHuntr » Mar 17, 2014 3:33 pm

My B&R server is Server 2012, my DC is 2008 R2, functional level is 2003, our domain is part of a larger Forest. I've installed VEAD on the B&R server and initiated a FLR from my DC's last backup, browse to the ntds.dit, which is in C:\Windows\System32 and left the logs folder at C:\Windows\System32 as well and I get a "Root subobjects structure not found" error. Any ideas? Thanks!

foggy
Veeam Software
Posts: 18448
Liked: 1589 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by foggy » Mar 17, 2014 4:22 pm

Probably the domain structure is not quite typical. Could you please open a case with technical support with the [VEAD BETA] tag and post case ID here?

Locked

Who is online

Users browsing this forum: Google [Bot] and 28 guests