Gostev
Chief Product Officer
Posts: 31814
Liked: 7302 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

[BETA] Veeam Explorer for Active Directory

Post by Gostev »

Please welcome the new addition to our Explorer family, Veeam Explorer for Active Directory (VEAD). Just like other Veeam Explorers, VEAD performs exports and in-place recoveries of AD objects by drilling directly into the AD database (ntds.dit file), without the use of Virtual Lab.

VEAD supports search and restore of all AD object types, including users, groups, computer accounts and contacts. It can restore individual object attributes, entire objects, and even whole organizational units (along with the hierarchy). Of course, the deleted objects do not have to be present in the Recycle Bin, as we will obtain all the data from backup where the objects are still present in AD. More importantly, unlike many other Active Directory recovery solutions, we do not require that the tombstone of the deleted object is still present in AD. VEAD is also fully Microsoft Exchange aware, so when restoring the user account, we will restore all Exchange-related attributes and reconnect the mailbox. As you will see, this is a very comprehensive solution.

But, there is one more thing. VEAD also has the unique ability to recover passwords! Imagine accidentally deleting the entire OU with all your users. Without this feature, each user will be prompted to set the new password upon first logon, which is very disruptive and insecure. But this feature will come in even more handy if you lose an OU with computer accounts! If you simply restore those back, computers will not be able to log on to the domain because of computer account password mismatch. Now, just imagine the nightmare of going to each computer, switching it into workgroup, and then joining it back into the domain... hundreds of times! This is when you will really appreciate this feature.

Interested? Download beta now (requires B&R 7.0), and post your feedback in this thread!

[UPDATE] Cumulative patch that addresses all issues reported on the beta code as of May 5th > ftp://vead:gBs4953r@supportftp.veeam.com/
lp@albersdruck.de
Enthusiast
Posts: 82
Liked: 33 times
Joined: Mar 25, 2013 7:37 pm
Full Name: Lars Pisanec
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by lp@albersdruck.de »

Installed the beta.

I can only start the standalone application, I did not find a way to use it from B&R Console when selecting a backup of an AD controller.
Do I have to extract ntds.dit and logs manually to explore them, or is there another way?
Gostev
Chief Product Officer
Posts: 31814
Liked: 7302 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by Gostev »

You are quick!

There is no need to extract AD database file. Instead, just initiate file level recovery for a domain controller backup, and the guest file system will be mounted locally on the backup server to C:\veeamflr folder. After that, browse into that folder with VEAD and open ntds.dit .

Of course, once this becomes generally available as a part of v8, you will not perform these manual steps. It will "just work" as with other existing Explorers.
scott.anderson
Service Provider
Posts: 84
Liked: 17 times
Joined: Sep 14, 2011 6:48 am
Full Name: Scott Anderson
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by scott.anderson »

Looks like the Windows version is going to be important.

I've tried the AD Explorer and it's working nicely where

Our Veeam server is a 2008R2.

AD is 2008R2, and the DC that I'm running the recovery for is also 2008R2.

However we also have a 2012R2 DC as well. Recovery from this DC fails.

"The specified database cannot be opened on this OS version"

Does this mean that you need to match your Veeam server to the OS of your DC's?
What happens in a mixed OS DC setup?
lp@albersdruck.de
Enthusiast
Posts: 82
Liked: 33 times
Joined: Mar 25, 2013 7:37 pm
Full Name: Lars Pisanec
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by lp@albersdruck.de »

Gostev wrote:You are quick!

There is no need to extract AD database file. Instead, just initiate file level recovery for a domain controller backup, and the guest file system will be mounted locally on the backup server to C:\veeamflr folder. After that, browse into that folder with VEAD and open ntds.dit .

Of course, once this becomes generally available as a part of v8, you will not perform these manual steps. It will "just work" as with other existing Explorers.
Just FYI: if you searched where to find this, take a look at registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters on your AD controller - the path to ntds.dit is there.

It seems to work so far. One small thingie: double clicking the top left icon of the window to close it does not work, it just maximizes/restores the window.
gkennedy
Influencer
Posts: 10
Liked: 10 times
Joined: Aug 01, 2013 3:48 am
Full Name: Gavin Kennedy
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by gkennedy » 3 people like this post

I have just used this to restore a user to AD right now, which is insanely good timing. :)

Worked perfectly - what an awesome tool.

Cheers,
Gavin
Andreas Neufert
VP, Product Management
Posts: 7081
Liked: 1511 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by Andreas Neufert »

Is Win2003 SP2 in Win 2003 AD mode supported?
Is Win2012 R2 in Win2012R2 AD mode supported?
Templaar
Lurker
Posts: 1
Liked: 2 times
Joined: Mar 17, 2014 7:46 am
Full Name: Tomasz Czyz
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by Templaar » 2 people like this post

Works perfect on Windows 2012 AD.

Great job guys.
Vitaliy S.
VP, Product Management
Posts: 27377
Liked: 2800 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by Vitaliy S. »

scott.anderson wrote:Does this mean that you need to match your Veeam server to the OS of your DC's?
What happens in a mixed OS DC setup?
Not exactly, currently if you need to open a Windows 2012 R2 DC, then Explorer should be launched either on Windows 8.x or Windows 2012 R2 machine.
Andreas Neufert wrote:Is Win2003 SP2 in Win 2003 AD mode supported?
Is Win2012 R2 in Win2012R2 AD mode supported?
Both of these configurations should work fine.
Battlestorm
Veeam ProPartner
Posts: 21
Liked: 2 times
Joined: Feb 21, 2014 10:49 am
Full Name: Daniel Ely
Location: London, UK
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by Battlestorm »

Just opened a backup an ntds.dit from a Win2012R2 DFL/FFL domain on another box running 2012R2 so it opens 2012 R2
Kostya
Veeam Software
Posts: 104
Liked: 28 times
Joined: Jun 18, 2012 9:38 am
Full Name: Kostya Yasyuk
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by Kostya » 1 person likes this post

scott.anderson wrote:Looks like the Windows version is going to be important.
...
However we also have a 2012R2 DC as well. Recovery from this DC fails.
"The specified database cannot be opened on this OS version"

Does this mean that you need to match your Veeam server to the OS of your DC's?
What happens in a mixed OS DC setup?
If you want to open Windows 2012 or Windows 2012 R2 AD database, you have to have Explorer for Active Directory installed on Windows 2012/8 or later.
TommyB
Expert
Posts: 123
Liked: 16 times
Joined: Aug 28, 2013 9:46 am
Full Name: Thomas Braun
Location: Germany.Europe.Terra.Sol.Milkyway.Localgroup.Virgo
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by TommyB »

Very nice feature - already downloaded and will try this sometime this week...

Is there already any list of other features and enhancements for Veeam 8?

I'm especially interested in improvements regarding media handling for tape backup (e.g. more granular email notifications, eject on full tape)
veremin
Product Manager
Posts: 20415
Liked: 2302 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by veremin »

No, there is no such list at the moment.

As to your feature requests, you can post them in the corresponding tape subforum or in the existing topics regarding similar questions.

Thanks.
tdewin
Veeam Software
Posts: 1818
Liked: 655 times
Joined: Mar 02, 2012 1:40 pm
Full Name: Timothy Dewin
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by tdewin »

lp@albersdruck.de wrote: Just FYI: if you searched where to find this, take a look at registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters on your AD controller- the path to ntds.dit is there.
Thanks for that, here is a PowerShell script to connect to your core instance :)

Code:

# Read the NTDS parameters (including the path to ntds.dit) from a remote domain controller
$server = "ad02"
Invoke-Command -ComputerName $server -ScriptBlock { Get-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\" }
DaveBristolIT
Influencer
Posts: 14
Liked: 1 time
Joined: Mar 17, 2014 11:06 am
Full Name: Dave Hamer
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by DaveBristolIT »

Hi Gostev,
This is possibly about to save our bacon. One of our technicians has deleted the entire tree: Configuration/Services/Microsoft Exchange instead of one of the sub trees. (http://www.msexchange.org/img/upl/image ... 813890.jpg)
I've installed VEAD, started a FLR and have mounted the database file successfully - but we can't see the "Configuration" section as it is hidden by default and there is no way of typing in what you'd like to open!
Do you have a fix for this that we can apply in the next couple of hours, or should I return to the old UAIR wizard?

Many thanks;
Dave
PR1
Novice
Posts: 4
Liked: never
Joined: Mar 20, 2013 11:36 am
Full Name: Paul Robinson
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by PR1 »

Domain controller is Windows 2008 R2, Veeam B&R is on Windows 2012, can open the ntds.dit file, but it's displaying containers from our "parent" domain, cannot see our domain or our OUs?
foggy
Veeam Software
Posts: 21139
Liked: 2141 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by foggy »

Paul, are you sure you're opening database on the child domain controller? I believe that domain controller on the parent domain does not contain information on its child domains.
foggy
Veeam Software
Posts: 21139
Liked: 2141 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by foggy »

DaveBristolIT wrote:I've installed VEAD, started a FLR and have mounted the database file successfully - but we can't see the "Configuration" section as it is hidden by default and there is no way of typing in what you'd like to open!
Dave, unfortunately, restoration of objects from Configuration partition is not currently available.
DaveBristolIT
Influencer
Posts: 14
Liked: 1 time
Joined: Mar 17, 2014 11:06 am
Full Name: Dave Hamer
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by DaveBristolIT »

Ah that's a shame :)
+1 for this feature please!

I don't suppose someone can tell me if I can do this using the AD Restoration UAIR tool, or am I wasting my time with that as well? I'm not fancying an authoritative restore at this time of the morning!

Thanks muchly!
Dave
foggy
Veeam Software
Posts: 21139
Liked: 2141 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by foggy »

As far as I remember, AD AIR also works with Domain partition only.
AMS
Expert
Posts: 145
Liked: 33 times
Joined: Mar 06, 2012 6:32 pm
Full Name: Ari Saperstein
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by AMS »

Just tested the VEAD with B&R on Windows 2012R2. AD on Windows 2012. VEAD lists all objects and properties of objects. When I go to perform a "restore to DOMAINNAME", I am getting "the supplied credential is invalid" error. The B&R server is not in the AD domain and therefore, the "Restore To" option needs to be selected where I can enter credentials for the proper domain. The restore worked perfectly in this scenario.
Andreas Neufert
VP, Product Management
Posts: 7081
Liked: 1511 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by Andreas Neufert »

When mapping a domain file, the button says "Recover". Maybe it's better to rename it to "map" or "select" because someone can be confused and think that the whole DB will be recovered when they click it.
Andreas Neufert
VP, Product Management
Posts: 7081
Liked: 1511 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by Andreas Neufert »

Warning: Security information is not available for domain 'S-1-5-21-3715182976-4200736805-4064554889', password will not be restored.

My B&R Server is not a member of the Domain (Standalone Server). Is this the problem? Is there a workaround for it, because in many cases the B&R Servers are members of an infrastructure domain with no trust to the domains used at VMs?
foggy
Veeam Software
Posts: 21139
Liked: 2141 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by foggy »

Andreas, to restore passwords, Veeam Explorer for Active Directory requires SYSTEM registry hive from the corresponding DC to be available. If it cannot be located automatically in its default location (%systemroot%\System32\Config), make sure to put it in the same folder as the .DIT file.
Andreas Neufert
VP, Product Management
Posts: 7081
Liked: 1511 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by Andreas Neufert »

Ah Ok... I am installing my domain controller files not in standard folder. In most cases in d:\NTDS but in my lab it is c:\NTDS. I will try again in the lab and let you know.
Gostev
Chief Product Officer
Posts: 31814
Liked: 7302 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by Gostev »

Andreas, answering your earlier question, B&R server does not have to be a member of the domain, standalone server is fine.
Andreas Neufert
VP, Product Management
Posts: 7081
Liked: 1511 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by Andreas Neufert »

foggy wrote:Andreas, to restore passwords, Veeam Explorer for Active Directory requires SYSTEM registry hive from the corresponding DC to be available. If it cannot be located automatically in its default location (%systemroot%\System32\Config), make sure to put it in the same folder as the .DIT file.
That was the problem, thanks foggy.
I copied the System and system.log to the NTDS folder (at my lab c:\VeeamFLR\AD\Volume1\NTDS while standard path is I think c:\VeeamFLR\AD\Volume1\Windows\NTDS) and it worked.
Is it possible to change SYSTEM access (autodetect) of VEAD tool so that it can work automatically in situations where NTDS is not at default path?
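
A pre-flight check for the two conditions raised in this thread (where the SYSTEM hive must sit for password restore, and the OS needed to open a 2012/2012 R2 database), added here as an example and not part of the original posts or of Veeam's tooling. The default paths are the lab paths quoted above, and reading the DC's OS version from the mounted ntoskrnl.exe is an assumption of this example.

```powershell
# Added example: check a DC volume mounted by file-level recovery before opening
# ntds.dit. Both default paths are assumptions taken from the lab paths in the thread.
param(
    [string]$VolumeRoot = 'C:\VeeamFLR\AD\Volume1',
    [string]$DitPath    = 'C:\VeeamFLR\AD\Volume1\NTDS\ntds.dit'
)

if (-not (Test-Path -LiteralPath $DitPath -PathType Leaf)) {
    throw "Database file not found: $DitPath"
}

# 1. SYSTEM hive: password restore needs it either in the default location on the
#    mounted volume or in the same folder as the .DIT file.
$defaultHive = Join-Path $VolumeRoot 'Windows\System32\config\SYSTEM'
$besideDit   = Join-Path (Split-Path -Parent $DitPath) 'SYSTEM'
$hive = @($defaultHive, $besideDit) |
    Where-Object { Test-Path -LiteralPath $_ -PathType Leaf } |
    Select-Object -First 1

# 2. OS versions: a 2012 / 2012 R2 database (6.2 / 6.3) has to be opened on
#    Windows 2012/8 or later. The DC version is inferred from its kernel file.
$kernel    = Join-Path $VolumeRoot 'Windows\System32\ntoskrnl.exe'
$dcVersion = $null
if (Test-Path -LiteralPath $kernel -PathType Leaf) {
    $vi        = (Get-Item -LiteralPath $kernel).VersionInfo
    $dcVersion = [version]('{0}.{1}' -f $vi.FileMajorPart, $vi.FileMinorPart)
}
$localVersion = [Environment]::OSVersion.Version
$win2012      = [version]'6.2'
$osOk = -not ($dcVersion -and $dcVersion -ge $win2012 -and $localVersion -lt $win2012)

# Summary object; a missing hive means the password warning seen earlier in the thread.
[pscustomobject]@{
    Database       = $DitPath
    SystemHive     = if ($hive) { $hive } else { 'MISSING: passwords will not be restored' }
    DcOsVersion    = $dcVersion
    LocalOsVersion = $localVersion
    OsCompatible   = $osOk
}
```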
raphael@schitz.net
Enthusiast
Posts: 71
Liked: 2 times
Joined: Jul 25, 2009 12:14 am
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by raphael@schitz.net »

foggy wrote:Andreas, to restore passwords, Veeam Explorer for Active Directory requires SYSTEM registry hive from the corresponding DC to be available. If it cannot be located automatically in its default location (%systemroot%\System32\Config), make sure to put it in the same folder as the .DIT file.
Thanks foggy, that worked fine for me.
I know this sounds stupid but I restored a user account twice and I found that you can restore and overwrite an existing object without any prompt. I think that it would be safer to warn if it already exists.
Thanks a lot for this great tool Veeam!
BearHuntr
Enthusiast
Posts: 26
Liked: 3 times
Joined: Jan 01, 2006 1:01 am
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by BearHuntr »

My B&R server is Server 2012, my DC is 2008 R2, functional level is 2003, our domain is part of a larger Forest. I've installed VEAD on the B&R server and initiated a FLR from my DC's last backup, browse to the ntds.dit, which is in C:\Windows\System32 and left the logs folder at C:\Windows\System32 as well and I get a "Root subobjects structure not found" error. Any ideas? Thanks!
foggy
Veeam Software
Posts: 21139
Liked: 2141 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: [BETA] Veeam Explorer for Active Directory

Post by foggy »

Probably the domain structure is not quite typical. Could you please open a case with technical support with the [VEAD BETA] tag and post case ID here?