Backup an AD - Is Snapshot a safe method now ?

[great_vc]

Hi,

I welcome myself and our company to a purchased full bundle of Backup & Replication , ONE, and Orchestrator. We are new here so please bare with us (me specifically) as a lot questions will appear in different forums

We (as many others) had VERITAS NETBACKUB. We used that to backup the AD with the agent of VERITAS. Now i know and read a lot of articles in the past about how bad is to do snapshots in AD because of the tombstone and many other frighting things. So i created job (https://www.veeam.com/blog/backing-up-d ... ction.html) for my PDC AD with application aware enabled, took 3 minutes(!) to backup it and it aw expected created a snapshot and upon finished it deleted it. I then check the backup with the magnificent and magic AD explorer and i could see the whole tree. It still magic for me not be able to restore the whole AD for one user

So to make things short, is the snapshot method safe ? What happens if for a reason the snapshot does not get deleted automatically ? Can their be any corrupt in AD due to snapshots. Have we bypass the rule "do not make snapshots in AD" nowadays.

Our AD is Windows 2012 R2 (multiple DCs) , but the functional level is 2008 R2 yet (don't ask).

Many thanks in advance.

Regards,
Vassilis

[Mildur]

Welcome to Veeam, you have done the right choice

for my PDC AD with application aware enabled, took 3 minutes(!) to backup it and it aw expected created a snapshot and upon finished it deleted it.

That is the correct way todo backups with Veeam. You should use Application Aware Backups for all vms.

Veeam will not corrupt the ad with this snapshots. Veeam will use the vss writer from microsoft todo the backups. That‘s the recommended and supported way.

If there is a issue with the snapshot deletion (vmware), veeam will use it‘s snapshot hunter to remove the snapshot as soon as possible of inform you about a failure.

https://helpcenter.veeam.com/docs/backu ... ml?ver=110
https://helpcenter.veeam.com/docs/backu ... ml?ver=110


Last thing to say, configure surebackup jobs and your orchestrator to test your backups. You can do application level restore testing. That will give you a result if your ad is consistence in the backup files and can be restored if you need it.

SureBackup Jobs VBR
https://helpcenter.veeam.com/docs/backu ... ml?ver=110
https://helpcenter.veeam.com/docs/backu ... ml?ver=110

Orchestrator Plans Testing
https://helpcenter.veeam.com/docs/vao/u ... tml?ver=40

[soncscy]

Heya Vassilis,

To add to Fabian's great answer, first, let's address the snapshot issue:

https://docs.microsoft.com/en-us/window ... -directory

What Microsoft forbids is using __snapshots as backups__. When you revert snapshots, you end up with USN rollback and that is what causes AD issues. Veeam doesn't do this -- it uses the snapshot as a means to do hot-backups of the VM while quiescing the base disk. So the VM continues to run on snapshot, the backup application (veeam) gets a quiesced disk to backup, where all of the applications have flushed all writes to disk and have no pending IO, and once the backup is done, the snapshot is consolidated (i.e., deleted) and it's as if the snapshot/backup never happened. Restores from such backups are as if you're just powering on a shut-down machine. (see point 1).

Veeam backups do two things that are very important:

1. An entire VM restore is basically the same as turning the machine back on after a power outage.
2. The Application Aware Processing (AAIP) __always restores AD/DC's as non-authoritative__.

The 2nd one is the most important part; a restored Domain Controller you backed up with AAIP will never be restored as authoritative, so if it goes back into a cluster, the restored DC will wait and find a source for replication instead of declaring itself authoritative. This is the __most important part__.

For individual AD objects, in most cases, you're just updating AD with a new object with the same content, but a new USN, so you avoid the USN rollback issues because it's just a new object really.

It's quite safe to use and saves a ton of time. Just always always always ensure AAIP is enabled and works for your AD backups. If you see a warning there, you need to address it right away.

[great_vc]

Thank you both for your so detailed and to the point answers!
I feel more confident now and more safe, i always use tha application aware that is the first thing that our veeam sales and support people told us on our Teams meeting. So i know it is working just wanted to make sure.

Thanks again, and i'll be back with more

Regards,
Vassilis

[Andreas Neufert]

Even if this would not be in place, Microsoft AD can handle now situations with Snapshot reverted servers automatically. I think it is in place since Win 2016 with Win2016 operations mode.