I've been working as a sysadmin for over 15 years, mainly in Microsoft and Windows environments, and until now, I haven't really had proper backups for Active Directory—just backing up the domain controllers and using the AD Recycle Bin. Most of the places I've worked in have been small with single domains and only a few domain controllers, so I haven't had to deal with complex structures like multi-domain forests.
Now, I started a new job about nine months ago, and we've been making significant improvements to our backup strategies while also cutting costs. The previous team experienced a major AD disaster before I joined, which led to a lot of hard work rebuilding domain controllers.
In light of this, we're now considering actual AD backups and I'm a bit confused about how much we really need. We're looking into Commvault because it handles our 365 and Azure backups as well. They offer two versions: one seems like an advanced recycle bin option, and the other promises a full forest recovery.
I'm struggling to understand what additional benefits full forest recovery would bring us compared to just being able to restore objects from our basic AD backup or recovering one or more of our three domain controllers. Asking the sales team doesn't help much since they're focused on making a sale. Am I overanalyzing this, or is a comprehensive recovery solution necessary for our single-domain setup with just three domain controllers?
4 Answers
For a while, we've been just using some old scripts for system state backups in case we need a granular restore. So far, we haven’t had to actually use them—anything we can’t pull from the Recycle Bin hasn’t been critical. We also do full VM backups of one domain controller per domain in the forest just to cover our bases if something major happens. Honestly, if a DC fails, we generally just rebuild it.
Have you considered backing up to an Azure Recovery Vault? With immutable backups, you can recover your DC if needed. It simplifies recovery significantly. For a single DC setup, this could be a straightforward solution that lets you restore with just a few clicks, making it easy in case something goes wrong.
You might want to also look at Veeam or Rubrik for AD backups; it's always good to get some competitive quotes. They might have solutions that fit your needs better. Remember, a lot of companies don't have AD backups at all, so depending on what they're doing might give you some perspective. I feel your concern about over-investing—it's crucial to balance cost with what you actually need for recovery.
Specifically, consider how many times you genuinely have to restore objects from AD—if it’s rare, maybe the simpler options will suffice.
Backing up the entire VMs with Veeam might be the simplest path forward for you. If your AD ever goes down, just restore the VM. It's straightforward, and depending on your infrastructure, it could save you a lot of hassle compared to a dedicated AD backup solution.

That sounds like a solid plan, but are there specific scenarios where this wouldn’t work well? I'd love to hear more about the drawbacks if there are any.