How to Backup Active Directory Hosted on the AWS Cloud – Part 2

n2wsWith the popularity of the cloud increasing, enterprises seek to use its scalability to meet their production as well as dev/test environment’s needs. In the first article of this series, we discussed the built-in backup and restore process for Windows Active Directory (AD). In this article, we will demonstrate how to backup and restore Active Directory in AWS using Cloud Protection Manager (CPM).

Active Directory with AWS

Let’s consider two existing use case scenarios for Microsoft Windows Server Directory Services (DS) in Amazon EC2.

  1. New Active Directory Domain Services (AD DS) Domain Controller in EC2
    Say a customer wants a centralized, cloud-based authentication mechanism for an application. By implementing Directory Service in Windows Server with Amazon EC2, authentication can be easily streamlined with the application as well as with other AWS services.
  2. Extending an Existing AD DS Corporate Environment in EC2

Nowadays, many customers want one domain controller on-premises and another extended to a cloud, like AWS.

Due to the fact that we show the AD backup and restore processes in the Amazon cloud in this article, we will not focus on AD setup. Setting up AD in the AWS cloud is easy if you have a good understanding of AWS services.
AWS provides two ways of performing persistent data backup. One option is via AWS snapshots and the other is via AWS AMIs. For the sake of this article, we will discuss AWS snapshots for persistence. As mentioned above, we will use CPM to back up the snapshots. CPM is a full-featured enterprise-class backup, recovery, and disaster recovery solution for Amazon EC2 instances, EBS volumes and RDS databases, utilizing AWS native EBS and RDS snapshots.

CPM is operated from a CPM Server – an application running on an EC2 instance within your environment that directly connects to your AWS infrastructure to perform backups.

Creating an Amazon EBS Snapshot of an Active Directory Server

Amazon EBS snapshots offer one-click backup and restore of EBS volumes. These are known as crash consistent snapshots. EBS snapshots create an incremental backup; if you take snapshots of a volume at regular intervals, it only takes the data that was modified since the last backup. Even though snapshots are saved incrementally, the snapshot deletion process is designed so that AWS internally retains the blocks that are referenced by the existing snapshot in order to restore the volume data from the respective snapshots.
You can take a snapshot of a volume attached to an instance that is in use, but AWS recommends detaching the volume or stopping the instance during snapshots. This is because snapshots only capture data that has been written to your Amazon EBS volume when the snapshot command is issued. Sometimes this results in inconsistent data because it might exclude data that is cached by applications or the operating system. It is recommended to pause file writes to the volume long enough to take a snapshot before taking a snapshot–this will make your snapshot application consistent.

The sample screenshot below shows how to take a snapshot from the EBS console.
n2ws
Next, we’ll explore how to back up an AD server running on Windows 2012 Server with CPM.

Backup and Restore Using CPM

CPM allows you to automate, control, and maintain the backup and recovery of critical instances and volumes, set RPO objectives, improve your disaster recovery plan, and introduce retention management policies to better control backup operation costs. It provides a very simple web interface to manage your EC2 or RDS backup operations. Backup is of utmost importance to any administrator in order to achieve continuous uninterrupted productivity in the event of data malfunction or a disaster. The availability of an automated  backup and recovery option will help reduce both efforts and costs.  CPM comes in handy here as it offers an advantage on top of Amazon services, making administrators’ lives easier through automated backup and quick restore.
CPM has many features that make it a suitable option for backing up Windows Server. One such feature is flexible backup policies that are created by users based on need, and keep retrying in case of failure. It also offers a feature that allows you to copy EBS snapshots to other regions. You can restore a complete backup with one click.
Now, let’s discuss how to back up your AD configured on Windows 2012 running on AWS with CPM.

Setting up CPM

CPM allows you to create backup policies and schedules. These are used to identify the objects (instances/volumes/RDS) you want to back up and schedule when backups should be performed. You can see the AWS account credentials that we used to set up our CPM account below. It is recommended to create an IAM login with AWS that holds the required permissions instead of providing your root account credentials.

Setting up Backup Configuration in CPM
You are required to configure a backup schedule as well as a policy.
n2ws
Set the AD instance as the backup target.
n2ws

CPM enables you to create VSS backup the same as in the Windows VSS feature. Shadow Copy (also known as Volume Snapshot Service, Volume Shadow Copy Service or VSS) is a technology from Microsoft Windows that allows you to take manual or automatic backup copies or snapshots of computer files or volumes, even when they are in use. The concept of VSS is to freeze applications that use multiple volumes.

CPM only supports VSS on Windows 2008 or 2012 servers. CPM uses the “System Provider” to perform shadow copies. This process is very simple — when CPM creates a backup, the CPM Thin Backup Agent asks the system provider to create shadow copies of all relevant volumes. In which case, differential copies are created; only changes made since the beginning of the backup are copied and not the complete data of the volume. It is recommended to enable VSS in the policy and install CPM’s VSS agent in your Windows instance. The VSS agent is available to download as part of your CPM service. However, in many cases, you will not need to do anything. By default, VSS will take shadow copies of all of the volumes.
You can also monitor your backup jobs and check if backups are running correctly without any error using a built-in backup monitoring tool.
n2ws
You can also view the log file.
n2ws
The VSS shadow copies’ object names with CPM in the recovery panel.
n2ws

Restoring Backup

CPM is not only useful for backups, it also very quickly and powerfully restores AD to a stable data snapshot with a single click. The example provided here was performed with one DC. If there are multiple DCs in the network, you should be careful when restoring AD because as soon as one of the new DCs is up, it will start replicating with other servers. This can cause issues, especially if the original DC is still up and running. Sometimes it is recommended to recover the DC in a sandbox, without network connectivity with other servers.
If, for any reason, user data is removed and the administrator wants to restore AD to a previous stable data snapshot, CPM can come in very handy because it takes  snapshots at regular intervals throughout a policy.
The screen below shows the configured users in Active Directory.
n2ws
If, for whatever reason, user 1 is deleted and you want to restore it, you can restore a backup.
n2ws
You can easily recover a volume or instance from the CPM Recovery Panel with a single click. To restore a backup, click the ‘Recover’ option as shown below.
n2ws
Once the instance is recovered from the snapshot, the deleted user appears again.
n2ws

Final Note

As shown in the first part of this article, backing up Active Directory is complicated and some level of expertise is required to restore the backup.  Amazon provides a good feature that allows you to take block level backups, called EBS; taking EBS snapshots is easy but does require manual intervention each time you want to create a backup. Taking the criticality of AD in any environment into consideration, we advise incorporating manual intervention when performing AD backups.

CPM provides a good feature to take automated backups at regular intervals. In addition, CPM’s VSS feature adds a higher level of reliability and consistency to your critical production environment.

Share this post →

You might also like: