Forum Discussion

Nicolas_Horchow's avatar
12 years ago

Is Netbackup V-ray able to do granular backup of Active directory ?

Hello,

After reading a couple of documents including news and Symantec data sheets about Netbackup 7.5, it looks like V-ray is supposed to grannulary backup AD like Exchange, Sharepoint and SQL.

There's not so many docs about how to setup this as by default AD backup is included with shadows/VSS backups.

I'm able to do grannular backups in VMWare policies, so I can see my SQL databases, but nothing about AD.

As someone has some info about this ? Is it working ? Is it a marketing mistake in the data sheets and Symantec powerpoints ?

Thanks for your feedback,

NH

  • VMware - Virtualizing existing domain controllers:
    "It is not a recommended practice to snapshot a virtual machine running as a Domain Controller. If the VM is running a Windows Domain Controller, then snapshots are not supported by Microsoft."

    VMware White Paper - Virtualizing Windows Active Directory:
    "Once again, to ensure database version and USN consistency, do not use snapshots or REDO disk modes for domain controllers."

    Microsoft - How to detect and recover from a USN rollback in Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2:
    "Starting a previously saved virtual hard disk image of a domain controller. The following scenario can cause a USN rollback:
      ...
    Create a snapshot or alternative version of the virtual hosting environment."

    "Microsoft does not support any other process that takes a snapshot of the elements of an Active Directory domain controller's system state and copies elements of that system state to an operating system image. Unless an administrator intervenes, such processes cause a USN rollback. This USN rollback causes the direct and transitive replication partners of an incorrectly restored domain controller to have inconsistent objects in their Active Directory databases."
     

     

     

    Since VMware policies actually takes snapshots of the VMs for backup (via the vStorage API), all of the above should paint a pretty clear picture that backing up AD/DC this way is not recommended or supported by anyone, including NetBackup.
    NetBackup's only documented (i.e., supported) way of backing up AD/DC is via the System State or Shadow Copy Components directives.
     

  • VMware - Virtualizing existing domain controllers:
    "It is not a recommended practice to snapshot a virtual machine running as a Domain Controller. If the VM is running a Windows Domain Controller, then snapshots are not supported by Microsoft."

    VMware White Paper - Virtualizing Windows Active Directory:
    "Once again, to ensure database version and USN consistency, do not use snapshots or REDO disk modes for domain controllers."

    Microsoft - How to detect and recover from a USN rollback in Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2:
    "Starting a previously saved virtual hard disk image of a domain controller. The following scenario can cause a USN rollback:
      ...
    Create a snapshot or alternative version of the virtual hosting environment."

    "Microsoft does not support any other process that takes a snapshot of the elements of an Active Directory domain controller's system state and copies elements of that system state to an operating system image. Unless an administrator intervenes, such processes cause a USN rollback. This USN rollback causes the direct and transitive replication partners of an incorrectly restored domain controller to have inconsistent objects in their Active Directory databases."
     

     

     

    Since VMware policies actually takes snapshots of the VMs for backup (via the vStorage API), all of the above should paint a pretty clear picture that backing up AD/DC this way is not recommended or supported by anyone, including NetBackup.
    NetBackup's only documented (i.e., supported) way of backing up AD/DC is via the System State or Shadow Copy Components directives.
     

  • As RLeon says it may not be best practice - but in any case as yet there is no such option - the granular technology is for Exchange, SQL and Sharepoint only - all of which use the Symantec writers and not the Microsoft ones (so when it eventually comes it probably will be OK as it does not use the MS writers to do such backups)

    I do have the feeling it will come soon - but it not here yet

  • I will add that although using the System State or Shadow Copy Components directives actually do trigger VSS snapshots inside the guest OS, from the last kb in my previous post, it is probably counted as supported by Microsoft:

    "The only supported way to roll back the contents of Active Directory or the local state of an Active Directory domain controller is to use an Active Directory-aware backup and restoration utility to restore a system state backup that originated from the same operating system installation and the same physical or virtual computer that is being restored."

    But as Mark put it, the VMware method could be supported in the future. Hopefully we won't have to wait until Netbackup 8 comes out.

  • Hello, Thanks for your feedback, but again, the info is coming from Symantec : http://eval.symantec.com/mktginfo/enterprise/fact_sheets/b-symc_netbackup_7.5_DS_21219459-2.en-us.pdf Page 7 Symantec NetBackup with V-Ray Granular Recovery Technology Symantec NetBackup with V-Ray gives patent-pending Granular Recovery Technology the visibility into virtual and physical environments to enable fast recovery of files, email, and other granular objects from environments such as Microsoft Exchange, Active Directory, SharePoint... And you shoulg find ppt which mentionned the same thing... That's why I was wondering I should be able to V ray my VM :) regards, NH
  • Support is also lost. They also agreed that communication is not really clear about what is possible and what is not. So to sum up, it looks to be impossible as-is. In fact VMWare backup with application support is not really easy : you must install and setup all the client suite to make it work. (manual installation, updates, OS addons like NFS, service username,...) That's a pity, we were planning to use VM backup for our test and dev VM, and thanks to auto selection, it was really easy to add or remove a machine, but as soon as you wanted to go deeper (to V-Ray) : it becomes awfull ;) Thanks for your feedback, NH
  • If you go through the MS kb, you will find that the USN rollback problem is only applicable if you have more than one dc. Therefore if you are running a standalone dc then the problem does not apply.

    This is similar to the limitation with the VMware policy type plus GRT for MS SQL.
    You will find that Netbackup really only supports standalone VM SQL servers in this case.
    If the VM SQL server is configured as clustered or mirrored, then you will still have to use the traditional Nbu SQL agent/client backup method.

     

    The following is from a non-public document.
    The document made no mention of AD/DC. I'm merely using SQL as an example to show that it only really works properly when the VM is a standalone server.

    Perhaps you could try to ask your Symantec representative for a copy; or someone here could help point you to some public sources with the same information.
    Sorry about this. I tried but I couldn't find any public references.

    NetBackup 7.5 Feature Briefing - Application Protection for VMware Virtual Machines:
    VM MS SQL Server section:

    Backup restrictions
      No differential (BLIB) backup support
      No clustering support
      No mirroring support

     

    When your application inside a VM is clustered (in a broad sense), the other thing to consider is which of the following recovery target are you aiming to achieve by using a VMware snapshot backup:

    1. After a complete VM restore, both the OS and the App works properly.
    2. After a complete VM restore, only the OS is healthy, and it is acceptable that the App will have problems and will need additional work done to fix and resume service.
    3. Complete VM restore or recovery is not needed, only GRT (granular) App level objects such as DBs or OUs will ever be restored from the VM backup.

     

    1. and 2. are disaster recovery, 3. is not.
    Unless your App (SQL, AD, etc) is running in standalone mode, you will not get 1.
    If your App is clustered, 2 will be the likely outcome if you restore the entire VM.
    If you go for 3. then you will not have the USN problem because you should restore the AD objects back to the Primary and not the Secondary DC anyway. In this sense (plus when running standalone configs), Netbackup is capable of protecting MS AD with a VMware backup.

    When they say it is not supported/recommended, VMware and Microsoft are probably referring to trying to achieve 1. in clustered mode.

    I hope I'm making sense.

  • Snapshots and Clonening fully supported in vmware 5.0 Update 2 and 5.1 on Windows Server 2012

  • Thanks for the info. This is good to know. If MS supports it for server 2012, then so would VMware and then probably NetBackup, officially.

    From one of the first Google results:
    http://blogs.technet.com/b/askpfeplat/archive/2012/10/01/virtual-domain-controller-cloning-in-windows-server-2012.aspx
    "Until now, cloning, snapshotting, copying, or pretty much doing anything but rebuilding from scratch to a virtual domain controller wasn't just unsupported...
    ...
    Starting in Windows Server 2012, we now support DC cloning as well as snapshot restoration of domain controllers. With the RTM bits available"
     

  • Hi Nicolas,

    I don't think your post that you have marked as solution is really a solution to your initial question, I think you should have given some credit to RLeon.

  • Hello,

    Sorry, but question was more focused on the netbackup feature, and not really AD, MS or VMWare feature.

    I 100% agree that it is easy to blow an AD, but it can be also really convenient to backup as is AD servers.

    For instance we use this to do point in time restoration and check differences between live production and previous state. Even if we have granular recovery we never used it in production environement.

    So the answer is : no AD granular backup with V-ray during VMware policies.

    Regards,

    NH