Showing results for 
Search instead for 
Did you mean: 

Best Practices to protect Active Directory

Employee Accredited Certified

Active Directory (AD) is a directory service that runs on Windows server operating system. AD allows administrators to manage permissions and control network access. AD consists of several objects like Users, Groups, devices, and applications.

For a network administrator, protecting Active Directory is one of the most important tasks. Incidents such as ransomware attacks, system corruption, accidental deletion of an Active Directory component (e.g. User, Organizational Unit, Computer, printer, or a file share), or a complete server disaster can affect the business continuity. To maintain an uninterrupted network service, backing up the Active Directory server is of utmost importance.

Several companies were affected by the NotPetya ransomware in 2018, and one of the companies faced losses up to $300 million. The master boot records of the Active Directory server were affected, making it unusable and unrecoverable.

Backup Exec offers some of the best features for backup and restore of an Active Directory server.    

How to protect your active directory using Backup Exec:   

  • Include the System drive and System state in the backup.
  • Backup of AD Virtual Machine is also supported in BackupExec (for more details, see the Backup Exec 21 Administrator's Guide - Appendix C)
  • With Backup Exec Granular Recovery Technology (GRT) we offer you single user restore, group, DL, or even a single attribute for an Active Directory object from system state backup, Without the need of a full Active Directory server recovery.

Fig. 1 – Backup Exec Active Directory GRT optionFig. 1 – Backup Exec Active Directory GRT option

 Restoring individual objects in Active Directory:

After a successful backup of the system state, you can now restore a single object in Active Directory. This feature is useful when there is an accidental deletion of individual object(s) from ‘Active directory users and groups.’

Fig. 2 – Backup Exec restore view for individual objects.Fig. 2 – Backup Exec restore view for individual objects.

Note: After the user is restored, you need to reset the password and enable the account.

Disaster Recovery of an Active Directory server:

 Disaster Recovery of Active Directory server is required in the below scenarios,

  1. Active Directory is down but the OS is up and running, then
    • Boot the server in Directory Services Restore Mode (DSRM).
    • Login using the local administrator credentials.
    • Create a restore job in Backup Exec, select only system state component, and run the restore using local admin credentials. Do not select system drive as the OS is not affected.
    • Once the restore completes, Reboot the server.

Note: In case you have more than one domain controller, you may need to run Ntdsutil.exe

MS reference for  Ntdsutil.exe -

Fig. 3 – Shows the System state components for an Active Directory Server.Fig. 3 – Shows the System state components for an Active Directory Server.

  1. Active Directory is up and running but Windows OS is corrupted.
    • Restore the C drive and System state (Excluding the Active Directory component).
    • Once the restore completes, Reboot the server.
  1. OS does not boot

This covers most of the backup and recovery scenarios for Active Directory required by an administrator.

Further Reading

For more information on this topic, check out our online copy of the Backup Exec 21 Administrator's Guide.

Get More Help

If you are facing a problem with Backup Exec and looking for assistance, you can contact Veritas Technical Support for Backup Exec, or join the conversation on the VOX BE Community.

If you wish to try Backup Exec free in your environment, please visit

Level 1

So it is only about backups? Not about how to deal with dos attacks?

And how to deal with this issue?

Employee Accredited Certified
Backup Exec provides data protection across physical and virtual machines by protecting your backups and backup servers from external attacks. If you would like to talk to Veritas experts about a specific scenario, join us on the VOX discussion board: Backup Exec - VOX (