Windows IT Pro Guest Blogs
How to Recover Group Policy Objects

How to Recover Group Policy Objects

Warning: Each new version of Veeam Backup & Replication comes with updated Veeam Explorer for Microsoft Active Directory, so it’s important to be aware of software versioning in order to know the scope of possible operations. Additionally, it’s generally a good idea to keep your Veeam infrastructure (and operating systems of VMs) at supported and recent versions.

We introduced Veeam Explorer for Microsoft Active Directory — a very helpful utility when it comes to AD objects recovery — as a part of Veeam Backup & Replication v8. Its initial functionality was intended to solve the most frequent cases administrators have with Active Directory: granular objects and containers recovery. (OK, password recovery also was included, as well as AD data export in LDIFDE format.) All of that made a lot of people happy, but, as always, they wanted more. The community gave us great feedback, asking for additional features for less-frequent cases or specific scenarios. Aside from the most frequent operations, like adding and removing users/computers to the domain, administrators have to deal with more advanced restore operations related to Group Policy Objects (GPO), DNS-integrated records, and so on. That said, we worked hard and added some new functionality to provide administrators with such options.

Starting from Veeam Backup & Replication v9, you can restore Group Policy Objects, and the process is very easy.

Note: Group Policy is a Windows Server feature (since Windows Server 2000) that allows an administrator to centrally manage the working environment of users and computers, allowing common policies to be configured from one place and then distributed at ease, while also controlling what users/computers can or cannot do.

In order to restore GPO, you have to make sure you are running the appropriate Veeam Backup & Replication version and that you have already taken a valid backup file of your Domain Controller (DC). The actual recovery procedure is like this:

  1. Administrator starts application-item restore for Microsoft Active Directory from the main ribbon or via the backups hive.
  2. Then, the administrator selects an appropriate backup point with a known valid state.
  3. Veeam Backup & Replication mounts that restore point to the backup server, extracting the Active Directory database and SYSVOL catalog, and automatically opens them in Veeam Explorer for Microsoft Active Directory.
  4. If all prerequisites are met, the administrator should be able to find the Group Policy Objects container right below the Users and Computers container.
  5. Then, the administrator finds a desired GPO manually or by using the search, and performs either the restore or export procedure. (Figure 1)

Figure 1. Veeam Explorer for Microsoft Active Directory: GPO options

Hint: As an option, the administrator can compare GPO attributes with the production state and see what exactly was changed. (Figure 2)

Figure 2. Veeam Explorer for Microsoft Active Directory: Comparing backed up GPO with production

Additional Improvements to Veeam Explorer for Microsoft Active Directory

Version 9 of Veeam Explorer for Microsoft Active Directory also adds support for the recovery of:

  • Active Directory-integrated DNS records (DNS integrated into Active Directory and replicated as a part of Domain Services replication)
  • Objects in Active Directory configuration partition (Native AD partitions containing forest-wide information about existing domains and sites' available services, which come per forest and are replicated to all Domain Controllers)

This is a huge step forward for experienced administrators who know what they’re doing. There is just one small trick you need to know to find this functionality: Within the restore operation, hit the Advanced Features button in the main ribbon to be able to see integrated DNS and configuration partition containers, which are normally hidden by default. (Figure 3)

Figure 3. Veeam Explorer for Microsoft Active Directory: Advanced features

With version 9.5, Veeam Explorer for Microsoft Active Directory got something new, as well. Since the general release was aligned with the release of Windows Server 2016, we spent a great deal of time making sure you have support for all of the new Active Directory version forests that run in the Windows Server 2016 functional level, as well as other enhancements. Now, using Veeam Backup & Replication 9.5, you can restore the following AD items (in addition to those previously mentioned):

  • Objects from forests running in the 2016 functional level and using Windows Server 2016 Directory Services for Active Directory (including user and computer account password restore)
  • Expiring links (export to LDF file, not available with LDIFDE utility, is included)

That is, obviously, great for new installations that are running all DC on Windows Server 2016 or Azure mixed domains. And the coolest part is that all of the above is working right out of the box, and you don’t even need to do anything extraordinary.

In conclusion, I can assure you that we were listening to your feedback while developing Veeam Explorer for Microsoft Active Directory, as well as our other products. Write comments below, or, even better, vote up the most wanted new feature you’re currently missing on Veeam forums so we can adjust our program development and provide you with new functionality in future software releases.

Have a great time managing your Active Directory better with Veeam!

Additional resources:

Andrew Zhelezko is a Veeam Technical Product Analyst who gained a strong understanding of Veeam products by working initially in Veeam technical support. This practical experience has helped him speak the same language as Veeam community members. His goal is to help others realize the beauty and power of virtualization. Follow Andrew on Spiceworks.

 

 

 

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish