Overview - Active Directory iDataAgent

Choose from the following topics:

• Introduction
• Supported Data Types
• Tree Levels in the Active Directory iDataAgent
• License Requirement
• iDataAgents for Active Directory Server
  • AD LDS/ADAM Attributes
• Disaster Recovery Considerations

Introduction 

The Active Directory iDataAgent provides a feature set above what a system state backup can provide. The Active Directory iDataAgent is designed to give granular backup and restore of individual Active Directory attributes.

Supported Data Types

Data Protection and Data Recovery Operations can be performed for Active Directory objects on a domain controller or AD LDS/ADAM attributes.

The following data types are supported by the Active Directory iDataAgent: 

• Attributes on each supported Windows object
• Computer
• Contact
• Group
• IntetOrgPerson
• MSMQ Queue Alias
• Organizational Unit
• Printer
• User
• Shared Folder
• Configuration
• Schema
• ForestDNSZones

Non-modifiable attributes of an object

Active Directory iDataAgent backs up modifiable and non-modifiable attributes. Active Directory iDataAgent does not restore the following non-modifiable attributes as they are controlled by Active Directory:

• ObjectGUID
• ObjectSid
• PrimaryGroupID
• BadPasswordTime
• LastLogoff
• LastLogon
• MemberOf
• PwdLastSet (only if adldaptool.exe was executed before the backup)
• USNChanged
• USNCreated
• WhenChanged
• WhenCreated
• DistinguishedName
• UserAccountControl

Data Protection Operations for all other data types not mentioned in the above lists are not supported by the Active Directory iDataAgent.

While restoring the Active Directory partitions, consider the Restrictions on Schema Extensions.

Back to Top

Tree Levels in the Active Directory iDataAgent

When the Active Directory iDataAgent is installed, the following levels are automatically created in the CommCell^® Browser:

pear: Client Active Directory: Agent defaultBackupSet: Backup Sets	default: Subclients

Back to Top

License Requirement

To perform a data protection operation using this Agent a specific Product License must be available in the CommServe^® Server.

Review general license requirements included in License Administration. Also, View All Licenses provides step-by-step instructions on how to view the license information.

Back to Top

iDataAgents for Active Directory Server

There are two ways to secure Active Directory objects on Windows Servers:

1. The Windows 2000 and Windows Server 2003 File System iDataAgents secure the File System and System State data on each Active Directory server. System state includes the Active Directory database.
2. The Active Directory iDataAgent allows you to perform in-place restores of Active Directory attributes for existing objects to the original path within the same Active Directory tree, using the same Active Directory server from which the data was backed up.
   • For clients running Windows 2000, should the object not exist in the destination tree (i.e., a user has been deleted), the software re-creates the object in order to restore its attributes, which creates a new SID for the object.
   • For clients running on Windows Server 2003 32-bit, the Active Directory iDataAgent can perform an undelete of the object, maintain the original SID, and restore its attributes providing the adldaptool.exe utility has been run prior to backing up the object.

     When you delete an object in Active Directory, the object is stripped of most of its attributes and moved to the deleted object folder (which is hidden and consequently not backed up). During a restore, the system undeletes the object and restores all of its attributes.

When restoring the attributes of an undeleted object on Windows Server 2003, the system brings back the user account as enabled, but the operating system security marks it as disabled. You will be prompted to reset the password upon the next log on. However, if you have run the adldaptool.exe utility prior to backing up the Active Directory, the passwords will be restored and there will be no need to reset them. See Backup - Active Directory for more information.

The following example shows the iDataAgents needed to fully secure a hypothetical heterogeneous computing environment.

AD LDS/ADAM Attributes

ADAM attributes can be protected and recovered in the same way as any other Active Directory attribute.

During installation of the software, any existing ADAM attributes are automatically discovered and assigned to the default subclient, provided the credentials for each instance are identical. Instances may then be added or removed at a later time as you would any other instance.

Active Directory Application Mode (ADAM) for Windows Server 2003 R2 has been renamed to Active Directory Lightweight Directory Services (AD LDS) for Windows Server 2008.

Disaster Recovery Considerations

• Before you use your agent, be sure to review and understand the associated full system restore (or disaster recovery) procedure. The procedure for some agents may require that you plan specific actions or consider certain items before an emergency occurs.  See Disaster Recovery for more information regarding your agent.

Back to Top