Data Protection for VMware provides back up and restore protection for VMs that host Microsoft Active Directory Domain Controllers in both stand-alone and clustered environments. A clustered environment contains multiple domain controllers that participate in Active Directory. This protection prevents USN rollback.
USN rollback is a condition that results from restoring the Active Directory domain controller in an improper manner. When the domain controller is locally restored, this condition prevents any of its changes from being replicated to other domain controllers. These changes are not replicated because the restored USN is earlier than the USN that is tracked by the other domain controllers. Similar changes on other remote domain controllers are not replicated back to the locally restored domain controller. As a result, the topology remains in an unsynchronized state.
To prevent USN rollbacks, Data Protection for VMware protects guest VMs in a clustered environment where multiple domain controllers participate in Active Directory replication. The backed up VM guest that hosts the Active Directory domain controller is recovered by implementing non-authoritative restore.
Non-authoritative restore recovers the Active Directory (or domain controller) to the version taken at the time of the backup. When the recovered Active Directory (or domain controller) is restored, it is updated with information from the other domain controllers through the existing replication process.
Environment requirements
Microsoft Windows 2008 (32-bit, 64-bit), Microsoft Windows 2008 R2 (64-bit), or Microsoft Windows Server
2012Important: To protect Active Directory on a VM guest that is running on Microsoft Windows Server 2012, one of the following levels of VMware are required:- VMWare vSphere 5.0 Update 2 (vCenter Server and ESXi must both be at 5.0 Update 2)
- VMWare vSphere 5.1 (ESXi 5.0 Update 2 or later)
- A current version of VMware Tools
must be installed and must be running on the VM guest at the time
that it is backed up. This VM guest must be powered on for Data Protection for VMware to detect
Active Directory. Otherwise, Active Directory will not be detected
and restore protection will be unavailable.
- The Data Protection for VMware Enablement
File must be installed on the vStorage Backup server for successful
restore of VMs that host Active Directory Domain Controllers.
- Backups that are created by Tivoli® Storage FlashCopy® Manager for VMware.
- Backups that are created by Data Protection for VMware and Tivoli Storage FlashCopy Manager for VMware.
- A Tivoli Storage Manager data mover that is installed on Linux.
- A file-level restore of Active Directory objects.
- During a full VM instant restore, instant access and instant verification are blocked when the Active Directory domain controller is detected on the VM backup to be restored and the VM guest is on Windows 2008 or Windows 2008 R2.
- Backup and restore of VMs running Active Directory Lightweight Directory Services (AD LDS) is not supported.
- Recovery of expired Active Directory tombstone objects is not supported. To help prevent Active Directory objects from expiring, run backups more frequently than the default tombstone life of 60 days.