Blackbird recovery for AD is a module of the Blackbird Management Suite, which consists of Blackbird auditor for AD (real-time auditing for Active Directory), Blackbird auditor for Windows File System (real-time file system auditing), Blackbird privilege explorer for Windows File System (access rights reporting), Blackbird protector (protection against AD modifications), and Blackbird privilege manager (workflow based management of AD privileges).
This suite is not just a collection of Active Directory and Windows file system tools. Essentially, it is one big management tool with different modules that are tightly integrated. Each module can be purchased separately. In this article series, I will only cover Blackbird recovery, the Active Directory backup module.
Today, I will outline why it makes sense to have a specialized Active Directory backup tool. Most organizations back up their Active Directory data with a general-purpose backup tool that is also used to back up file systems, databases, email, etc.
Blackbird recovery does not really compete with these solutions because they usually have a different purpose. While the AD agents of common backup solutions are often only for disaster recovery—that is, the recovery of a whole Active Directory domain or forest—Blackbird recovery’s main purpose is for restoring individual or multiple AD objects and attributes in case of a user error or an application malfunction.
Even if a conventional backup tool supports granular recovery, you usually can only restore the data from the last backup. In comparison, Blackbird recovery allows you to restore the previous state of a particular object at any point in time. That is, the backup software supports continuous data protection (CDP) for Active Directory.
In my experience, AD disaster recoveries are rare because Active Directory is very robust. Even if one of your domain controllers goes down because of a hardware malfunction, you still have “backups” of your directory database on other domain controllers.
On the other hand, Active Directory is an essential service in every Windows network. Not only does Windows rely on it, but many third-party applications depend on it as well. And this is where the problems begin. Applications, admins, and even end users write data to the directory all day long, so errors are inevitable. As with file system backups, most restores are required not because of hardware malfunctions but because of user mistakes or application errors.
Of course, you don’t want to restore your whole Active Directory just because your great new PowerShell script that was supposed to automate a tedious administration task wreaks havoc and “automatically” destroyed half of your directory. An Active Directory disaster recovery, where the complete database has to be restored, is quite complicated and usually shuts down your whole IT infrastructure for the time of the recovery process.
Furthermore, even if your backup software supports restores of individual objects without downtime, you will most often only get one-day-old data. This might still prevent a disaster, but it could also mean that you lose essential data, and your brilliant automation efforts most certainly won't go unnoticed.
Lucky you if you have a backup tool at hand that allows you to restore Active Directory to the point in time when you hit the enter key on the PowerShell prompt, with just a few mouse clicks and without the hassle of an authoritative Active Directory restore. This is where Blackbird recovery comes into play. In my next post I will describe Blackbird recovery’s architecture.
Data handler ^
The diagram above gives you an overview of Blackbird recovery's architecture. As you can see, you have to install an agent, the Blackbird Data Handler, on all your domain controllers to enable the collection of a continuous change log. This agent is not only for Blackbird recovery but for all the other modules of the Blackbird Management Suite. The agent collects the data and stores it directly in a Microsoft SQL Server (or SQL Server Express) database.
Backup data storage ^
It is important to note that Blackbird recovery uses a very efficient gather-and-store mechanism. Objects are stored in binary format in the database, which requires very little space. The first scheduled collection gathers every object that is configured as part of the collection. Subsequent scheduled collections gather and store only objects that have changed, which minimizes the traffic on the wire and the backend storage requirements.
This allows for the recovery of Active Directory objects, and the continuous coverage allows the rollback of any unwanted change without losing all of the changes since the last backup, as is the case with other solutions. Moreover, Blackbird recovery can restore Active Directory objects very quickly because it doesn't store the backup in flat files like conventional backup tools do. There is no need to find out which file or files hold the correct information and to wait for them to decompress before you can perform the recovery.
The SQL Server doesn’t have to be on the same physical server as the Blackbird Server, the core of the Blackbird Management Suite, but it also doesn’t hurt if you run them on the same machine.
Backup data objects ^
Blackbird recovery supports backups of domain-specific data such as users, groups, OUs, DNS data, and GPOs. You can also back up forest-wide data, including Active Directory Sites and Services data and schema classes and attributes.
Please note that GPO rollbacks and certain DNS deletions can't be undone with continuous data protection (CDP); for these, you need scheduled backups. I will discuss the difference between CDP and scheduled backups in my next post.
Also note that only schema changes can be rolled back, not schema extensions. The reason for this is that removing schema extensions (classes or attributes that were added to the schema) is not supported by Microsoft. So, for example, if you install Exchange in your domain, you wouldn't be able to roll back the corresponding Active Directory schema extensions.
User interface ^
The Blackbird client in the diagram is the front end of the suite. It is a Microsoft Management Console (MMC) snap-in, which allows you to run the Blackbird user interface together with Microsoft's own management tools in one console. In addition, some of the Blackbird features are integrated into Microsoft's RSAT tools.
For instance, you can restore objects directly from the Active Directory Users and Computers (ADUC) interface. (I will explain this in more detail in another post.) This also means that you can manage Blackbird recovery from your desktop without logging on to the Blackbird server via RDP. Likewise, the tight integration with Microsoft's management tools helps you learn very quickly how to use Blackbird recovery.
Blackbird recovery offers two types of Active Directory backups: audits and scheduled backups. The audit-based backups are for continuous data protection (CDP), and scheduled backups are backup tasks that run at configurable times. That way, Blackbird recovery offers the advantages of both backup technologies—CDP and scheduled backups.
Continuous data protection for Active Directory ^
A scheduled backup only gives you the state at the time the backup ran. If you require a more recent state, you also need to pin down the point in time more precisely. In most cases, you will just need the last available state; with real-time CDP, this is the state right before the corresponding directory objects were modified.
To enable CDP, you need to deploy the data handler to every domain controller so that all changes are captured in a continuous change log, which is then used to roll back unwanted changes.
Blackbird auditor is one of the modules of the Blackbird Management Suite. This module is not included when you buy Blackbird recovery. However, the free version, Blackbird auditor express, is probably sufficient for backups in most environments. The main limitation of auditor express is that you can only audit object changes of the last two days and 100 events. For restores that are older than two days, you can use scheduled backups.
Scheduled backups ^
CDP allows you to roll back individual unwanted changes or deletions, but sometimes you want to revert to an earlier point in time, for example after a scripted update has written incorrect data to a large number of objects.
To configure a scheduled backup job, you have to create a so-called Collector. Here you specify the domain, the naming context (Default, Configuration, Schema), and the scope (for instance, object only or object and child objects). You also have to schedule when the collector has to run. You can configure hourly, daily, weekly, and monthly backups. Because of Blackbird recovery’s efficient architecture it is no problem to run hourly backups in most environments. That way, Blackbird’s Collectors offer what is usually called near CDP.
Collectors are comparable to incremental backups in conventional backup tools. This backup method is fast because it only stores changes since the last backup. But restores are usually slow because the data has to be rebuilt from multiple backup jobs. However, since Blackbird recovery leverages the speed of SQL Server, restores are quick anyhow.
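The following is an added example, not Blackbird's own code, of the incremental gather-and-store mechanism a scheduled Collector relies on: only objects whose uSNChanged is above the mark stored at the last run are fetched, deleted objects are included so that deletions are recorded, and the mark is tracked per domain controller. It assumes the RSAT ActiveDirectory module and a reachable domain controller; the store path, the attribute list and the JSON layout are assumptions made for illustration (Blackbird keeps its data in SQL Server).

```powershell
# Added example, not Blackbird code: a minimal incremental AD collector.
# Assumes the RSAT ActiveDirectory module and a reachable domain controller.
# Store path, attribute list and JSON layout are assumptions for illustration.
Import-Module ActiveDirectory

function Invoke-AdCollector {
    param(
        [Parameter(Mandatory)] [string] $Server,          # DC to collect from
        # Naming context to collect; pass the Configuration or Schema NC DN
        # (Get-ADRootDSE).configurationNamingContext etc. for forest-wide data.
        [string]   $SearchBase = (Get-ADDomain -Server $Server).DistinguishedName,
        [string]   $StorePath  = "$env:ProgramData\ad-collector",   # assumed location
        [string[]] $Attributes = @('objectClass', 'sAMAccountName', 'description',
                                   'userAccountControl', 'member', 'isDeleted',
                                   'lastKnownParent', 'uSNChanged', 'whenChanged')
    )
    New-Item -ItemType Directory -Path $StorePath -Force | Out-Null

    # uSNChanged is local to each DC and is not replicated, so the high-water
    # mark has to be tracked per DC. That is why a change-capturing agent has
    # to run against every domain controller and not just one of them.
    $dc       = Get-ADDomainController -Identity $Server
    $markFile = Join-Path $StorePath "$($dc.HostName).mark"
    $lastUsn  = 0
    if (Test-Path $markFile) {
        $savedId, $savedUsn = (Get-Content $markFile) -split ':'
        # The invocationId changes when a DC is restored from a backup; its USN
        # counter then restarts, and an old mark would silently skip changes.
        if ($savedId -eq $dc.InvocationId.ToString()) { $lastUsn = [int64]$savedUsn }
    }

    # Read the DC's current mark *before* querying, so a write that lands
    # during the query is picked up again on the next run (at worst the same
    # version is stored twice, but no version is missed).
    $highUsn = [int64](Get-ADRootDSE -Server $Server).highestCommittedUSN

    # Fetch only objects changed since the last run. Deletions turn objects
    # into tombstones under CN=Deleted Objects; without -IncludeDeletedObjects
    # the collector would record every change except the ones you most need.
    $changed = @(Get-ADObject -Server $Server -SearchBase $SearchBase `
        -LDAPFilter "(uSNChanged>=$($lastUsn + 1))" `
        -IncludeDeletedObjects -Properties $Attributes)

    foreach ($obj in $changed) {
        # One version record per object, keyed by objectGUID so that renames
        # and moves (which change the DN) still map to the same object.
        $objDir = Join-Path $StorePath $obj.ObjectGUID.ToString()
        New-Item -ItemType Directory -Path $objDir -Force | Out-Null
        $record = [ordered]@{
            distinguishedName = $obj.DistinguishedName
            collectedFrom     = $dc.HostName
            collectedAt       = (Get-Date).ToUniversalTime().ToString('o')
        }
        foreach ($a in $Attributes) { $record[$a] = @($obj.$a) }
        $record | ConvertTo-Json -Depth 4 |
            Set-Content -Path (Join-Path $objDir "$($obj.uSNChanged).json")
    }

    # Commit the new mark only after every record has been written.
    Set-Content -Path $markFile -Value "$($dc.InvocationId):$highUsn"
    [pscustomobject]@{ Server = $dc.HostName; FromUsn = $lastUsn + 1
                       ToUsn = $highUsn; Objects = $changed.Count }
}

# Usage: run once per DC, e.g. hourly from a scheduled task.
# Get-ADDomainController -Filter * | ForEach-Object { Invoke-AdCollector -Server $_.HostName }
```

Because the store accumulates a full history of the directory, including group memberships and deleted objects, it needs the same access controls as a system state backup: anyone who can read it gets a history of your directory without touching a domain controller.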
Now that you have a general idea about the architecture and capabilities of Blackbird recovery, I will give you an overview of how you can restore objects and attributes with the Active Directory backup software.
Recover deleted Active Directory objects ^
Blackbird recovery offers three ways to restore deleted AD objects: the Recycle Bin in the Blackbird Management Suite console, the Recycle Bin in the Active Directory Users and Computers (ADUC) interface, and the Deleted Objects tab in the object properties in ADUC (or the context menu of the object in ADUC).
Note that this Recycle Bin shouldn’t be confused with the new Recycle Bin feature in Windows Server 2008 R2. As you will see, Blackbird recovery’s functionality goes far beyond this new Windows feature.
If you want to recover deleted objects in a certain container, you can do this via the OU’s properties in ADUC. As mentioned in one of my earlier posts, the Blackbird Management Suite adds part of its functionality to Microsoft’s Active Directory tools.
If you accidentally deleted an OU, you can recover the container with all its child objects through the Recycle Bin. It is also possible to recover single or selected objects this way.
After you decide which objects to recover, you have to choose whether you want to use the audit data or the data of one of the scheduled backups (Collectors). The audit data contains the exact state the object had right before it was deleted (CDP).
If you restore a single object from a scheduled backup, you can view the object’s attribute values first, before you rebuild the object. This is a useful feature if you are uncertain which of the backups you need.
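For comparison, this added example (not Blackbird code) shows what recovering a deleted OU with all its child objects looks like with the built-in Active Directory Recycle Bin that the article mentions above. It assumes the RSAT ActiveDirectory module and that the optional Recycle Bin feature is enabled in the forest; the OU name and the parent DN are parameters. The point it illustrates is the ordering constraint: the container has to be restored before its children, and the restore target of every child is derived from where its parent ended up.

```powershell
# Added example, not Blackbird code: restore a deleted OU and its subtree with
# the built-in AD Recycle Bin. Assumes the RSAT ActiveDirectory module and an
# enabled Recycle Bin feature. Dry run (-WhatIf) unless -Apply is given.
Import-Module ActiveDirectory

function Restore-DeletedOuSubtree {
    param(
        [Parameter(Mandatory)] [string] $OuName,             # e.g. 'Finance'
        [Parameter(Mandatory)] [string] $LastKnownParentDn,  # where the OU lived
        [switch] $Apply
    )
    # Only objects that are deleted but not yet recycled can be restored. After
    # the deleted-object lifetime (180 days by default) they become recycled
    # tombstones and are gone for good, which is one reason to have backups too.
    $deleted = @(Get-ADObject -IncludeDeletedObjects `
        -LDAPFilter '(&(isDeleted=TRUE)(!(isRecycled=TRUE)))' `
        -Properties lastKnownParent, 'msDS-LastKnownRDN', whenChanged)

    # Deleted DNs are mangled ("OU=Finance\0ADEL:<guid>,CN=Deleted Objects,...").
    # Identify the OU by its last known RDN and parent instead of its DN.
    $ou = $deleted |
        Where-Object { $_.ObjectClass -eq 'organizationalUnit' -and
                       $_.'msDS-LastKnownRDN' -eq $OuName -and
                       $_.lastKnownParent -eq $LastKnownParentDn } |
        Sort-Object whenChanged -Descending | Select-Object -First 1
    if (-not $ou) { throw "No restorable OU '$OuName' under '$LastKnownParentDn'" }

    # While the parent is deleted, a child's lastKnownParent resolves to the
    # parent's deleted DN, so the whole subtree can be rebuilt from the
    # Recycle Bin contents alone.
    $byParent = @{}
    foreach ($d in $deleted) {
        if ($d.lastKnownParent) { $byParent[$d.lastKnownParent] += @($d) }
    }

    # Restore-ADObject needs the target container to exist, so walk the tree
    # breadth-first (parent before children) and compute each object's restored
    # DN from its parent's restored DN.
    $plan  = [System.Collections.Generic.List[object]]::new()
    $queue = [System.Collections.Generic.Queue[object]]::new()
    $queue.Enqueue(@{ Object = $ou; TargetPath = $LastKnownParentDn })
    while ($queue.Count -gt 0) {
        $item = $queue.Dequeue()
        $obj  = $item.Object
        # Strip "\0ADEL:<guid>,CN=Deleted Objects,..." to recover the original RDN.
        $rdn = $obj.DistinguishedName -replace '\\0ADEL:[0-9a-fA-F-]+,CN=Deleted Objects,.*$', ''
        if ($rdn -eq $obj.DistinguishedName) { throw "Unexpected DN form: $($obj.DistinguishedName)" }
        $restoredDn = "$rdn,$($item.TargetPath)"
        $plan.Add([pscustomobject]@{ ObjectGUID = $obj.ObjectGUID; Class = $obj.ObjectClass
                                     TargetPath = $item.TargetPath; RestoredDn = $restoredDn })
        foreach ($child in @($byParent[$obj.DistinguishedName])) {
            $queue.Enqueue(@{ Object = $child; TargetPath = $restoredDn })
        }
    }

    foreach ($step in $plan) {
        Restore-ADObject -Identity $step.ObjectGUID -TargetPath $step.TargetPath -WhatIf:(-not $Apply)
    }
    $plan   # the restore order, with the DN each object gets back
}

# Usage (dry run first, then with -Apply):
# Restore-DeletedOuSubtree -OuName 'Finance' -LastKnownParentDn 'DC=corp,DC=example'
```

Note what this does not give you: only the state at deletion time, and nothing for objects that were modified rather than deleted. That is the gap the audit data (CDP) described above fills.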
Roll back Active Directory objects ^
You can also roll back an Active Directory object—that is, restore attribute values of a previous state. For this the object still has to exist in Active Directory. You can roll back AD objects in the Blackbird Management Suite console, either with Blackbird recovery or Blackbird auditor.
It is also possible to roll back objects in ADUC. After you have installed the Blackbird RSAT extensions, the context menu of each object in ADUC offers a new Rollback function. Objects with child objects also have a "Rollback child objects" menu item.
Rollbacks through ADUC or the Blackbird recovery console only allow you to restore attribute values from scheduled backups. A very useful feature here is that you can compare the attribute values with the current state of the object before you initiate the rollback.
If you want to roll back an object using audit data—that is, leverage Blackbird’s CDP feature—you have to use Blackbird auditor in the Blackbird Management Suite console. The main purpose of Blackbird auditor is to monitor changes of AD objects. (For more information please read the article about auditor express.)
However, Blackbird auditor has this really cool feature that allows you to not only view in detail how a certain object was changed (for example, by whom) but also roll back the object to the state before it was modified if you don’t like the modifications. And, best of all, you don’t have to restore the whole object but only the attributes you need.
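The two things this section describes, comparing a stored state of an object with its current state before rolling back, and rolling back only the attributes you need, look like this in plain PowerShell. This is an added example, not Blackbird's code; the write step assumes the RSAT ActiveDirectory module, and the snapshot and the "after the script ran" values at the end are constructed for illustration.

```powershell
# Added example, not Blackbird code: diff a stored attribute snapshot against
# the current object and roll back only selected attributes. The snapshot and
# sample values below are constructed; the write step needs RSAT ActiveDirectory.

function Compare-AdSnapshot {
    # Returns one row per attribute whose value differs. Multi-valued attributes
    # are compared as sets, so a reordered 'member' list is not reported as a change.
    param([Parameter(Mandatory)] [hashtable] $Snapshot,
          [Parameter(Mandatory)] [hashtable] $Current)
    $names = @($Snapshot.Keys) + @($Current.Keys) | Sort-Object -Unique
    foreach ($name in $names) {
        $old = @(@($Snapshot[$name]) | Where-Object { $null -ne $_ } | Sort-Object)
        $new = @(@($Current[$name])  | Where-Object { $null -ne $_ } | Sort-Object)
        if (($old -join "`n") -ne ($new -join "`n")) {
            [pscustomobject]@{ Attribute = $name; Snapshot = $old; Current = $new }
        }
    }
}

function Restore-AdAttributes {
    param(
        [Parameter(Mandatory)] [string]    $Identity,   # DN, GUID or SID
        [Parameter(Mandatory)] [hashtable] $Snapshot,   # attribute -> value(s)
        [Parameter(Mandatory)] [string[]]  $Attribute,  # only these are rolled back
        [switch] $Apply                                 # -WhatIf unless set
    )
    Import-Module ActiveDirectory
    # Roll back only what was asked for: system-maintained attributes such as
    # whenChanged, uSNChanged or objectSid cannot be written, and back-links
    # such as memberOf have to be restored through the forward link (the
    # group's 'member' attribute) instead.
    $obj = Get-ADObject -Identity $Identity -Properties $Attribute
    $current = @{}
    foreach ($a in $Attribute) { $current[$a] = @($obj.$a) }

    $diff = @(Compare-AdSnapshot -Snapshot $Snapshot -Current $current |
              Where-Object { $_.Attribute -in $Attribute })
    if ($diff.Count -eq 0) { return $diff }   # nothing to roll back

    $replace = @{}; $clear = @()
    foreach ($d in $diff) {
        if ($d.Snapshot.Count -eq 0) { $clear += $d.Attribute }  # was empty before
        else { $replace[$d.Attribute] = $d.Snapshot }
    }
    $params = @{ Identity = $Identity; WhatIf = (-not $Apply) }
    if ($replace.Count) { $params.Replace = $replace }
    if ($clear.Count)   { $params.Clear   = $clear }
    Set-ADObject @params
    $diff   # what was (or, in a dry run, would be) changed back
}

# Constructed sample: the state a collector stored before a script ran, and the
# values the script left behind (userAccountControl 512 -> 514 disables the account).
$snapshot    = @{ title = 'Analyst';  description = 'Finance analyst'
                  userAccountControl = 512; department = 'Finance' }
$afterScript = @{ title = 'CHANGEME'; description = 'Finance analyst'
                  userAccountControl = 514; department = $null }
Compare-AdSnapshot -Snapshot $snapshot -Current $afterScript | Format-Table -AutoSize

# Roll back two of the changed attributes on the real object, dry run first:
# Restore-AdAttributes -Identity 'CN=Jane Doe,OU=Finance,DC=corp,DC=example' `
#     -Snapshot $snapshot -Attribute title, userAccountControl
```

The offline comparison at the end reports title, userAccountControl and department as changed and leaves description alone; the rollback call then touches only the two attributes named in `-Attribute`, which is the "restore only the attributes you need" behaviour described above.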
Rollback and recovery of Group Policy Objects (GPOs) ^
Restoring Group Policy Objects (GPOs) works similarly to restoring common Active Directory objects. The main difference is that no CDP is supported for GPO backups at the level of individual settings. Instead, GPOs can be restored from scheduled backups or from automatic versions created by Blackbird. Blackbird recovery detects changes made to GPOs and automatically creates a version of a GPO that has been opened for editing once there have been no further changes for 10 minutes. These automatic versions and the versions created during a scheduled backup are available when performing a restore or rollback.
Deleted GPOs can be restored from the Recycle Bin in the Blackbird Management Suite console. It can be difficult to find the correct GPO because the names don’t appear in the Recycle Bin. However, you can view the GPO settings from the backup if you are unsure which GPO to restore.
Rollbacks of GPOs can be launched from Microsoft’s Group Policy Management console. Before you roll back a GPO you can compare it with the current state in Active Directory (see screenshot). This feature is not only helpful for restores, but it can also be very useful if you just want to find out how a GPO was configured in the past.
I did not describe all features of Blackbird recovery in this series. For example, I didn't cover Active Directory schema and DNS data backups. However, the configuration of these features works similarly.
The tight integration of Blackbird recovery with Microsoft’s management tools is not only very convenient but also helps you to learn how to use Blackbird recovery quickly. After a while it feels as if Blackbird recovery is just a new Windows feature.
I think it became clear in my review that Blackbird recovery offers many features that common Windows backup solutions lack. Blackbird recovery is a highly specialized Active Directory backup solution that ensures that no precious directory data is lost and can be restored easily and quickly. The integration with the other tools of the Blackbird Management Suite completes the powerful Active Directory backup software.