Veeam SureBackup for Domain Controller verification job

A Veeam SureBackup for Domain Controller job provides the ability to verify the recoverability of both the virtual machine and the running application, in this case a Microsoft Active Directory deployment. Veeam Backup & Replication includes native support for the most popular enterprise applications. Applications with no native support (typically the ones running on Linux and Unix OSes or without Microsoft VSS integration) can still be fully protected and restored with additional steps. These additional steps often include the instructions from the original vendors on how to take an application consistent backup of their application. All these instructions are executed by Veeam Backup server with scripts. More details on this in dedicated article.

In the case of Microsoft Active Directory it is possible to take an application and crash consistent backup for the AD Servers and it’s components. In case of disasters, when it is necessary to restore the main or read-only AD Domain Controllers it is always a good idea to check the dependencies with other services and roles. And probably when the failure occurs there is not much time to test and verify these. How can Veeam SureBackup help?

Configuring a job for Veeam SureBackup for Domain Controller gives the opportunity to verify the VM to be restored and makes sure the essential services and dependencies are satisfied. In a nutshell, Veeam creates a “bubble network” where a temporary instance of the Microsoft Domain Controller is published directly from its backup. The Backup stays in read only. Veeam SureBackup for Domain Controller job at this point is ready to power on the Domain Controller VMs, run several tests like boot time, ping and heartbeat. In addition, there are several roles that can be tested by mean of built-in Veeam SureBackup scripts. In the case of Microsoft Domain Controllers this includes:

DNS Server
Domain Controller (Authoritative restore)
Domain Controller (Non-Authoritative restore)
Global Catalog

The Veeam SureBackup job will run all these tests and produce a report showing evidence on what has passed and what as failed. Veeam SureBackup jobs can be scheduled as well. So for example a good practice is to run these along with the backup plans. Ensuring the environment is protected and fully recoverable.

How to use Veeam SureBackup for Domain Controller verification

To verify the Microsoft AD controllers the first step is to create a Veeam Application Group for the desired servers. From main Veeam console > Backup Infrastructure > SureBackup let’s create a new Application Group.

In this example this group includes the main Active Directory Domain Controller.

domalab.com Veeam SureBackup for Domain Controller application group

At this point the option to add VMs directly from Backups, Replicas and even Storage Snapshots.

domalab.com Veeam SureBackup for Domain Controller add virtual machines

At this point for each one of the virtual machines there is the option to specify which verification steps should be included. The Veeam SureBackup jobs already ships with predefined “SBRoles” for popular enterprise applications. These can be any combination of ping tests to well-known ports as to the ability to run custom made scripts. It is possible to add more SBRoles and cover even more applications as covered in the next article.

domalab.com Veeam SureBackup for Domain Controller verification options

In the Startup Options tab for each VM the ability to specify the amount of memory to allocate to the VM during testing and other parameters as well like the minimum allowed boot time and the application initialization timeout. Tweaking these parameters allows to adjust the resources specific to the applications to test. For example the default value for memory allocation to the test VM is 100%. Maybe for specific tests and SBRoles half of that is required or even less. Certainly for each application it is possible to provide set amounts of RAM Memory as required during the verification process. In addition, one more thing to consider is all temporary VMs used for verification are always published in the same Resource Pool where the Veeam Virtual Lab is running.

domalab.com Veeam SureBackup for Domain Controller startup options

The Test Scripts section is automatically populated with the SBRoles previously selected. In this case as soon as the VM is powered on Veeam Backup server will perform a ping test to ports 53, 389 and 3268. This will ensure the pertinent services are running and listening to the associated ports.

domalab.com Veeam SureBackup for Domain Controller test scripts

Last but not least the option to specify the credentials that will be used to run the tests within the VM. Particularly useful also when running custom scripts.

domalab.com Veeam SureBackup for Domain Controller credentials

And a final wizard summary showing the main Application Groups configuration details.

domalab.com Veeam SureBackup for Domain Controller application group summary

At this point everything is ready to create a new Veeam SureBackup for Domain Controller verification job.

domalab.com Veeam SureBackup for Domain Controller job configuration

In the Application Group section let’s select the appropriate one created in the previous step. This will show all the VMs to verify included the associated SBRoles.

domalab.com Veeam SureBackup for Domain Controller application group selection

In addition, there is the opportunity to link existing backup jobs from other jobs and include more servers. Very useful when there are dependencies between several machines.

As soon as the job is completed the SureBackup configuration also sends SNMP traps and email reports when configured.

As a last step for the Veeam SureBackup configuration the option to conveniently setup a schedule to automatically verify the important backups according to requirements.

And finally a wizard summary with the main settings for the job.

As soon as the job is starting the Veeam SureBackup configuration will compile the Proxy appliance used by the Virtual Lab and and publish the temporary Domain Controller VM directly from the backup file.

During this time Veeam SureBackup will run the verification tests as configured in the SBRoles or simply Test Scripts tab.

As the screenshot is showing the test executed the verification for DNS, Domain Controller and Global Catalog network ports. These are built-in tests. It is possible to add custom ones also based on scripts using Command Prompt, PowerShell in case of Windows based VMs.

As soon as the tests are completed Veeam SureBackup will power down and unpublish (delete) the VM in the bubble or isolated network and produce the report.

From the ribbon the ability to check the report with the main details about the execution. This is particularly useful to understand which components might fail and also which other are required in terms of dependencies with other servers.

This article covered the basic steps on how to validate and verify the recoverability of an enterprise application using built-in SureBackup SBRoles. In the next article the steps on how to verify other enterprise applications using custom SureBackup SBRoles.