Manage Backup Locations and Backups
This article describes additional recommendations for managing backup locations and domain controller backups.
Manage free space in Backup locations with retention rules
The default network backup storage retention rule is configured to delete older backups during the retention job execution. By default, only the five latest backups of each domain controller are preserved.
To modify or disable the default retention rule:
Expand the Configuration node.
Click the Retention rules node.
Select the Default network backup storage retention rule and click Properties.
Modify the rule as required.
Since Cayosoft Guardian's built-in retention rule retains the latest backups of each domain controller, the following formula can be used to estimate the required storage size to execute a backup plan.
NOTE: Storage size = Average backup size * Number of domain controllers in the backup plan(s) * Number of backup files retained for each domain controller (as per the retention rule).
Backup management best practices
The 3-2-1 Backup Rule
The 3-2-1 backup rule is a common approach to keeping data safe in almost any failure scenario. It requires keeping at least three copies of your data and storing two backup copies on different storage media, with one of them located offsite.
It is especially important to have an offsite copy of your backups. In a ransomware attack, all data on your servers might be encrypted, and you will not be able to recover unless backups have been copied to isolated offsite storage. Consider using Azure file storage as offsite storage. Learn more in: Forest Recovery: Add backup locations
Network configuration for backup locations
When using offsite backup locations such as Azure file storage, or network shares hosted in the cloud or other datacenters, ensure you properly configure network access and routing to secure your backups.
Azure Storage firewall and virtual network settings
When using Azure storage accounts to store backups, configure the Firewalls and virtual networks settings to restrict access:
- Public network access: Enabled from selected virtual networks and IP addresses. Restrict access to only your trusted networks and on-premises IP addresses. Avoid leaving it as Enabled from all networks, which allows access from any internet location.
- Network routing: Where applicable, select Microsoft network routing to ensure data travels over Microsoft's private network backbone for optimized security and performance.
To configure these settings:
Go to your Azure Storage account.
Navigate to Networking > Firewalls and virtual networks.
Select Enabled from selected virtual networks and IP addresses.
Add your trusted virtual networks or on-premises IP ranges.
Save the configuration.
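The same lock-down applied with Az PowerShell, as an added example that is not part of this article or of Cayosoft Guardian; the resource group, storage account, virtual network, subnet and IP range are placeholders you must replace, and the subnet is assumed to already have the Microsoft.Storage service endpoint enabled.

```powershell
#Requires -Modules Az.Storage, Az.Network
# Placeholder names and ranges (assumptions): replace with your own.
$ResourceGroup  = 'rg-guardian-backups'
$StorageAccount = 'stguardianbackups001'
$OnPremRanges   = @('203.0.113.0/24')   # public egress of the Guardian hosts (documentation prefix)
$VNetName       = 'vnet-backup'
$SubnetName     = 'snet-guardian'

# 1. DefaultAction Deny is the portal's "Enabled from selected virtual networks
#    and IP addresses"; Allow would be "Enabled from all networks".
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroup `
    -Name $StorageAccount -DefaultAction Deny

# 2. Allow only the trusted on-premises ranges that write backups.
foreach ($range in $OnPremRanges) {
    Add-AzStorageAccountNetworkRule -ResourceGroupName $ResourceGroup `
        -Name $StorageAccount -IPAddressOrRange $range
}

# 3. Allow the subnet hosting Guardian when it runs inside Azure.
$subnet = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VNetName |
          Get-AzVirtualNetworkSubnetConfig -Name $SubnetName
Add-AzStorageAccountNetworkRule -ResourceGroupName $ResourceGroup `
    -Name $StorageAccount -VirtualNetworkResourceId $subnet.Id

# 4. Network routing: keep traffic on the Microsoft backbone.
Set-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount `
    -RoutingChoice MicrosoftRouting -PublishMicrosoftEndpoint $true

# 5. Verify the result; also usable as a periodic drift check.
function Test-BackupStorageLockedDown {
    param([string]$Rg, [string]$Name)
    $rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $Rg -Name $Name
    # Deny by default AND at least one explicit allow rule present.
    return ($rules.DefaultAction -eq 'Deny') -and
           (($rules.IpRules.Count + $rules.VirtualNetworkRules.Count) -gt 0)
}
if (-not (Test-BackupStorageLockedDown -Rg $ResourceGroup -Name $StorageAccount)) {
    throw "Storage account $StorageAccount is still reachable from all networks"
}
```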
Backup content
Active Directory is backed up as part of the system state, a collection of system components that depend on each other.
Components that comprise the system state on a domain controller include:
System registry.
SYSVOL. The system volume provides a default Active Directory location for files that must be shared for common access throughout a domain.
Active Directory includes:
Ntds.dit: The Active Directory database.
Edb.chk: The checkpoint file.
Edb*.log: The transaction logs, each 10 megabytes (MB) in size.
Res1.log and Res2.log: Reserved transaction logs.
NOTE: If you use Active Directory-integrated DNS, then the zone data is backed up as part of the Active Directory database.