Configure a backup plan

---

Content: 

Summary

This article describes some of the best practices for Backup Plan management.

A Backup Plan must be created and properly configured in Cayosoft Guardian to protect your Active Directory forest from forest-wide failures. A Backup Plan is a job with a schedule, a list of domain controllers to back up, and connected Backup Locations where backups will be copied to. 

Learn more about agent management. 

What domain controllers should be added to a backup plan 

According to Microsoft's best practices, at least two DCs in each domain should be backed up regularly. 

Cayosoft Guardian requires only one valid backup of an Active Directory domain controller to recover a domain, but for redundancy, it is strongly recommended to back up at least two domain controllers. 

Domain controllers holding PDC FSMO role should be considered as targets for a backup since they normally have more recent data in their Active Directory database. This doesn't affect the recovery process as during the recovery process first recovered DC will seize FSMO roles and a backup from any DC can be used.

 

To edit the list of domain controllers in the backup plan:

1. Open Cayosoft Guardian Web Portal,
2. Expand Forest Recovery node,
3. Click on the Backup Plans node,
4. Select your Backup plan and press Properties,
5. Switch to Domain Controllers tab,
6. Use Add and Delete actions to select domain controllers to be backed up.

How often do I need to back up my domain controllers

A number of changes in the Active Directory should be considered when a backup plan is devised. In most cases, daily backup of domain controllers is recommended. ​

Use the following criteria to assess the frequency of your backups:​

1. Small environments with a single domain controller in the forest or domains that exist in a single physical location (that is, domains that have a single point of failure): create backups at least daily.​
2. Medium (10 to 49 domain controllers) and large environments (50 to 1,000 or more domain controllers): Create backups of each unique directory partition in the forest on two different computers at least daily with an emphasis on backing up application directory partitions, empty root domains, domains in a single geographic site, and sites that have large populations of users or that host mission-critical work.​
3. Make backups with increasing frequency until you are confident that if you lose the objects that were created or modified since the last backup, the loss would not create a disruption of your operations. Major changes to the environment should always be immediately followed by a new system state backup.​
4. Consider using continuous data protection feature in Cayosoft Guardian to afford to back up less frequently and restore from Change History.

 

How to manage advanced settings of a backup plan

Advanced settings of a backup plan allow fine-tuning of your backup plan. Use Controllers to backup in parallel to change the number simultaneously backed up domain controllers in order to optimize network bandwidth, backup process duration, or to meet network storage requirements related to a number of allowed connections.  Use Agent deployment settings to change how agents will be deployed or updated within a backup plan execution. 

1. Open Cayosoft Guardian Web Portal
2. Expand Forest Recovery node
3. Click on the Backup Plans
4. Select your Backup plan and press Properties
5. On the Settings tab select Backup AD DC action in the Actions table, press Properties
6. Edit settings if necessary

How to use backup encryption

Prerequisites

BitLocker feature must be enabled on all domain controllers in the backup plan.

Cayosoft Guardian enables BitLocker Drive Encryption on domain controllers automatically if it is not enabled. If a backup plan execution history contains a specific error related to BitLocker Drive Encryption, you might need to reboot your domain controllers to complete BitLocker Drive Encryption installation.

 

Configure backup plan

 

Cayosoft Guardian allows protecting backup files at rest using BitLocker. By default, encryption is enabled, and the password is automatically generated. Also, you can specify your own password in the backup plan. To simplify the recovery process, it is recommended to use the same password in all backup plans.

 

During the backup plan execution, Cayosoft Guardian creates Hard Disk Image File (.vhdx) on the specified backup location and encrypts it using BitLocker technology.  

Learn more about BitLocker technology.

 

NOTE: Export a passphrase and keep it securely. Without a password, you won't be able to access your backups and perform a recovery.  

 

How to export the passphrase from the backup plan:

1. Open Cayosoft Guardian web portal
2. Expand Forest Recovery node
3. Select Backup plans node
4. Select your backup plan
5. Press Export Backup Password
6. Copy file with the password to a secure location

To disable backup encryption in the backup plan:

1. Open Cayosoft Guardian web portal
2. Expand Forest Recovery node
3. Select Backup plans node
4. Select your backup plan
5. Press Properties
6. On the Settings tab, remove Enable backup encryption checkbox.

How to assign a managed host to a backup plan

In some environments, you might have machines with the same name managed by Cayosoft Guardian.

For example, DC1 was in the source test lab environment and it was recovered to a remote recovery site in Azure. In such a case Cayosoft Guardian will not continue to backup DC1 and the backup plan will fail with an error. To back up managed hosts with the same name, such hosts must be manually assigned to the backup plan. 

To assign a managed host to a plan perform the following steps:

1. Open Cayosoft Guardian Web Portal,
2. Expand Forest Recovery node,
3. Click on the Backup Plans,
4. Select your Backup plan and press Properties,
5. On the Domain Controllers tab, select a domain controller and press Properties,
6. Select Source Host.