Skip to main content

Backup Functionality Summary

Overview

Netwrix Recovery for Active Directory uses Microsoft's Directory Synchronization ("DirSync") control, a Lightweight Directory Access Protocol (LDAP) server extension, to facilitate its Active Directory backup jobs.

When the product performs a backup, it executes a search of Active Directory using the DirSync control. As part of the search parameters, a provider-specific data element ("cookie") is passed to the control. The cookie identifies the state of Active Directory as of a specific point in time and directs DirSync to return only objects that have changed since the previous state identified by the cookie. This capability allows Netwrix Recovery for Active Directory to both minimize the volume of data that is returned from Active Directory and avoid the computationally expensive and potentially error-prone process of manually calculating the differential between backups.

After a domain is added, an initial backup is performed and a null cookie is passed to DirSync. This results in the DirSync control returning all objects to Netwrix Recovery for Active Directory, as well as a valid cookie. The next backup of the domain can then pass this cookie to DirSync, resulting in the DirSync control returning only the objects that have changed since the previous backup. This process is then repeated for each subsequent backup.

DirSync Control Behavior and Limitations

  • A DirSync control search returns all of the changes that are made to an Active Directory object regardless of the permissions that are set on the object. Additionally, a DirSync control search with the appropriate permissions returns deleted objects. This allows us to be confident in the fact that a backup has not missed any changes.

  • When an object is renamed or moved, its child objects, if any, are not included in the results of a DirSync control search, even though the distinguished names of the child objects have changed. Similarly, when an inheritable access control entry ("ACE") is modified in an object security-descriptor, the child objects, if any, are not included in the results of a DirSync control search, even though the security-descriptors of the child objects have changed.

  • The results of a targeted DirSync control search automatically include deleted objects that match the specified search filter. However, the changes that are made to an object during the deletion process can result in a search filter that successfully returns an object when it is live failing to return that object after it has been deleted.

  • The results of a DirSync control search indicate the state of the objects on the targeted domain controller ("DC") at the time of the search. This means that changes made on other DCs will not be included if they have not yet been replicated to the target DC. It also means that an object's attributes may have changed several times since the previous DirSync search, but the search results will show only the final state of the attributes, not the sequence of changes.

  • Microsoft's best practice when using DirSync cookies is to bind to the same DC that generated the cookie being used. If the same DC is unavailable, their official recommendation is to either wait until it is once again available or bind to a new DC and perform a full synchronization.

  • A cookie generated by one DC can be passed to a different DC hosting a replica of the same directory partition without any chance of missing changes. However, replication latency between the old DC and the new DC may include changes already reported by the old DC and, in some cases, this can result in all objects being returned, as with a full synchronization.

  • The DirSync control must run by using a user account that has the Replicating Directory Changes permission on the domain naming context.

  • A DirSync control search cannot be confined to a specific area of Active Directory. Because all changes made to an Active Directory partition are returned from a DirSync control search, access to object data that is not wanted may occur.