Best Practices - Active Directory iDataAgent

Distributing Subclient Content for an Active Directory Client

Distributing the client data using user defined subclients can improve backup performance as well as facilitate efficient storage resource billing by department. A useful way to distribute the subclient content of an Active Directory client is by departments, corresponding to Organizational Units, as shown in the example below:

Client-A contains the following departments that are set up as Organizational Units in the Active Directory database:

  • Accounting

  • IS

  • HR

  • Customer Service

After the Active Directory iDataAgent is installed, the default subclient content includes all of these OUs. The data can then be distributed across subclients to better balance the backup load. For example, three new user-defined subclients are created, each containing the backup data for one department, which results in the following subclient content configuration for the client:

Subclient                                  Content
User-defined subclient: IS                 ,OU=IS,DC=generic,DC=company,DC=com
User-defined subclient: HR                 ,OU=HR,DC=generic,DC=company,DC=com
User-defined subclient: Customer Service   ,OU=CS,DC=generic,DC=company,DC=com
default subclient                          ,

A bare comma as content means that the subclient contains every portion of the database on the client that is not assigned to another subclient. In this example, the comma (,) resolves to the following LDAP paths:

,CN=Computers,DC=generic,DC=company,DC=com

,CN=Users,DC=generic,DC=company,DC=com

,OU=Accounting-Department,DC=generic,DC=company,DC=com

Reconfiguring Default Subclient

It is recommended that you do not reconfigure the content of the default subclient, because doing so disables its ability to serve as the "catch-all" for client data. As a result, some data may not get backed up.
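To make the catch-all rule and the reconfiguration warning concrete, here is an added Python example (not Commvault code). Given a client's top-level containers and subclient content written as on this page, it works out which paths the bare comma resolves to, flags any DN claimed by more than one subclient, and reports the containers that would be left without a backup if the default subclient no longer carried the catch-all. The container DNs are constructed sample values that follow the page's naming.

```python
DOMAIN_DN = "DC=generic,DC=company,DC=com"
CATCH_ALL = ","  # bare comma: everything not assigned to another subclient

# Constructed sample: the top-level containers of the domain partition on Client-A.
CONTAINERS = [
    "CN=Computers," + DOMAIN_DN,
    "CN=Users," + DOMAIN_DN,
    "OU=Accounting-Department," + DOMAIN_DN,
    "OU=IS," + DOMAIN_DN,
    "OU=HR," + DOMAIN_DN,
    "OU=CS," + DOMAIN_DN,
]

# Subclient content as the page writes it: a comma-prefixed DN per entry,
# or the bare comma for the catch-all default subclient.
SUBCLIENTS = {
    "IS": [",OU=IS," + DOMAIN_DN],
    "HR": [",OU=HR," + DOMAIN_DN],
    "Customer Service": [",OU=CS," + DOMAIN_DN],
    "default": [CATCH_ALL],
}


def normalize(dn):
    """Compare DNs case-insensitively and without whitespace around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def explicit_paths(subclients):
    """Map every explicitly assigned DN to the subclients that claim it."""
    owners = {}
    for name, entries in subclients.items():
        for entry in entries:
            if entry == CATCH_ALL:
                continue
            owners.setdefault(normalize(entry.lstrip(",")), []).append(name)
    return owners


def has_catch_all(subclients):
    return any(CATCH_ALL in entries for entries in subclients.values())


def coverage(subclients, containers):
    """Return (catch-all content, DNs claimed twice, containers nobody backs up)."""
    owners = explicit_paths(subclients)
    duplicated = {dn: names for dn, names in owners.items() if len(names) > 1}
    unclaimed = [c for c in containers if normalize(c) not in owners]
    if has_catch_all(subclients):
        return unclaimed, duplicated, []
    return [], duplicated, unclaimed
```

Running `coverage(SUBCLIENTS, CONTAINERS)` on the page's configuration returns the three paths listed above as the default subclient's content; replacing the default subclient's comma with a single DN makes the remaining containers show up in the unprotected list instead.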

Offline Mining

Do not perform offline mining on a live production database. Offline mining should always be performed with offline copies of the database.

Replicating Active Directories to Other Domain Controllers

Active Directory uses a tombstone mechanism to delete objects from its directory on Windows 2000 and Server 2003 clients. When an Active Directory object is deleted on a domain controller, it is first marked as tombstoned rather than removed from the directory outright. During Active Directory replication, the tombstone is replicated to the other domain controllers, so the object is marked as deleted on all of them. Once the tombstone lifetime is reached, the object is permanently removed from the directory. The default Active Directory tombstone lifetime is 60 days.

When performing restore operations, you must take the Active Directory tombstone lifetime into account. Restoring from a backup that was secured more than one tombstone lifetime before the restore may result in Active Directory inconsistencies: the restored domain controller may contain objects that no longer exist on the other domain controllers. These objects will not be deleted automatically, because the corresponding tombstones on the other servers have already been removed. Therefore, when you restore from a backup that is older than the tombstone lifetime, you may have to delete each unreplicated object on the restored computer manually in order to resolve the inconsistencies.
