In this guide, you’re going to learn how to backup Active Directory.
What you will learn:
- Active Directory Backup Best Practices
- Active Directory Full Backup VS System State Backup
- How to Install Windows Server Backup
- How to Backup Active Directory (Step by step instructions)
- Automate Backup Monitoring (Email Alerts)
Active Directory Backup Best Practices
This first section is very important, I recommend you read them all.
- Restoring Active Directory from a backup should be your last option for recovery.
- You should have multiple domain controllers. This will allow for a single domain controller to fail and still provide full recovery without a backup.
- To expand on the above, DO NOT rely on multiple controllers as your only source of recovery. You should absolutely still be doing a backup of Active directory. All domain controllers can fail, database corruption can occur, viruses, ransomware or some other disaster could wipe out all domain controllers. In this situation, you would need to restore it from a backup. Also backing up Active Directory is FREE so there is no reason not to do it.
- You should enable the Active Directory Recycle Bin, this will give you the ability to restore deleted objects without the need for a backup.
- Document your Active Directory environment, backup policy, and disaster recovery plans.
- Backup Active Directory at least daily, if you have a large environment with lots of changes then consider twice a day backups.
- Ensure you have an offsite backup of Active Directory. This will be explained more throughout this guide.
- Backup two domain controllers in each domain, one of those should hold the Operation master role.
Active Directory Full Backup VS System State Backup
This section will help you understand the difference between doing a full server backup and a system state backup.
- Backs up all server data, including applications and the operating system
- Includes the system state
- Allows for bare metal recovery – This allows for restoring to an entirely different piece of hardware. Although, it is recommended that the hardware receiving the restore have the same hardware configuration.
- If you have lots of data or 3rd party applications installed on your domain controller (not recommended) your backups will be considerably larger.
- The full backup option is best used for restoring the whole server to the same or different server. A full restore will allow you to easily re-install the operating system and use the backup to recover.
System State Backups
The system state backup includes only the components needed to restore Active Directory. The system state includes the following:
- Sysvol from the domain controller – The sysvol includes group policy objects but I still recommend you backup group policy from the GPMC.
- Active Directory database and related files
- DNS zones and records (only for Active Directory integrated DNS)
- System registry
- Com+ Class registration database
- System startup files
- The system state backup is best used for recovering Active Directory only on the same server. It cannot be used to recover a corrupt server operation system. Microsoft does not support restoring a system state backup from one computer to a second computer of a different make, model, or hardware configuration
Install Windows Server Backup
The Windows server backup utility gets a bad wrap, mostly because it is used incorrectly. It is not a solution for backing up your entire enterprise but works great for specific use cases like backing up Active Directory.
I’ve been using it for years to backup Active Directory and it works great. There are a few things to be aware of when using this utility and I’ll point those out throughout this guide.
How to Install Windows Server Backup
Step 1: Open Server Manager
Step 2: Add Roles and Features
Now click on “add roles and features”
Step 3: Select Windows Server Backup
Now just click next a few times to get to the select features page. Select “Windows Server Backup” and click next.
On the next screen click install. When the install is complete click close.
That completes installing the Windows server backup utility.
The next step is to configure the backup.
How to Backup Active Directory (Full Server Backup)
I prefer to use the full backup option instead of the system state backup. This option allows you to easily restore if the operating system or Active Directory becomes corrupt.
It includes the system state so you can choose to restore the entire server or just the system state.
The steps for backing up just the system state are the same you will just choose custom instead of full server.
Here are the settings that will be configured for this backup:
- Daily Backup
- 1 full backup then 14 incremental backups – Windows server backup automatically handles the full and incremental backups no additional configuration is needed.
- The backup destination will be a volume mounted as a local disk. I’m using a SAN with replication to another datacenter for disaster recovery.
- My domain controllers are virtual running in a VMWare environment.
- The domain controller is Windows Server 2016
Step 1: Setup a Dedicated Volume for Backups
Important: When doing a full backup the disk cannot be larger than the one you are restoring to. So if the server you are backing up has a disk size of 50GB, the backup disk cannot be larger than this. The Windows backups are very efficient, the first backup is full then it will do incremental backups. I like to make the backup disk slightly smaller than the disk I’ll be backing up.
Step 2: Configure Windows Server Backup
Open the Windows Server Backup Utility
Click on “Backup Schedule” on the right-hand side
Click next on the Getting started page
Select “Full Server” and click next.
If you want to backup just the system state select “Custom”.
In the above screenshot, the backup configuration will tell you how large the backup size will be. Unless you have 3rd party programs and files on your domain controller the backup should be fairly small. After the first backup, it will do an incremental and only backup the changes.
Click the “advanced settings” button
Click “VSS Settings” then select “VSS full backup”. Click OK
This is recommended if you are not using any other backup product to backup Active Directory.
Configure the backup schedule that works best for you. In my environment, I configured a daily backup at 7:00 PM.
If you have a large environment with lots of AD changes you should consider twice a day backups.
On the specify destination type screen choose “backup to a volume”. Then choose the volume that you configured from step 1.
DO NOT choose “Back up to a shared network folder” This option does not support incremental backups it will overwrite the backup each time.
Confirm backup settings and click finish.
The backup configuration is complete but we need to change a few settings in the scheduled task that was created.
Task Scheduler Settings
Just type in “Task Scheduler” in the search bar and click the app.
Browse to Task Scheduler Library -> Microsoft -> Windows -> Backup
You will see the windows backup scheduled task.
Double click on the task name to open it up.
On the General screen, ensure the task is running as the SYSTEM account and change the configure for to the correct operating system. I’m running 2016 so that is what I have selected.
On the settings screen change the task to stop running if it runs longer than 2 hours. Also, check the box to allow the task to be run on demand.
Click OK. That completes the changes for the scheduled task.
If you want you could right click the task and run it. The backup process may cause a bit of CPU usage so you may need to wait.
The first backup will be a full backup. The next 14 backups will be incremental then it will do another full backup.
You can check the status of backups, disk space used and much more in the backup utility.
The backup configuration is complete, Active Directory will now backup on a daily basis (or whatever schedule you configured it for).
In the next section, I will show you how to easily monitor the backups.
Automate AD Backup Monitoring (Email Alerts)
In this section, I’ll show you how to get email notifications when the backup completes. This is a tested solution that I found from Microsoft and that I use in production.
To automate monitoring of the backups you will configure a scheduled task to trigger an action when event ID 4 has been logged.
Step 1: Setup PowerShell Script
The scheduled task will trigger a PowerShell script when event ID 4 is logged. The script will send an email message.
Copy the script below and paste it into a text file. Save it as AD-Backup-sucess.ps1
You need to change the from address, to address and the SMTP address.
$From = "email@example.com" $To = "firstname.lastname@example.org" $Subject = "DC1 AD Backup SUCCESSFUL" $Body = "DC1 daily backup successful. No further action is required" $SMTPServer = "SMTP address" $SMTPPort = "25" Send-MailMessage -From $From -to $To -Subject $Subject -Body $Body -SmtpServer $SMTPServer -port $SMTPPort
Step 2: Setup Scheduled Task
Open the scheduled task app, in the task scheduler library create a new task.
On the general screen set the following
- Name: AD Backup Success Notification
- Use the following account: SYSTEM
- Set to “Run whether user is logged on or not”
- Run with highest privileges
- Configure for: Choose your operating system
On the Triggers screen click on new and set the following:
- Begin the task: On an event
- Log: Microsoft-Windows-Backup/Operational
- Source: Backup
- Event ID: 4
On the Actions screen click new and configure the following:
- Action: Start a program
- Program/script: C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
- Add arguments: Path to the script from step 1. Example c:\it\AD-Backup-sucess.ps1
Click ok and the task setup is complete.
Now when the backup completes you will receive an email notification.
Active Directory is one of the most critical components in a Windows environment. It seems like everything is dependent on Active Directory or DNS and if it crashes nothing works right or at all. I’ve worked with customers that had a complete domain controller crash (all of them) and literally everything was down. Fortunately, they had backups and was able to recover the domain controllers.
With all the ransomware going around and constant threats you never know what can happen so don’t rely on multiple domain controllers as your only method for AD Backups. You definitely should have multiple domain controllers but in addition, ensure you are running backups as well. Why would you not? I just showed you a way to back them up for FREE.
Stay tuned for my next guide on how to restore Active Directory from a backup.
Sources I used for this guide and additional information on AD backups.