Learn how to backup Active Directory with this step-by-step guide.
Let’s dive right in.
Why it is Important to backup Active Directory
In networks that use Active Directory, it is a critical service that must be running 24/7.
If these servers crash then your business operations can be disrupted or stopped altogether. Users won’t be able to access applications, their data, and files that can make a business run. In a hybrid environment, a failed Active Directory server can even disrupt cloud services.
I have supported companies that had a failed domain controller and it affected almost everything. Employees could not access their files, applications, and even internet access was down. The worst part is they had no backups, so they had to rebuild their domain environment. It took several weeks to fully recover. It was a lot of extra work that could have been avoided if they had backups.
With the ongoing security threats, it’s a real possibility you could be hit with a virus or ransomware. With ransomware, the best protection is to ensure you have backups.
I highly recommend you backup Active Directory and that you start by reading my best practices below.
Active Directory Backup Best Practices
Tip: This first section is very important and could save you from having to restore Active Directory from a backup.
- Restoring Active Directory from a backup should be your last option for recovery.
- You should have multiple domain controllers. This will allow for a single domain controller to fail and still provide full recovery without a backup.
- To expand on the above, DO NOT rely on multiple controllers as your only source of recovery. You should absolutely still be doing a backup of Active directory. All domain controllers can fail, database corruption can occur, viruses, ransomware or some other disaster could wipe out all domain controllers. In this situation, you would need to restore it from a backup. Also backing up Active Directory is FREE so there is no reason not to do it.
- You should enable the Active Directory Recycle Bin, this will give you the ability to restore deleted objects without the need for a backup.
- Document your Active Directory environment, backup policy, and disaster recovery plans.
- Backup Active Directory at least daily, if you have a large environment with lots of changes then consider twice a day backups.
- Ensure you have an offsite backup of Active Directory. This will be explained more throughout this guide.
- Backup two domain controllers in each domain, one of those should hold the Operation master role.
Active Directory Full Backup VS System State Backup
This section will help you understand the difference between doing a full server backup and a system state backup.
- Backs up all server data, including applications and the operating system
- Includes the system state
- Allows for bare metal recovery – This allows for restoring to an entirely different piece of hardware. Although, it is recommended that the hardware receiving the restore have the same hardware configuration.
- If you have lots of data or 3rd party applications installed on your domain controller (not recommended) your backups will be considerably larger.
- The full backup option is best used for restoring the whole server to the same or different server. A full restore will allow you to easily re-install the operating system and use the backup to recover.
System State Backups
The system state backup includes only the components needed to restore Active Directory. The system state includes the following:
- Sysvol from the domain controller – The sysvol includes group policy objects but I still recommend you backup group policy from the GPMC.
- Active Directory database and related files
- DNS zones and records (only for Active Directory integrated DNS)
- System registry
- Com+ Class registration database
- System startup files
- The system state backup is best used for recovering Active Directory only on the same server. It cannot be used to recover a corrupt server operating system. Microsoft does not support restoring a system state backup from one computer to a second computer of a different make, model, or hardware configuration
Install Windows Server Backup
To create an Active Directory backup the Windows server backup utility needs to be installed. This utility gets a bad wrap, mostly because it is used incorrectly. It is not a solution for backing up your entire enterprise but works great for specific use cases like backing up Active Directory.
I’ve been using it for years to backup Active Directory and it works great. There are a few things to be aware of when using this utility and I’ll point those out throughout this guide.
Step 1: Open Server Manager
Step 2: Add Roles and Features
Now click on “add roles and features”
Step 3: Select Windows Server Backup
Now just click next a few times to get to the select features page. Select “Windows Server Backup” and click next.
On the next screen click install. When the install is complete click close.
That completes installing the Windows server backup utility.
The next step is to configure the backup.
How to Backup Active Directory (Full Server Backup)
I prefer to use the full backup option instead of the system state backup. This option allows you to easily restore if the operating system or Active Directory becomes corrupt.
It includes the system state so you can choose to restore the entire server or just the system state.
The steps for backing up just the system state are the same you will just choose custom instead of full server.
Here are the settings that will be configured for this backup:
- Daily Backup
- 1 full backup then 14 incremental backups – Windows server backup automatically handles the full and incremental backups no additional configuration is needed.
- The backup destination will be a volume mounted as a local disk. I’m using a SAN with replication to another datacenter for disaster recovery.
- My domain controllers are virtual running in a VMWare environment.
- The domain controller is Windows Server 2016
Step 1: Create a dedicated disk for backups.
Important: When doing a full backup the disk cannot be larger than the one you are restoring to. So if the server you are backing up has a disk size of 50GB, the backup disk cannot be larger than this. The Windows backups are very efficient, the first backup is full then it will do incremental backups. I like to make the backup disk slightly smaller than the disk I’ll be backing up.
Step 2: Configure Windows Server Backup
Open the Windows Server Backup Utility
Click on “Backup Schedule” on the right-hand side
Click next on the Getting started page
Select “Full Server” and click next.
If you want to backup just the system state select “Custom”.
In the above screenshot, the backup configuration will tell you how large the backup size will be. Unless you have 3rd party programs and files on your domain controller the backup should be fairly small. After the first backup, it will do an incremental and only backup the changes.
Click the “Advanced settings” button
Click “VSS Settings” then select “VSS full backup”. Click OK
This is recommended if you are not using any other backup product to backup Active Directory.
Configure the backup schedule that works best for you. In my environment, I configured a daily backup at 7:00 PM.
If you have a large environment with lots of AD changes you should consider twice a day backups.
On the specify destination type screen choose “Back up to a hard disk that is dedicated for backups”.
DO NOT choose “Back up to a shared network folder” This option does not support incremental backups it will overwrite the backup each time.
Confirm backup settings and click finish.
The backup configuration is complete but we need to change a few settings in the scheduled task that was created.
Task Scheduler Settings
Just type in “Task Scheduler” in the search bar and click the app.
Browse to Task Scheduler Library -> Microsoft -> Windows -> Backup
You will see the windows backup scheduled task.
Double click on the task name to open it up.
On the General screen, ensure the task is running as the SYSTEM account and change the configure for to the correct operating system. I’m running 2016 so that is what I have selected.
On the settings screen change the task to stop running if it runs longer than 2 hours. Also, check the box to allow the task to be run on demand.
Click OK. That completes the changes for the scheduled task.
If you want you could right click the task and run it. The backup process may cause a bit of CPU usage so you may need to wait.
The first backup will be a full backup. The next 14 backups will be incremental then it will do another full backup.
You can check the status of backups, disk space used, and much more in the backup utility.
The backup configuration is complete, Active Directory will now backup on a daily basis (or whatever schedule you configured it for).
In the next section, I will show you how to easily monitor the backups.
Automate AD Backup Monitoring (Email Alerts)
In this section, I’ll show you how to get email notifications when the backup completes. This is a tested solution that I found from Microsoft and that I use in production.
To automate monitoring of the backups you will configure a scheduled task to trigger an action when event ID 4 has been logged.
Step 1: Setup PowerShell Script
The scheduled task will trigger a PowerShell script when event ID 4 is logged. The script will send an email message.
Copy the script below and paste it into a text file. Save it as AD-Backup-Success.ps1
You need to change the from address, to address and the SMTP address.
$From = "firstname.lastname@example.org" $To = "email@example.com" $Subject = "DC1 AD Backup SUCCESSFUL" $Body = "DC1 daily backup successful. No further action is required" $SMTPServer = "SMTP address" $SMTPPort = "25" Send-MailMessage -From $From -to $To -Subject $Subject -Body $Body -SmtpServer $SMTPServer -port $SMTPPort
Step 2: Setup Scheduled Task
Open the scheduled task app, in the task scheduler library create a new task.
On the general screen set the following
- Name: AD Backup Success Notification
- Use the following account: SYSTEM
- Set to “Run whether user is logged on or not”
- Run with highest privileges
- Configure for: Choose your operating system
On the Triggers screen click on new and set the following:
- Begin the task: On an event
- Log: Microsoft-Windows-Backup/Operational
- Source: Backup
- Event ID: 4
On the Actions screen click new and configure the following:
- Action: Start a program
- Program/script: C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
- Add arguments: Path to the script from step 1. Example c:\it\AD-Backup-sucess.ps1
Click ok and the task setup is complete.
Now when the backup completes you will receive an email notification.
Active Directory is one of the most critical components in a Windows environment. It seems like everything is dependent on Active Directory or DNS and if it crashes nothing works right or at all. I’ve worked with customers that had a complete domain controller crash (all of them) and literally everything was down. Fortunately, they had backups and were able to recover the domain controllers.
With all the ransomware going around and constant threats you never know what can happen so don’t rely on multiple domain controllers as your only method for AD Backups. You definitely should have multiple domain controllers but in addition, ensure you are running backups as well. Why would you not? I just showed you a way to back them up for FREE.
Next, check out my guide on how to restore Active Directory from backup.
- Automate System State backup – Microsoft documentation
- Windows Server Backup Feature Overview
23 thoughts on “Backup Active Directory (Full and Incremental Backup)”
Typo alert! DNZ should be DNS.
Thanks. I have updated it.
Where is the discussion of offsite backups of ADm
I mentioned it in the best practice section.
Along the same topic of offsite backups, can you move the files on the backup volume to a network drive or external hard drive and be able to use that to recover from?
Very useful doc!
I have not tested that with the built-in Windows backup utility. I have tested moving the backup from one SAN to another SAN and it restored with no issues, the disk I recovered from appeared as a local disk.
I have a question: what about restore? To be more clear. I have two domain controller (one only domain). I am planning to backup the DC master instance. What about slave DC instance in case of restore. I am planning to make a partial “demote” about slave instance (to not conflict with timestamp than master that, as backup, will be sure older), but it could be done previously than the restore of master instance. And after master recovery the DC slave instance will be joined again in the domain so it could re-sync. In this way there is a moment of restore procedure when I will be without any DC available! I am missing something? This is valid for all slave instances.
You should only restore if you have a complete loss of all domain controllers. If you have two DCs you can lose one and still fully recover without doing a restore. If you lose one just spin up a brand new domain controller and everything will replicate. Does that help?
Great write up! Much appreciated.
With superb explanation of each feature.
Really helpful for everyone.
I have one question.
Can we set any restoration policy like how long it can restore the backup file because I have set up an Active directory System state backup on a dedicated drive. But day by day it is consuming lot’s of space and decreasing free disk space size. Please let me if we have any solution to this.
I don’t think there is a way to define the retention policy with windows backup. It does have auto disk management so when the disk is low on space it will automatically purge old backups to make room for new backups. You can read more on this at the link below
Great article. Thanks. A couple of questions. If I backup to a dedicated disk can I modify what the backup job backs up without wiping the backup disk. So let’s sad I have been backing up C and D to a dedicated Windows Server backup disk. Then I add an E drive to the host. Can I modify the existing backup to include the E without wiping out the backups already there on the USB?
Thank you for this masterpiece!
Ayoub, you are welcome!
Awesome article! I’m a little confused. Why do you make the backup volume smaller than the source? I would assume that it wouldn’t have enough space for a full server backup. Thanks.
I think I did that to ensure the backup disk would not be bigger than the source, you want to avoid this or you will have restore issues. It’s only going to backup used disk space so the backup disk doesn’t have to match the source. On the select backup configuration screen, it will show you how much data will be backed up, this can help you determine how big your backup disk needs to be (allow room for growth).
Thanks, Robert, for this lovely article on AD backup… I have fresh up my memories.
Hi Robert Allen,
It was great explanation, i have a doubt can we compress 14 incremental backup to 7incremental & then a full backup.is there any possibility please suggest, Thanks.
I’m not sure what you are asking. As long as there is enough disk space it should hold all the backups.
According to your explanation, a full backup will be the first backup. The following 14 backups will be incremental, and then a new full backup will be made. Therefore, my criterion is that the first backup be a complete backup. The following seven backups will be incremental before another complete backup is performed. (It is a weekly task that requires a complete backup every 6-7 days following an incremental backup.) Please provide a step-by-step process if at all possible.