Active Directory (AD) is a crucial component of most Windows-based networks. It stores information about users, computers, and other network resources, which makes it central to both network management and security. Like any other network component, AD is exposed to data loss or corruption.
This is where backups come in. Backing up AD is essential to ensure business continuity after a disaster or other unexpected event. This post covers how to back up Active Directory with the built-in Windows Server Backup feature, along with best practices and strategies to make sure the data is safe and recoverable.
Is Active Directory Backup Necessary?
Backing up Active Directory (AD) is necessary and a critical component of any network management strategy. AD is a centralized database that stores user accounts, computer accounts, group policies, security policies, and other critical information about your network. Any damage or loss of this data could result in downtime, loss of productivity, and damage to your business operations.
By performing regular backups of AD, you ensure that you have a backup copy that you can restore in case of any data loss or corruption to get your network back up and running quickly. Backup also protects against accidental deletions, hardware failures, software errors, and other disasters that can damage your data.
What are the Active Directory Backup Best Practices?
You need to follow some best practices to ensure that your AD backups are reliable and recoverable. Here are some of the best practices for Active Directory backup:
- Use a dedicated backup destination: Write AD backups to a disk, volume, or network share that is dedicated to backups, never to one of the domain controller’s own critical volumes, and keep the backup workload off the domain controller where possible.
- Schedule regular backups: Schedule backups of AD at a fixed interval so you always have recent data to fall back on in case of data loss or corruption.
- Use multiple backup methods: Third-party backup solutions typically combine full, incremental, and differential backups; pick the combination that meets your recovery point objective.
- Verify backup integrity: Check that each backup job actually succeeded and that a backup version was written, so you know it is recoverable in a disaster.
- Test backup restoration: Rehearse the restoration process regularly in an isolated lab so that the backups are known to be recoverable and the procedure is familiar when it is needed.
- Store backups in a secure location: A system state backup contains the AD database (ntds.dit) and the SYSTEM registry hive; anyone who can read the backup file can extract every domain password hash from it offline. Protect backup media as strictly as the domain controller itself, preferably off-site or in the cloud and encrypted, and restrict read access to backup administrators.
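The following script is an added example (it is not from the original post) that checks the last two practices against a Windows Server Backup destination: whether the newest backup version is recent enough, and whether any broad group has been granted access to the backup folder. It assumes the WindowsServerBackup module is available (it ships with the feature), that the backup target is the E: volume, and that backups are expected daily; the path, age threshold and group list are assumptions you should adjust.

```powershell
# Added example (not part of the original post): checks two of the practices
# above against a Windows Server Backup destination. Assumptions: the
# WindowsServerBackup module is available (it ships with the feature), the
# backup target is the E: volume, and backups are expected daily.
Import-Module WindowsServerBackup

$TargetVolume = 'E:'                        # assumed backup target
$BackupRoot   = 'E:\WindowsImageBackup'     # folder wbadmin creates on that target
$MaxAgeHours  = 26                          # one day plus slack for a late job

# A system state backup contains ntds.dit and the SYSTEM hive, so these
# identities must never have read access to it.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Test-BackupFreshness {
    param([string]$VolumePath, [int]$MaxHours)
    $target = New-WBBackupTarget -VolumePath $VolumePath
    $sets   = Get-WBBackupSet -BackupTarget $target -ErrorAction SilentlyContinue
    if (-not $sets) {
        return [pscustomobject]@{ Check = 'Freshness'; Ok = $false; Detail = "no backup versions on $VolumePath" }
    }
    $newest = $sets | Sort-Object BackupTime -Descending | Select-Object -First 1
    $age    = (Get-Date) - $newest.BackupTime
    [pscustomobject]@{
        Check  = 'Freshness'
        Ok     = ($age.TotalHours -le $MaxHours)
        Detail = "newest version $($newest.VersionId) is $([int]$age.TotalHours) hours old"
    }
}

function Test-BackupExposure {
    param([string]$Path, [string[]]$Broad)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Check = 'Exposure'; Ok = $false; Detail = "$Path does not exist" }
    }
    $acl = Get-Acl -LiteralPath $Path
    # Every Allow ACE granted to a broad group is a finding, whatever the rights:
    # read access alone is enough to copy ntds.dit off the box.
    $findings = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $Broad -contains $ace.IdentityReference.Value) {
            "$($ace.IdentityReference.Value) has $($ace.FileSystemRights)"
        }
    }
    [pscustomobject]@{
        Check  = 'Exposure'
        Ok     = (-not $findings)
        Detail = if ($findings) { $findings -join '; ' } else { "no broad groups in the ACL of $Path" }
    }
}

$results = @(
    Test-BackupFreshness -VolumePath $TargetVolume -MaxHours $MaxAgeHours
    Test-BackupExposure  -Path $BackupRoot -Broad $BroadPrincipals
)
$results | Format-Table Check, Ok, Detail -AutoSize
if ($results.Ok -contains $false) { exit 1 }   # non-zero exit so a monitoring job can alert
```

Run it as an administrator on the domain controller (Get-WBBackupSet queries the local backup catalog). If the backups go to a network share, point $BackupRoot at the share path and check the share permissions as well as the NTFS ACL, since the more permissive of the two is what a remote reader actually gets.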
Types of Active Directory Backup
When it comes to backing up Active Directory, third-party backup solutions offer more features and more ways to back up AD data, but this post does not cover any third-party commercial products.
The Windows Server Backup feature built into Windows Server is free and is sufficient for Active Directory backup. It can perform the following types of backup:
Full Server Backup
A full server backup takes a complete copy of the entire server, including all system and application data, the Active Directory database and all associated components. This type of backup is useful for restoring the entire server (bare metal) in case of a disaster.
With a full server backup, you can quickly recover your Active Directory database and all other essential files and data in a single restore operation.
System State Backup
A system state backup is a partial backup that includes only the critical system components, such as:
- The Active Directory database (ntds.dit and its transaction logs)
- The SYSVOL folder (including Group Policy objects and logon scripts)
- AD-integrated DNS zones and records (stored inside the AD database)
- The Certificate Authority database, if the AD CS role is installed
- System boot files
- The system registry
- The COM+ Class Registration (Component Services) database
System state backups take less time to perform than full server backups and require less storage space, making them a convenient and efficient backup option.
Installing the Windows Server Backup Feature
The Windows Server Backup feature is available but not installed by default. You can install it from Server Manager or PowerShell; for convenience, let’s use PowerShell.
First, check whether the Windows Server Backup feature is already installed. Open PowerShell as an administrator and run:
Get-WindowsFeature Windows-Server-Backup
If the output shows the feature’s Install State as Installed, you’re good to go. If not, install it with:
Install-WindowsFeature Windows-Server-Backup
How to Backup Active Directory with System State Backup
First, let’s perform a system state backup. Depending on your preference, you can use the Windows Server Backup console (GUI) or the wbadmin.exe command-line tool.
Using the Windows Server Backup Console
- Open the Windows Server Backup console (Server Manager → Tools → Windows Server Backup, or run wbadmin.msc). Click the “Local Backup” node and click “Backup Once…” in the Actions pane.
- In Backup Options, choose “Different options” and click Next.
- Select “Custom” backup configuration and click Next.
- In the Select Items for Backup, click Add Items, choose “System State” as the item to backup, and click OK.
- Click Next.
- Select the destination where you want to store the backup and configure any additional backup settings as needed. I’ll choose “Local drives” in this example and click Next.
- Select the backup destination from the dropdown list. Ensure that the backup destination has enough free space. In this example, I choose Drive E as the backup destination and click Next.
- Review the backup settings and click “Backup” to start the backup process.
- Wait for the backup process to complete. Once the system state backup is finished, click Close.
That’s it! We’ve completed the Active Directory system state backup.
- Open File Explorer and navigate to the backup location. The directory structure follows this hierarchy → %DRIVE%\WindowsImageBackup\%SERVERNAME%.
Using the Command Line
This time, let’s take the Active Directory system state backup with the command-line tool wbadmin.exe.
Open PowerShell or Command Prompt as an administrator.
Type the command below and press Enter. The -backuptarget value must be one of the following path forms:
- The root drive letter (E:)
- The volume GUID (\\?\Volume{ca86176e-0000-0000-0000-100000000000}\)
- A UNC path to a shared folder (\\ServerName\ShareName\)
I’m choosing the E drive as the backup target in this example:
wbadmin start backup -systemState -backuptarget:E:
- Press Y and Enter to confirm, then wait for the backup process to complete. (Add the -quiet flag to the command to skip the confirmation prompt, for example when running it from a script.)
How to Backup Active Directory with Full Server Backup
Full system backups are another way to back up Active Directory. This type of backup dumps the entire system, which can be used for bare-metal restoration should it be needed.
Using the Windows Server Backup Console
- Open the Windows Server Backup console by running wbadmin.msc, or from Server Manager → Tools → Windows Server Backup.
- On the console, click on the “Local Backup” node and click “Backup Once…” under the Actions pane.
- In Backup Options, choose “Different options” and click Next.
- Select “Custom” backup configuration and click Next.
Note. Choosing the “Full server” option instead includes all disks. If you want to back up everything, even non-operating-system drives, choose that option.
- Click Add Items, select “Bare metal recovery”, unselect any external/additional storage devices, and click OK. In this example, I unchecked drive E (the backup destination) from the full backup; the destination volume cannot also be one of the volumes being backed up.
- Click Next.
- Select the destination type where you want to store the backup and configure any additional backup settings as needed. I’ll choose “Local drives” in this example and click Next.
- Select the backup destination from the drop-down list. Ensure that the destination has enough free space. In this example, I choose drive E as the backup destination and click Next.
- Review the backup settings and click “Backup” to start the backup process.
- Wait for the backup process to complete and click Close.
Using the Command Line
Open PowerShell or Command Prompt as an administrator.
Type the command below and press Enter. The -backuptarget value must be one of the following path forms:
- The root drive letter (E:)
- The volume GUID (\\?\Volume{ca86176e-0000-0000-0000-100000000000}\)
- A UNC path of the shared folder (\\ServerName\ShareName\)
I’m choosing the E drive as the backup target in this example. The -allCritical flag includes all critical volumes, i.e. every volume that holds operating system files or components; it is the command-line equivalent of selecting Bare metal recovery in the Windows Server Backup console.
If you need to exclude specific files, folders, or volumes, use the -exclude flag.
wbadmin start backup -allCritical -backuptarget:E:
The prompt shows which items will be backed up; in this case, the System Reserved partition and the whole of drive C. Press Y and Enter to confirm.
Wait for the backup to complete.
Scheduling an Automatic Active Directory Backup
Taking manual Active Directory backups is not sustainable for day-to-day operations. The reliable way to protect domain controllers is to schedule backups at a regular interval, so that the data is protected without depending on someone remembering to run them.
The built-in scheduling feature of the Windows Server Backup console automates the backup process for Active Directory and backs up your data regularly without manual intervention.
Here’s how to schedule an automatic Active Directory backup:
- Open the Windows Server Backup console and click “Backup Schedule…” in the Actions pane.
- Choose “Custom” backup configuration and click Next.
- Click Add Items and select the items you want to back up, such as System State or Bare metal recovery. Click Next.
- In “Specify Backup Time”, choose the frequency and time of the backup. In this example, I’ll select “Once a day” at midnight (00:00). Click Next.
- Select the backup destination type and click Next. The options are:
  - Back up to a hard disk that is dedicated for backups (recommended): this option formats the disk so that it is used only for backups.
  - Back up to a volume: target a volume that is not dedicated to backups; existing data on the volume is kept.
  - Back up to a shared network folder: the UNC path of a shared folder. Only one backup version is kept here; each new backup overwrites the previous one.
In this example, we’ll back up to a volume.
- Add the backup volume and click Next.
- Review the backup settings and click Finish to save the backup schedule.
- The backup schedule is now created. Click Close.
That’s it! The daily backup is now scheduled.
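Both the one-off system state backup from the command line above and the scheduled backup just configured can be driven from the WindowsServerBackup PowerShell module. The script below is an added example, not the post’s own script, and it assumes E: is a separate, non-critical volume used as the backup target and that the scheduled run is once a day at midnight; the function name New-AdBackupPolicy is an invented helper.

```powershell
# Added example (not the post's own script): the PowerShell-module equivalent of
# the wbadmin system state backup and of the "Backup Schedule" wizard above.
# Assumptions: E: is a separate, non-critical volume used as the backup target,
# and the scheduled run is once a day at midnight.
Import-Module WindowsServerBackup

function New-AdBackupPolicy {
    param(
        [Parameter(Mandatory)][string]$TargetVolume,
        [switch]$BareMetal,       # also include every critical volume (GUI: "Bare metal recovery")
        [datetime[]]$Schedule     # e.g. '00:00'; leave empty to build a one-off policy
    )
    $policy = New-WBPolicy
    Add-WBSystemState -Policy $policy                    # AD database, SYSVOL, registry, boot files
    if ($BareMetal) { Add-WBBareMetalRecovery -Policy $policy }

    $target = New-WBBackupTarget -VolumePath $TargetVolume
    # Bound positionally on purpose: the comments on this post report -Policy
    # failing and -WBPolicy working, and the positional order (policy, target)
    # is the same either way.
    Add-WBBackupTarget $policy $target

    if ($Schedule) { Set-WBSchedule -Policy $policy -Schedule $Schedule | Out-Null }
    return $policy
}

# 1. One-off system state backup, equivalent to
#    wbadmin start backup -systemState -backuptarget:E:
$once = New-AdBackupPolicy -TargetVolume 'E:'
Start-WBBackup -Policy $once                     # runs synchronously and shows progress
$job = Get-WBJob -Previous 1                     # the job that just finished
if ($job.HResult -ne 0) {
    throw "System state backup failed: $($job.ErrorDescription)"
}
"Backup OK: started $($job.StartTime), finished $($job.EndTime)"

# 2. Scheduled daily bare metal + system state backup at midnight, equivalent
#    to the "Backup Schedule" wizard with "Back up to a volume".
$daily = New-AdBackupPolicy -TargetVolume 'E:' -BareMetal -Schedule '00:00'
Set-WBPolicy -Policy $daily -Force               # registers it as the machine's scheduled backup
Get-WBSummary | Select-Object NextBackupTime, LastSuccessfulBackupTime, NumberOfVersions
```

Set-WBPolicy replaces whatever scheduled policy the server already has, which is why the function builds a fresh policy each time rather than editing the existing one with Get-WBPolicy -Editable. After the first scheduled run, Get-WBSummary is the quickest way to confirm that LastSuccessfulBackupTime moved forward and that NumberOfVersions is growing.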
Other Active Directory Backup Options
As mentioned earlier, there are capable third-party backup solutions you can use. Most of them are not free, but that is the cost of protecting the data.
Additionally, most servers nowadays are virtualized on hypervisors such as Hyper-V and VMware. In such environments, another option is to back up the virtual machines that host your domain controllers. Use an application-consistent (VSS-aware) backup rather than a plain VM snapshot or checkpoint, and never roll a domain controller back to an older snapshot on a hypervisor that does not support VM-Generation ID: doing so causes USN rollback, after which the DC is quarantined from replication.
If your domain controllers run in Azure VMs, you can use Azure VM Backup.
There is also Azure Backup (through a Recovery Services vault) and Microsoft Azure Backup Server, which can back up the system state of an on-premises AD server to Azure.
Conclusion
In conclusion, backing up Active Directory is an essential task that every IT administrator should prioritize. Losing Active Directory data can have serious consequences, including extended downtime, security breaches, and compliance violations.
By following the steps outlined in this post, you can ensure that your Active Directory data is properly backed up and protected. Remember to test your backups regularly to confirm they restore correctly, and adjust the backup schedule as your environment changes.
With a reliable backup strategy, you can rest assured that your Active Directory data is protected and that your organization is prepared to handle any unexpected events.
2 comments
I think you might have a typo
It throws an error on the line –
Add-WBBackupTarget -Policy $policy -Target $WBtarget
but changing it to Add-WBBackupTarget -WBPolicy $policy -Target $WBtarget seems to fix it.
Thank you, Robert! Corrected it!