How important is it to back up the Active Directory domain controller?
You will learn more here.
Many say that if you have multiple domain controllers distributed across different geographic locations, you needn't take a backup of Active Directory, because multiple DCs already provide domain fault tolerance.
The argument is that the probability of all DCs failing simultaneously tends to 0, and when one domain controller fails we can quickly deploy a new one on the same site and then remove the old one using ntdsutil.
But we have seen many situations where all the domain controllers failed. So it is necessary to take a backup of the AD.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our customers with Active Directory related queries.
In this context, we shall look into how to back up an Active Directory domain controller using Windows Server Backup and PowerShell.
Here is the command that we run to check when the current Active Directory domain controller was backed up:
repadmin /showbackup
Also, we can get the backup status for all the DCs in the domain. For that, we run the below command:
repadmin /showbackup *
Here, we will look into the process to take the backup of the Active Directory.
We make use of the built-in Windows Server Backup (WSB) tool. When we back up the Domain Controller using WSB, it creates a System State backup. The System State includes the Active Directory database (NTDS.DIT), Group Policy Objects, SYSVOL directory contents, the registry, the IIS metadata, the AD CS database, and other system files and resources. This backup is created through the Volume Shadow Copy Service (VSS).
We confirm the installation of Windows Server Backup by running the following command:
Get-WindowsFeature Windows-Server-Backup
If WSB is not installed, we add it with PowerShell by executing the command:
Add-WindowsFeature Windows-Server-Backup -IncludeAllSubFeature
Or else, we can also install it through "Server Manager -> Features".
Now let us take a backup of a domain controller using PowerShell. We store each backup copy in a separate directory so that we can keep multiple levels of AD backup copies, and we use the date of backup creation as the folder name:
Import-Module ServerManager
# Name each backup folder after the date it is created
[string]$date = Get-Date -Format 'yyyy-MM-dd'
$path = "\\mun-back1\backup\dc1\"
$TargetUNC = $path + $date
# Create the dated target folder if it does not exist yet
$TestTargetUNC = Test-Path -Path $TargetUNC
if (!($TestTargetUNC)) {
    New-Item -Path $TargetUNC -ItemType Directory
}
# System State backup over VSS; wbadmin is called directly instead of through Invoke-Expression
& wbadmin.exe START BACKUP "-backupTarget:$TargetUNC" -systemState -noverify -vssCopy -quiet
We run the PowerShell script. As a result, the wbadmin console appears. It will display the information of the backup process.
If the backup has been successful, you will see the following messages in the log:
The backup operation successfully completed.
The backup of volume (C:) completed successfully.
The backup of the system state successfully completed [01.01.2021 09:52].
We run the below command to check the time of the last DC backup. It must show the current date.
repadmin /showbackup
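The following check is an added example, not part of the original article: it walks the dated-folder layout the script above creates and reports whether the newest usable copy is recent, which dated folders are empty, and which copies fall outside a retention count. The function and parameter names (Get-DcBackupFolderStatus, -MaxAgeDays, -Keep, -Now) are hypothetical, and it assumes wbadmin writes a WindowsImageBackup folder inside each target it has backed up to.

```powershell
# Added example (not from the original article). Function and parameter
# names are hypothetical. Assumes each run targets <root>\yyyy-MM-dd and that
# wbadmin creates a WindowsImageBackup folder inside a target it has written to.
function Get-DcBackupFolderStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,   # e.g. \\mun-back1\backup\dc1
        [int]$MaxAgeDays = 1,                  # newest backup must be this recent
        [int]$Keep = 7,                        # number of dated copies to retain
        [datetime]$Now = (Get-Date)
    )
    $culture = [Globalization.CultureInfo]::InvariantCulture
    $sets = foreach ($dir in Get-ChildItem -LiteralPath $Path -Directory) {
        $stamp = [datetime]::MinValue
        # Ignore folders whose name is not a yyyy-MM-dd date.
        if (-not [datetime]::TryParseExact($dir.Name, 'yyyy-MM-dd', $culture,
                [Globalization.DateTimeStyles]::None, [ref]$stamp)) { continue }
        [pscustomobject]@{
            Date     = $stamp
            Path     = $dir.FullName
            # The script creates the folder before wbadmin runs, so a failed
            # run leaves a dated folder with no WindowsImageBackup inside.
            HasImage = Test-Path -LiteralPath (Join-Path $dir.FullName 'WindowsImageBackup')
        }
    }
    $good   = @($sets | Where-Object HasImage | Sort-Object Date -Descending)
    $newest = $good | Select-Object -First 1
    [pscustomobject]@{
        NewestBackup = if ($newest) { $newest.Date } else { $null }
        IsFresh      = [bool]($newest -and ($Now.Date - $newest.Date).TotalDays -le $MaxAgeDays)
        EmptyFolders = @($sets | Where-Object { -not $_.HasImage } | ForEach-Object Path)
        BeyondKeep   = @($good | Select-Object -Skip $Keep | ForEach-Object Path)
    }
}

# Constructed demo tree in a temp directory so the check runs offline.
$root = Join-Path ([IO.Path]::GetTempPath()) ("dcbk-" + [guid]::NewGuid())
foreach ($d in '2021-01-01', '2020-12-31', '2020-12-30') {
    New-Item -ItemType Directory -Path (Join-Path $root "$d\WindowsImageBackup") -Force | Out-Null
}
New-Item -ItemType Directory -Path (Join-Path $root '2021-01-02') | Out-Null  # failed run
New-Item -ItemType Directory -Path (Join-Path $root 'notes') | Out-Null       # not a date
Get-DcBackupFolderStatus -Path $root -Keep 2 -Now ([datetime]'2021-01-02') | Format-List
Remove-Item -LiteralPath $root -Recurse -Force
```

Run from a scheduled task against the share root used by the script, a result with IsFresh set to False or any entry in EmptyFolders means the most recent run did not leave a backup behind.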
This article will guide you on how to back up an Active Directory domain controller.
A System State backup generally includes a copy of any installed device drivers and related files, most of the Windows directory, the Windows Registry, the Active Directory configuration (where applicable) and system files under Windows File Protection.
In production it is best practice to have at least 2 domain controllers per domain. Once you factor in each child domain and the other domains, the number of DCs can scale up fast if you have two in each one.
To Configure Windows Backup Users on a Domain Controller:
1. Expand Active Directory "Users > Computers > Users".
2. Right-click the appropriate user who will be performing backups and click Properties.
3. On the Member Of tab, click Add to add the Backup Operators group to the User.
4. Click OK.