Active Directory Backup Strategies and Tools (Best Practices)

Active Directory is a cornerstone of enterprise IT infrastructure, a robust LDAP directory that underpins critical services such as authentication and DNS. The seamless operation of these services is vital for business continuity, which makes the reliability of Active Directory a critical part of IT service delivery. To keep it running without interruption, organizations must establish comprehensive backup and disaster recovery strategies and select the appropriate tools.

This article delves into the critical components of Active Directory backup and recovery. From understanding what needs to be backed up to selecting the right tools and implementing testing strategies, we explore the essential aspects of safeguarding this crucial service.

Active Directory Backup Strategy

What to backup in Active Directory

The first step is to identify what should be backed up. If you have a single domain controller (which is not recommended), perform a full server backup, so that you can carry out a bare-metal recovery if needed.

With multiple domain controllers, consider the following:

  • Backing up the system state (critical system components such as the registry, the SYSVOL directory and the Active Directory database) is enough.
  • Backing up just one domain controller per physical site is enough, since all of them replicate with each other and hold the same information.
  • In a multi-domain environment, back up at least one domain controller from each domain in your forest.

For example, the diagram below shows an Active Directory infrastructure with 2 physical sites and 2 domains: the root domain domain.local and the child domain child.domain.local.

Here we back up three domain controllers: two from domain.local, since that domain spans two sites, and one from child.domain.local.

How often to Backup

This decision depends on your recovery point objective (RPO). If losing one day of changes written to the domain controller is acceptable, a daily backup works just fine. You also need to decide which backup types are required: how often to run full backups and incremental backups, and whether differential backups are needed. The most common approach is a weekly full backup with daily incremental backups.

Active Directory Backup Tools to Consider

Systems that replicate between multiple servers, such as Active Directory, generally do not support "time travel". This means that when a domain controller's virtual machine fails, you cannot simply restore it from a snapshot and put it back into production. Each domain controller has an Update Sequence Number (USN) that increases every time a new change is written to its database. Suppose you have several domain controllers, one of them fails, and you restore it from a plain snapshot: its USN is incorrect (outdated, equal to the USN value at the moment the snapshot was taken) and replication is broken (a more detailed example can be found here). Additionally, each object inside the AD database has its own version, which must also be taken into account during backup and restore operations. Therefore, only tools that perform a consistent restore should be used for backing up Active Directory. Fortunately, such tools are available, both built into Windows Server and from third-party vendors.

Take the following into consideration:

  • Required options: for example, if your corporate policies require full and incremental backups, select a tool that performs incremental backups of Active Directory.
  • Target backup storage: if you want to store backups on tape, you need to purchase a third-party solution, since the built-in Windows Server Backup does not support writing to tapes.
  • Restoration frequency: if you regularly restore deleted objects from Active Directory, choose a tool that allows restoration of individual objects without restoring the whole database. Many enterprise-level third-party backup systems allow restoring individual objects in a few clicks, for example this one and this one.
  • Budget: this should always be taken into consideration. If your company does not have funds for third-party tools, Windows Server Backup, built into the operating system, can cover the essential needs.
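The following script is an added example, not code from the original article: it shows how the built-in Windows Server Backup module can schedule the daily system state backup the article recommends for a domain controller, and adds bare-metal recovery when the script finds only one domain controller in the domain. It assumes the Windows-Server-Backup feature is installed, that E: is a dedicated backup volume, and that it runs elevated on the domain controller itself; the full/incremental rotation is left to the tool's own policy.

```powershell
# Added example (not from the original article): schedule a nightly system
# state backup of this domain controller with Windows Server Backup.
# Assumptions: Windows-Server-Backup feature installed, E: is a dedicated
# backup volume, script runs elevated on the DC.
Import-Module WindowsServerBackup
Import-Module ActiveDirectory

$policy = New-WBPolicy

# System state covers the registry, SYSVOL and the NTDS database, which is
# what a DC in a multi-DC environment needs.
Add-WBSystemState -Policy $policy

# With a single DC there is nothing to replicate from, so include bare-metal
# recovery as well, so the whole server can be rebuilt from this backup.
if (@(Get-ADDomainController -Filter *).Count -eq 1) {
    Add-WBBareMetalRecovery -Policy $policy
}

# Target: a local volume. Windows Server Backup cannot write to tape.
$target = New-WBBackupTarget -VolumePath 'E:'
Add-WBBackupTarget -Policy $policy -Target $target

# Run every night at 23:00, which matches a one-day recovery point objective.
Set-WBSchedule -Policy $policy -Schedule '23:00'

# Commit the policy; -AllowDeleteOldBackups lets it replace an earlier schedule.
Set-WBPolicy -Policy $policy -AllowDeleteOldBackups -Force

# Verification: what is scheduled, and when the last successful backup ran.
# A backup that never reports LastSuccessfulBackupTime is the silent failure
# the article warns about, so this is worth checking from monitoring too.
Get-WBPolicy | Select-Object -ExpandProperty Schedule
Get-WBSummary | Select-Object LastSuccessfulBackupTime, NextBackupTime, NumberOfVersions
```

Run it once on the DC you have chosen for each site (and each domain); re-running it replaces the existing schedule rather than adding a second one.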

Active Directory Restoration Process Testing

The golden rule of backups is to always test the restoration process. It is very common for a system engineer to assume that everything is fine with their backups just because the backup tool reports no errors. Then, when an actual disaster occurs, it turns out that the backup copy is inconsistent and restoration is impossible. To avoid such scenarios, it is crucial to test the restoration process at least annually. Good practices are:

  • To create a well-documented plan of the restoration process.
  • To have a test infrastructure where you perform the regular restoration tests.
  • To keep Directory Services Restore Mode (DSRM) admin passwords of all domain controllers safe and available.
  • To perform regular restoration tests using different scenarios.

If you do not know the DSRM admin password, reset it using the NTDSutil tool, as described here, and make sure it is stored in a safe place so that it is available in case of a disaster.
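As an added example (not code from the original article), the following script resets the DSRM administrator password on every domain controller in the domain with ntdsutil, so that the password recorded in the restoration plan is known to be valid on all of them. It assumes it runs elevated as a domain admin on a machine with RSAT installed; ntdsutil prompts for the new password twice per server, so it must be run interactively.

```powershell
# Added example (not from the original article): reset the DSRM administrator
# password on every DC. Assumes an elevated domain-admin session with RSAT.
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

foreach ($dc in $dcs) {
    Write-Host "Resetting DSRM password on $dc (ntdsutil will prompt twice)"
    # 'reset password on server <name>' targets that DC over the network;
    # 'null' instead of a name would mean the local server.
    ntdsutil 'set dsrm password' "reset password on server $dc" q q
}

# After the loop, store the new password in the team's password vault and
# note the vault entry (not the password) in the documented restoration plan.
# Verify it during the next restore drill by booting a test DC into DSRM
# and logging in as .\Administrator.
```

Using the same script during every annual restoration test keeps the password and the plan in step; a reset that is never exercised in DSRM is as untested as a backup that is never restored.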


Active Directory Restore Scenarios

Scenario 1. Failure of the only Domain Controller

If you have only one domain controller and it fails, consider the following:

  • Bare-metal recovery is required.
  • A service outage is expected; unlike in the other scenarios, restore the server as fast as possible to minimise the impact.
  • Data loss is expected: all changes made to AD objects since the last backup will be lost.

So make sure that backups are made frequently (to minimise data loss) and that there are not too many incremental backups between full backups (the more incremental backups there are, the longer the restoration process takes). The common approach is a backup every night with at least a weekly full backup.

This scenario should be avoided whenever possible, since Active Directory is built for high availability and designed for a multi-server infrastructure.

Scenario 2. Failure of Domain Controller in Multi-Server Infrastructure

If you have several domain controllers and one of them fails, there is no need to restore from backup. It is more efficient to remove the failed server and its metadata from the directory and deploy a new server with the same name and IP address. The high-level restoration process is as follows:

  1. Check whether the failed server owned any Flexible Single Master Operations (FSMO) roles. If it did, transfer the roles to another domain controller using the NTDSutil tool or PowerShell, as described in this article.
  2. Remove the failed server and clean up its metadata (the detailed process is described here).
  3. Deploy a new virtual machine with the same name and IP address. Keeping the name and address is recommended because domain controllers often also serve as DNS servers, and other machines may have the IP address of the failed domain controller configured as the primary DNS server on their network interface.
  4. Promote the new server to the domain controller role.
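The four steps above, as an added PowerShell example that is not code from the original article. Part A runs on a healthy domain controller (or an admin host with RSAT) and covers the FSMO check, the role seizure and the metadata cleanup; part B runs on the freshly built replacement server and covers the promotion and a replication check. All names are placeholders: DC01 is the failed domain controller, DC02 a healthy one, domain.local the domain and Site1 the site found in part A.

```powershell
# Added example (not from the original article). Placeholders: DC01 failed,
# DC02 healthy, domain.local, Site1. Part A: run on a healthy DC.
Import-Module ActiveDirectory

$failedDc  = 'DC01'
$healthyDc = 'DC02'
$domain    = 'domain.local'

# ---------- Part A: on a healthy DC ----------

# Step 1: which FSMO roles did the failed server hold?
$forest = Get-ADForest -Identity $domain
$dom    = Get-ADDomain -Identity $domain
$roles  = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $dom.PDCEmulator
    RIDMaster            = $dom.RIDMaster
    InfrastructureMaster = $dom.InfrastructureMaster
}
$held = @($roles.GetEnumerator() |
    Where-Object { $_.Value -like "$failedDc.*" } |
    ForEach-Object { $_.Key })

# The failed DC cannot hand its roles over, so -Force seizes them on DC02.
# Seize only when the old server will never be brought back online; a seized
# role holder that later reappears causes conflicting role owners.
if ($held.Count -gt 0) {
    Move-ADDirectoryServerOperationMasterRole -Identity $healthyDc `
        -OperationMasterRole $held -Force -Confirm:$false
}

# Step 2: metadata cleanup. Find the failed DC's server object under CN=Sites
# in the configuration partition and hand its DN to ntdsutil, which removes
# the NTDS Settings object, replication links and related metadata.
$configNc  = (Get-ADRootDSE -Server $healthyDc).configurationNamingContext
$serverObj = Get-ADObject -Server $healthyDc -SearchBase "CN=Sites,$configNc" `
    -LDAPFilter "(&(objectClass=server)(cn=$failedDc))"
$siteName  = ($serverObj.DistinguishedName -split ',')[2] -replace '^CN='
ntdsutil 'metadata cleanup' "remove selected server $($serverObj.DistinguishedName)" q q

# Verification: the stale NTDS Settings object must be gone before the
# replacement with the same name is promoted.
Get-ADObject -Server $healthyDc -ErrorAction SilentlyContinue `
    -Identity "CN=NTDS Settings,$($serverObj.DistinguishedName)"

# ---------- Part B: on the replacement server (same name and IP as DC01) ----------
# Step 3, building the VM, happens in the hypervisor. Step 4 promotes it.
$domain   = 'domain.local'
$siteName = 'Site1'   # the site name printed by part A

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName $domain -SiteName $siteName -InstallDns `
    -Credential (Get-Credential -UserName "$domain\Administrator" -Message 'Domain admin') `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'New DSRM password') `
    -Force

# After the reboot: confirm the new DC replicates with its partners.
repadmin /replsummary
Get-ADReplicationPartnerMetadata -Target 'DC01' |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult
```

The DSRM password entered during promotion is a new one for the new server, so record it in the restoration plan at this point rather than later.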

Scenario 3. Restoration of Object Hard deleted from Active Directory

If an object, such as a user, was accidentally removed from the directory, restore it from backup. If you use a third-party backup tool, follow the vendor's instructions. If you used Windows Server Backup to back up Active Directory, use the following high-level restoration process:

  1. Use the backup to create the recovery domain controller.
  2. Log in to the recovery domain controller using the DSRM admin password.
  3. Perform an authoritative restore of the object using the NTDSutil tool. AD replication treats the restored state of the object as the most recent one, and it is replicated to all other domain controllers.
  4. Use the Ldifde tool to restore the object's group memberships.
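The steps above as an added example, not code from the original article, for a hard-deleted user account. Step 1 runs from a healthy domain controller before the restore; steps 2 and 3 are typed on the recovery domain controller booted into DSRM; step 4 runs after it is back in normal mode. Placeholders: the user is jdoe in OU=Staff of domain.local, DC02 is a healthy domain controller, the backup version identifier is a constructed value (take the real one from `wbadmin get versions`), and the link-restore file name pattern `ar_*_links_*.ldf` is the naming that ntdsutil uses for the files it writes.

```powershell
# Added example (not from the original article). Placeholders: jdoe, OU=Staff,
# domain.local, DC02, backup version 01/15/2024-23:00 (constructed).
$dn        = 'CN=jdoe,OU=Staff,DC=domain,DC=local'
$healthyDc = 'DC02'

# Step 1 (from a healthy DC, before booting into DSRM): confirm the object is
# really gone and only a tombstone remains, so a backup restore is justified.
Import-Module ActiveDirectory
Get-ADObject -Server $healthyDc -LDAPFilter '(&(isDeleted=TRUE)(cn=jdoe*))' `
    -IncludeDeletedObjects -Properties whenChanged, lastKnownParent

# Step 2 (on the recovery DC in DSRM, logged in as .\Administrator with the
# DSRM password): restore the system state from the chosen backup version.
wbadmin get versions
wbadmin start systemstaterecovery -version:01/15/2024-23:00 -quiet

# Step 3 (still in DSRM; boot back into DSRM if the restore forces a restart):
# mark the object authoritative so its restored version wins over the deletion
# when replication resumes. ntdsutil writes the link-restore .ldf file(s) into
# the current directory, so run it from a folder you can find again.
New-Item -ItemType Directory -Path 'C:\ADRestore' -Force | Out-Null
Set-Location 'C:\ADRestore'
ntdsutil 'activate instance ntds' 'authoritative restore' "restore object $dn" q q

# Step 4 (after rebooting into normal mode and letting replication converge):
# re-apply the user's group memberships from the .ldf file(s) ntdsutil produced.
Get-ChildItem 'C:\ADRestore' -Filter 'ar_*_links_*.ldf' | ForEach-Object {
    ldifde -i -k -f $_.FullName
}

# Verification: the account exists again and its memberships are back.
Get-ADUser -Identity jdoe -Properties memberOf |
    Select-Object -ExpandProperty memberOf
```

The DN in this example deliberately contains no spaces; a DN such as `CN=John Doe,...` must be wrapped in its own double quotes inside the `restore object` command, as the ntdsutil prompt shows when the same sequence is typed interactively.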

A more detailed description can be found in this article.

Active Directory Backup Strategies and Tools (Best Practices) Conclusion

This article described the essential elements of Active Directory backup and recovery, highlighting the importance of a well-defined strategy.

Key takeaways include the need to identify what to back up, how often to back up, and which tools to use based on your organization’s unique requirements and budget. Testing strategies and best practices have also been emphasized to ensure a reliable recovery process.

We’ve examined scenarios ranging from the failure of a single domain controller to the restoration of hard-deleted objects in Active Directory. In the next article, we explore more complex disaster recovery scenarios, providing organizations with a comprehensive guide to safeguarding their Active Directory infrastructure. Stay tuned for the next instalment, where we dive deeper into protecting this critical component of enterprise IT.


Marat M

System administrator with 14 years of practical experience. Specializes in Microsoft products such as Exchange Server, Active Directory, Microsoft 365 and Azure.
