There are some tips that can help ensure good Active Directory (AD) backups for domain controllers.
First, administrators should always have a clear picture of which domain controllers to back up. At a minimum, the master and one other domain controller should be backed up in each domain. If there are more than two domain controllers in each domain, ensure each is backed up properly; Active Directory and other system state data is server-hardware dependent, so a backup made on one server cannot be used to restore another AD server.
Next, implement a regular backup schedule for all domain controllers. The typical schedule is to back up Active Directory at least twice within the "tombstone lifetime," which is how long deleted objects are kept in the AD database before being purged. The default tombstone lifetime in Windows Server 2008 and later is 90 days. This allows ample time for changes, such as deletions, to replicate across other domain controllers, so the average backup schedule is roughly a month. However, the actual backup schedule will probably be much higher depending on the tombstone lifetime as well as the complexity and frequency of change in the environment. It's common practice to make daily backups of unique data or critical volumes.
Backups should be marked clearly so administrators can readily distinguish the latest backups for each specific server. AD backup retention should also be a major consideration. Active Directory won't allow restoration of directory objects older than the tombstone lifetime; this is by design to prevent corruption in the AD database. But it also means that backups quickly become obsolete. Since each AD backup can be large, it doesn't take long for backups to take up significant amounts of storage. Organizations can ease storage commitments and costs by removing unnecessary AD backups.
Perform system state backups as a minimum. System state backups include AD content, boot files, system registry, Common Object Model database, and system volume data and other domain controller components. Full server backups can be implemented to perform bare-metal restorations of the domain controllers.
Never save AD backups to the same disk used to store AD components in production. Instead, save backups to a different disk which may be located in the same server, storage array or even an external disk attached to the backup server. The actual choice of backup storage depends on storage options supported by the backup software, but it's critical to avoid a potential single point of failure by saving to a different disk or other media. Although backup copies in off-site locations are always recommended, it's best practice to keep domain controller backups on-site to ensure availability and avoid potential restoration delays.
How to back up Active Directory
Manage Office 365 from Active Directory
How well do you know Active Directory?
Dig Deeper on Microsoft Active Directory Backup and Restore
Related Q&A from Stephen J. Bigelow
VSAN 6.6 and 6.6.1 boast new features, such as vSAN Configuration Assist, integration with vROps and a streamlined upgrade process to improve storage...continue reading
For enterprises that require powerful security and resiliency, vSAN 6.6 presents an array of features, such as encryption and stretched clusters, to ...continue reading
Certain versions of the Linux kernel offer more complete and uniform support for paravirtualization than others due to the open source nature of ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.