Grafvision - Fotolia

How to plan an Active Directory backup and restoration

I need to back up Active Directory, but I'm not sure which method to use. What are my options for a painless backup and restoration effort?

Administrators depend on Active Directory (AD) to authenticate users and computers in the Windows environment....

AD helps implement and enforce security through various procedures, such as invoking the installation of new software updates. As AD is the linchpin for most IT services, it's critical for the administrator to protect the AD deployment through a backup process -- and also ensure the backup can be restored quickly and reliably.

How should I back up Active Directory? What backup and restore option should I use?         

The backup tool included in Windows Server protects data using various backup approaches, such as normal, copy, incremental, differential or daily backups. However, AD imposes specific backup requirements that demand a "normal" backup type.

Users need a carefully orchestrated Active Directory backup because AD is not a single file or folder, but a combination of data specific to the Active Directory server. This includes system startup (boot) files, system registry files, the Component Object Model class registration database, system volume (SYSVOL) data that covers group policy and scripts, as well as all of the components of the AD database. Taken together, these elements make up the "system state" of the AD domain controller.

Later versions of Windows Server, such as 2008 R2, allow backups of critical volumes, which will back up all volumes that contain system-state files. This includes the volumes with boot files, the Windows OS and registry, SYSVOL, the AD database or the AD log file. In addition to backing up the system state or critical volumes, administrators can also opt to perform a full server backup, which includes a complete image of all system content and may be handy when the server supports other enterprise services.

Administrators can choose from several alternatives for AD restorations. The most obvious choice is full restoration -- using the full server backup to perform a bare-metal restoration of the domain controller, or using the system-state backup to restore an earlier AD system state. Administrators can also determine whether the restoration should be nonauthoritative or authoritative. With a nonauthoritative restoration, the restored domain controller will automatically query and synchronize with other duplicate domain controllers to ensure that the restoration reflects the latest AD state represented by other domain controllers. With an authoritative restoration, the restored domain controller is deemed the latest version, so it would be the restored server that is replicated out to other domain controllers.

Restorations typically require the troubled server to be restarted in the Directory Service Restore Mode, which puts the server into a Windows safe mode. At this point, administrators can select the proper backup for authoritative or nonauthoritative restoration. Select the correct backup for restoration, because the backup media may contain numerous backups from multiple domain controllers. The actual restoration tools and processes can vary depending on the version of Windows Server and the nature of the problem leading to the restoration, so it's vital to review the specific procedures available for an Active Directory backup in your environment.

Versions of Windows Server from 2008 R2 and later also provide an Active Directory Recycle Bin, which preserves data objects and allows fast restoration for deleted data without the need to perform deliberate restores from backups.

Next Steps

Remove unwanted clutter from Active Directory with ADSI Edit

Create stronger Active Directory password policies

Prepare for Active Directory in the cloud

Dig Deeper on Windows systems and network management