Administrators depend on Active Directory (AD) to authenticate users and computers in the Windows environment....
AD helps implement and enforce security through various procedures, such as invoking the installation of new software updates. As AD is the linchpin for most IT services, it's critical for the administrator to protect the AD deployment through a backup process -- and also ensure the backup can be restored quickly and reliably.
How should I back up Active Directory? What backup and restore option should I use?
The backup tool included in Windows Server protects data using various backup approaches, such as normal, copy, incremental, differential or daily backups. However, AD imposes specific backup requirements that demand a "normal" backup type.
Users need a carefully orchestrated Active Directory backup because AD is not a single file or folder, but a combination of data specific to the Active Directory server. This includes system startup (boot) files, system registry files, the Component Object Model class registration database, system volume (SYSVOL) data that covers group policy and scripts, as well as all of the components of the AD database. Taken together, these elements make up the "system state" of the AD domain controller.
Later versions of Windows Server, such as 2008 R2, allow backups of critical volumes, which will back up all volumes that contain system-state files. This includes the volumes with boot files, the Windows OS and registry, SYSVOL, the AD database or the AD log file. In addition to backing up the system state or critical volumes, administrators can also opt to perform a full server backup, which includes a complete image of all system content and may be handy when the server supports other enterprise services.
Administrators can choose from several alternatives for AD restorations. The most obvious choice is full restoration -- using the full server backup to perform a bare-metal restoration of the domain controller, or using the system-state backup to restore an earlier AD system state. Administrators can also determine whether the restoration should be nonauthoritative or authoritative. With a nonauthoritative restoration, the restored domain controller will automatically query and synchronize with other duplicate domain controllers to ensure that the restoration reflects the latest AD state represented by other domain controllers. With an authoritative restoration, the restored domain controller is deemed the latest version, so it would be the restored server that is replicated out to other domain controllers.
Restorations typically require the troubled server to be restarted in the Directory Service Restore Mode, which puts the server into a Windows safe mode. At this point, administrators can select the proper backup for authoritative or nonauthoritative restoration. Select the correct backup for restoration, because the backup media may contain numerous backups from multiple domain controllers. The actual restoration tools and processes can vary depending on the version of Windows Server and the nature of the problem leading to the restoration, so it's vital to review the specific procedures available for an Active Directory backup in your environment.
Versions of Windows Server from 2008 R2 and later also provide an Active Directory Recycle Bin, which preserves data objects and allows fast restoration for deleted data without the need to perform deliberate restores from backups.
Remove unwanted clutter from Active Directory with ADSI Edit
Create stronger Active Directory password policies
Prepare for Active Directory in the cloud
Dig Deeper on Microsoft Active Directory Backup and Restore
Related Q&A from Stephen J. Bigelow
Microsoft offers a free antimalware tool for client and server systems, but administrators need to tune the layers of protection to avoid problems. Continue Reading
Testing Exchange information rights management functionality can be tedious, but Microsoft offers a dedicated cmdlet for Exchange 2016 administrators... Continue Reading
Not every tool is right for the job of backing up data. Find out what limits System Center DPM 2016 protection and which alternatives cover what it ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.