JumalaSika ltd - Fotolia

What are the guidelines for a better Active Directory backup?

Administrators should have a regular Active Directory backup schedule and be sure to remove outdated backups to avoid storage issues.

There are some tips that can help ensure good Active Directory (AD) backups for domain controllers.

First, administrators should always have a clear picture of which domain controllers to back up. At a minimum, the master and one other domain controller should be backed up in each domain. If there are more than two domain controllers in each domain, ensure each is backed up properly; Active Directory and other system state data is server-hardware dependent, so a backup made on one server cannot be used to restore another AD server.

Next, implement a regular backup schedule for all domain controllers. The typical schedule is to back up Active Directory at least twice within the "tombstone lifetime," which is how long deleted objects are kept in the AD database before being purged. The default tombstone lifetime in Windows Server 2008 and later is 90 days. This allows ample time for changes, such as deletions, to replicate across other domain controllers, so the average backup schedule is roughly a month. However, the actual backup schedule will probably be much higher depending on the tombstone lifetime as well as the complexity and frequency of change in the environment. It's common practice to make daily backups of unique data or critical volumes.

Backups should be marked clearly so administrators can readily distinguish the latest backups for each specific server. AD backup retention should also be a major consideration. Active Directory won't allow restoration of directory objects older than the tombstone lifetime; this is by design to prevent corruption in the AD database. But it also means that backups quickly become obsolete. Since each AD backup can be large, it doesn't take long for backups to take up significant amounts of storage. Organizations can ease storage commitments and costs by removing unnecessary AD backups.

Perform system state backups as a minimum. System state backups include AD content, boot files, system registry, Common Object Model database, and system volume data and other domain controller components. Full server backups can be implemented to perform bare-metal restorations of the domain controllers.

Never save AD backups to the same disk used to store AD components in production. Instead, save backups to a different disk which may be located in the same server, storage array or even an external disk attached to the backup server. The actual choice of backup storage depends on storage options supported by the backup software, but it's critical to avoid a potential single point of failure by saving to a different disk or other media. Although backup copies in off-site locations are always recommended, it's best practice to keep domain controller backups on-site to ensure availability and avoid potential restoration delays.

Next Steps

How to back up Active Directory

Manage Office 365 from Active Directory

How well do you know Active Directory?

Dig Deeper on Windows systems and network management