
Diamonds are forever, but not Active Directory backups

No matter how successful a backup turns out, it isn't permanent under Active Directory if you're using the Windows backup utility to back up a domain controller in a replicated environment.

Most systems administrators have the attitude that a backup is a backup. Once you've got a successful backup, you can restore from it months or even years later, if need be. In fact, that's the principle behind saving old backup copies as a reliability feature under backup schemes such as Grandfather-Father-Son or Tower of Hanoi.

But no matter how successful a backup is, it isn't permanent under Active Directory if you're using the Windows backup utility to back up a domain controller in a replicated environment. Under these circumstances, your backup won't work beyond the tombstone lifetime setting for the enterprise. The default value of the tombstone lifetime is 60 days. If the system state backup of Active Directory or the domain controller is older than that, you have a problem.

Apparently, Microsoft's reasoning is that because the system state can change so frequently, an Active Directory backup in a replicated environment will eventually be out of sync with the replicas. That may well be true, but that 60-day default value often presents storage administrators with a nasty surprise when they find their backup not working.

Of course, you should make backups more often than every 60 days. However, the tombstone lifetime setting "feature" can still come back to haunt you if you have to use an older backup (because the more recent ones have been corrupted). The same feature can also be a problem on computers that are built, and have software installed, at a staging site and are then shipped to another location to be used. If the process of getting the computer installed and running takes more than 60 days, you have a problem right from the very get-go.

If, however, every server in the domain has been destroyed, you can use an older backup to restore one server and then replicate that to the other servers in the domain. Microsoft discusses this situation, as well as how to set the default value of the tombstone lifetime for more than 60 days, in the online article "Useful shelf life of a system-state backup of Active Directory."
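As an added example (not from the article or from Microsoft), here is a PowerShell check that reads the forest's tombstoneLifetime from the configuration partition and reports whether a system state backup of a given date is still inside that window, plus a guarded helper for raising the value as the article mentions. It assumes the ActiveDirectory module and a reachable domain controller; the 75-day-old backup date at the end is constructed.

```powershell
# Added example: is a system state backup still within the tombstone lifetime?
# Assumes the ActiveDirectory module (RSAT) and a reachable domain controller.
Import-Module ActiveDirectory

function Get-DirectoryServicePath {
    # tombstoneLifetime lives on the Directory Service object in the configuration NC.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    return "CN=Directory Service,CN=Windows NT,CN=Services,$cfg"
}

function Get-TombstoneLifetimeDays {
    $ds = Get-ADObject -Identity (Get-DirectoryServicePath) -Properties tombstoneLifetime
    # When the attribute is not set, the directory behaves as if it were 60 days,
    # the default the article describes.
    if ($null -eq $ds.tombstoneLifetime) { return 60 }
    return [int]$ds.tombstoneLifetime
}

function Test-SystemStateBackupAge {
    param(
        [Parameter(Mandatory)][datetime]$BackupDate,
        [int]$TombstoneLifetimeDays = (Get-TombstoneLifetimeDays)
    )
    $ageDays = [math]::Floor(((Get-Date) - $BackupDate).TotalDays)
    [pscustomobject]@{
        BackupDate            = $BackupDate
        AgeDays               = $ageDays
        TombstoneLifetimeDays = $TombstoneLifetimeDays
        # A backup older than the tombstone lifetime is the case the article warns about.
        Restorable            = ($ageDays -lt $TombstoneLifetimeDays)
        DaysRemaining         = [math]::Max($TombstoneLifetimeDays - $ageDays, 0)
    }
}

function Set-TombstoneLifetimeDays {
    # Forest-wide change; run with -WhatIf first to see what would be written.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][int]$Days)
    $path = Get-DirectoryServicePath
    if ($PSCmdlet.ShouldProcess($path, "set tombstoneLifetime to $Days days")) {
        Set-ADObject -Identity $path -Replace @{ tombstoneLifetime = $Days }
    }
}

# Constructed sample: a backup taken 75 days ago. Under the 60-day default this
# reports Restorable = False with 0 days remaining.
Test-SystemStateBackupAge -BackupDate (Get-Date).AddDays(-75)
```

In practice take the backup date from your backup catalog rather than typing it in, and run the check as part of the routine that decides which old backup sets are worth keeping.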

Rick Cook has been writing about mass storage since the days when the term meant an 80 K floppy disk. The computers he learned on used ferrite cores and magnetic drums. For the last 20 years he has been a freelance writer specializing in issues related to storage and storage management.


This was last published in February 2006
