Active Directory Backup Guide

Active Directory (AD) is a Microsoft proprietary directory service developed for Windows domain networks. It was first introduced in Windows Server 2000 for centralized domain management.

It is now included in all subsequent Windows Server operating systems, enabling network administrators to create and manage domains, users, objects, privileges, and access within a network.

AD is great at managing traditional on-premises Microsoft infrastructure but not cloud environments. Microsoft cloud infrastructure uses Azure Active Directory, which serves the same purposes as its on-premises counterpart. Active Directory and Azure Active Directory are distinct but can work together to some degree if your organization has a hybrid deployment (on-premises and cloud).

The AD layout follows a tiered structure made up of domains, trees, and forests. A domain is a group of objects (such as users or devices) sharing the same AD database. A tree is a collection of domains, and a forest is a collection of trees. The main Active Directory service is Active Directory Domain Services (AD DS), which is part of the Windows Server operating system. The servers that run AD DS are called Domain Controllers (DCs). Some organizations have multiple DCs, and each one has a copy of the directory for the entire domain. To ensure that the DCs stay up to date, changes made to the directory on one DC such as change of password are also replicated to the other DCs.

The Active Directory database (directory) has a hierarchical tree-like structure and contains information about the AD objects in the domain. Common types of AD objects include users, computers, applications, printers, and shared folders. The Ntds.dit file is used to store the AD database. The database is divided into several sections that contain different types of information—a schema partition (which determines the AD database design), configuration partition (information about AD structure), and domain names context (users, groups, printer objects). Active Directory is tightly integrated with Windows protected system files, System Registry of a domain controller, Sysvol directory, COM+ Class Registration Database, and cluster service information. When planning for a backup strategy, it is important to consider such integration, especially because of the immediate impact it has on the AD.

Do you need to back up the active directory?

Active Directory is one of the most important components in any Windows network. Having no backup strategy whatsoever could put the entire organization at risk. Its best practice is to have multiple active directory domain controllers with fail-over functionalities so that when one fails, you would still be able to recover even without a backup. However, having multiple domain controllers is not enough justification to not do a backup. You should still be doing a backup of the active directory whether you have multiple domain controllers or not. Multiple domain controllers can fail at once, accidental or deliberate deletion of all the accounts or critical organizational units (OU) can occur, entire database corruption can occur, viruses, and ransomware or some other disaster could wipe out all domain controllers. In such a situation, you would need to restore it from a backup. This is why you need to backup.

You probably don’t need to back up every single domain controller, to get a good backup of the AD. You only really should have to back up one of the domain controllers. If your domain controller crashes, your network and by extension, business activities come to a halt. Although active directory services are designed with high redundancy (if you deployed several DCs in your network). It’s therefore important to develop and implement a clear active directory backup policy. If you have multiple DCs running, you need to back up at least one of them.  The ideal DC to backup should be the one running the Flexible Single Master Operation (FSMO ) role. With a good backup and recovery strategy implementation, your organization can easily recover after your domain controllers crash.

If the Active Directory Domain Controller (AD DC) becomes unavailable for whatever reason, then users cannot log in and systems cannot function properly, which can cause disruption to business activities. That’s why backing up your Active Directory is important. In this article, we will show you how to backup an Active Directory domain controller running on Windows Server 2019. Before we begin we will take a look at a concept known as System State backup and how it affects Active Directory data.

System State backup

Microsoft Windows Server offers the possibility to perform a ‘Full’ backup or a ‘System State’ backup. A Full backup makes a copy of the system drives of a physical or a virtual machine, including applications, operating systems, and even the System State. This backup can be used for bare metal recovery—this allows you to easily reinstall the operating system and use the backup to recover.

System State backup on the other hand creates a backup file for critical system-related components. This backup file can be used to recover critical system components in case of a crash. Active Directory is backed up as part of the System State on a domain controller whenever you perform a backup using Windows Server Backup, Wbadmin.exe, or PowerShell. For the purpose of this guide, we will be using System State backup because it allows us to backup only the components needed to restore Active Directory. However note that Microsoft does not support restoring a System State backup from one server to another server of a different model, or hardware configuration. The System State backup is best suited for recovering Active Directory only on the same server.

As described later in this guide, Windows Server Backup must be installed through features in Server Manager before you can use it to back up or recover your server. The type of backup you select for your domain controllers will depend on the frequency of changes to Active Directory and the data or applications that might be installed on the domain controller. The bare minimum you need to back up to protect essential Active Directory data on a domain controller is the System State. The System State includes the following list plus some additional items depending on the roles that are installed:

  • Domain controller: Active Directory DC database files (NTDS.DIT), boot files & system protected files, COM+ class registration database, registry, system volume (SYSVOL)
  • Domain member: Boot files, COM+ class registration database, registry
  • A machine running cluster services: Additionally backs up cluster server metadata
  • A machine running certificate services: Additionally backs up certificate data

In addition, System State backups will back up Active Directory-integrated DNS zones but will not back up file-based DNS zones. File-based DNS zones must be backed up as part of a volume-level backup, such as a critical volume backup or full server backup. All the above backup types can be run manually on-demand, or they can be scheduled using Windows Server Backup. You can use either Windows Server backup or Wbadmin.exe to perform a System State backup of a domain controller to back up Active Directory. Microsoft recommends using either a dedicated internal disk or an external removable disk such as a USB hard disk to perform the backups.

Backup operators do not have the privileges required to schedule backups. You must have administrative rights to be able to schedule a System State backup or restore. A System State backup is particularly important for disaster recovery purposes as it eliminates the need to reconfigure Windows back to its original state before the system failure occurred. It is important that you always have a recent backup of your System State. They may require you to perform regular System State backups to increase your level of protection. We recommended that you perform System State backups before and after any major change is made to your server.

Before going ahead with the backup process, you need to take note of the following initial steps:

  1. It is important that you have the necessary amount of storage space to accommodate the backup you are about to perform.
  2. If you’re going to be backing up while the applications that produce the data are still running (which is usually the case), you need to configure the Volume Shadow Copy Service, also known as Volume Snapshot Service (VSS) on the drive for the backup to be successful. This service helps to create backup copies or snapshots of computer files or volumes, even when they are in use.
  3. You need to install the Windows Server Backup feature if you haven’t done this yet. Windows Server 2019 just like previous editions, comes with the Windows Server Backup feature that helps to perform Active Directory database backups and restores. Now we will go through the above steps in detail.

Configure the Volume Shadow Copy Service (VSS)

It is important to ensure that the AD database is backed up in a way that preserves database consistency. One way to preserve consistency is to back up the AD database when the server is in a powered-off state. However, backing up the Active Directory server in a powered-off state may not be a good idea if the server is operating in 24/7 mode.

For this reason, Microsoft recommends the use of Volume Shadow Copy Service (VSS) to back up a server running Active Directory. VSS is a technology included in Microsoft Windows that can create backup copies or snapshots of computer files or volumes, even when they are in use. VSS writers create a snapshot that freezes the System State until the backup is complete to prevent modifying active files used by Active Directory during a backup process. In this way, it is possible to back up a running server without affecting its performance. For this guide, we are going to show you how to change the Shadow Copy size limit configuration on the volume where we are going to store the AD database.

1. Press a combination of Win+X on your keyboard to open the Disk Manager. Select the partition where the server is installed, then right-click on it and click on Properties. right-click on it and click on Properties

2. Go to the Shadow Copies tab and then click on Enable as shown on the image below.

Shadow Copies tab

3. In the next window, click Yes to confirm that you want to enable shadow copies as shown below.

confirm that you want to enable shadow copies

4. After confirmation, you’ll see a restore point created in the selected partition. Click on Settings to continue.

restore point created in the selected partition

5. In the Settings screen shown below, under Maximum size, select No limit. Once completed click the OK button, and that does it for this section—configure the Volume Shadow Copy Service (VSS).

under Maximum size, select No limit

Install the Windows Server backup feature

Windows Server Backup is a utility provided by Microsoft with Windows Server 2008 and later editions. It replaced the NTBackup utility which was built into the Windows Server 2003. Windows Server Backup is a feature that is installable in Windows Server 2019 just like in other previous editions. So if you haven’t used the backup feature yet, you will likely have to install it first. The way to install this feature is through the Server Manager.

1. Open the Server Manager console as shown in the image below.

Server Manager console

2. Go to Local Server >> Manage tab >> and click on the Add Roles and Features as seen in the image below. This will open the Add Roles and Features Wizard.

Go to Local Server

3, In the Select installation type screen, select the Role-based or feature-based installation option and click Next. Select installation type

4. In the next screen called Select destination server, you will be required to select the server on which you want to install roles and features. Windows will automatically display the server pool. In this case, we are going to select the local server, which is WD2K19-DC01-mylablocal.

Select destination server

5. In the Select server roles screen, you are required to select the roles to install on the server. Since we are installing a feature, you can ignore this section and continue to the next screen. Click Next to continue.

Select server roles

6. In the Select features screen below, scroll down to the Windows Server Backup feature, and select it as seen in the image below. Click Next to continue.

Select features

7. In the Confirm installation selections screen, make sure that the Windows Server Backup feature is on the screen and click on the Install button to begin the installation.

Confirm installation selections

The Windows Server Backup feature will begin to install on your local server. Once the installation is completed, click the Close button to close the console.

click the Close button to close the console

Backup the Active Directory database

1. Now go to the Server Manager and click on Tools >> Windows Server Backup, in order to open it. You can also open this console by running the command wbadmin.msc on the Windows Run (Ctrl+R). Once it opens up, you’ll be able to see the scheduled and last backup status (unless this is the first time you’re doing this.)

go to the Server Manager

2. Once the server backup opens, click on Backup Once to initiate a manual AD database backup. Although you can also create automatic scheduled backups by clicking Backup schedule, for this guide we are going to create a manual backup.

click on Backup Once to initiate a manual AD database backup

3. Under Backup Options select Different options and click on the Next button This option is used where there is no scheduled backup.

select Different options

4. In the Select Backup Configuration screen, you have two options:

    • Full Server backs up all server data, applications, and System State
    • Custom lets you choose what you want to back up.

Since we just want to back up the active directory, we choose the second option. So select Custom and click Next.

Select Backup Configuration - custom

5. In the Select Items for Backup screen, specify the items that you want to include in the backup. In this backup, we are going to choose the System State Backup item. To do this, click on the Add items button >> select System State option >> and click on the Ok button to complete the process.

Select Items for Backup

Select Items for Backup - system state

6. Now we are going to enable the Volume Shadow Copy Service for this backup item. Doing this prevents AD data from being modified while the backup is in progress. To enable VSS, click on Advanced Settings >> VSS Settings >> Select VSS Full Backup, and click Ok. The VSS Full Backup is the recommended option if it is your first backup, and you are not using any third-party backup tool. This option allows you to create a backup of all the files. It is also the preferred method for incremental backups, as it does not affect the sequence of backup. enable VSS enable VSS full backup

7. In the next screen, you would need to specify the backup destination type — Local drives or Remote shared folder. For the purpose of this demonstration, we are using a local hard drive to store the backup. So choose Local drives and click Next.

specify the backup destination type

8. In the Select Backup Destination screen you can choose the actual partition where you want to store the backup. Once you are done, click Next to proceed to the next screen.

Select Backup Destination

9. The Confirmation screen lets you double-check that all backup parameters are correctly configured. Once you are good to go, click the Backup button. The backup should take some time depending on the size of the domain controller server. Once the backup is successfully completed, you can close the Backup Wizard.

The Confirmation screen

If you closed the Backup Wizard without waiting for the last message status, the backup will continue to run in the background. You can also confirm the status and completion results of the backup from the webadmin console (or Windows Server Backup Feature). The console will display a message with information from this backup (and others).

Active Directory backup automation

There are a number of tools available to manage backup and restore functions for applications or entire disks and these can help you save time with backing up Active Directory. Such systems can also be used to replicate and migrate the objects in a domain controller.

ManageEngine AD360 (FREE TRIAL)

An example of an Active Directory backup system can be found in ManageEngine AD360. ManageEngine AD360

The Standard edition of this bundle includes a tool called RecoveryManager Plus. The advantage of this tool is that it is integrated into a package of tools to manage Active Directory, so you get all of your AD management systems in one console.

ManageEngine RecoveryManager Plus Backup Settings

AD360 is able to manage both cloud and on-premises implementations of Active Directory. This is a software bundle and you install it on Windows Server. It is also available from the marketplace of AWS and Azure – these are not SaaS platforms but software packages that you run in your cloud account space.

Why do we recommend it?

ManageEngine AD360 is a collection of many Active Directory-related tools offered by ManageEngine – there are seven in total. Among this list is ADAudit Plus package, which provides controls that prevent unauthorized changes to AD objects. Another unit, ADManager Plus lets you assess, improve, and monitor the efficiency and security of user accounts. Recovery Manager Plus is another component and this manages the backup of Active Directory instances.

Who is it recommended for?

ManageEngine AD360 is a comprehensive package of everything you will need to manage and control Active Directory. The package is very large and you might not need all of the components. If you are only interested in the backup and recovery services of AD360, you might prefer to just buy RecoveryManager Plus.

Pros:

  • Dramatically improves the usability of Active Directory, making routine tasks easier to perform and automate
  • Can monitor changes across both local and cloud-based AD environments
  • Supports SSO and MFA, great for securing your access management with multiple layers of authentication
  • Extensive 60-day trial period

Cons:

  • Can take time to fully explore the entire platform

The best way to understand the Active Directory backup capabilities of AD360 is to access it on a 30-day free trial.

ManageEngine 360 Start 30-day FREE Trial

Active Directory backup FAQs

Is it necessary to backup Active Directory?

It is very important to backup Active Directory. The system won’t back itself up without your intervention. However, there is a native backup system built into Windows Server, which makes the process of saving a copy of Active Directory easy.

What are the different types of backup in Active Directory?

You can run a full backup to take a copy of the entire Active Directory database and then repeat this process periodically on a schedule to create rollback points. This is the system that is available in the native backup service in Windows Server, which is called Volume Shadow Copy Service (VSS). It is more efficient to take periodical full backups and then perform incremental or differential backups more frequently. These just extract the objects that have changed since the last backup and so are much quicker and take up less space. However, you need a third-party tool to implement these strategies because they are not available in Windows Server VSS.

How does Windows Server backup work?

Windows Server Backup uses a method called Volume Shadow Copy Service (VSS). this gives you the option to backup the operating system and all of the contents of the disk This is called a Bare Metal Backup and it will copy everything on the computer, not just Active Directory. The other option is called System State Backup. This copies important system files as well as the items you select. This is the option to choose in order to back up Active Directory.

Conclusion

We have explained in detail how to back up the Active Directory using the Windows Server backup. We used the manual “Backup Once” approach, but of course, you can also configure a “Backup Schedule,” to run periodic AD backup tasks.

As already mentioned, the Windows Server Backup feature is an easy to use free tool that is bundled in most Windows Server OS, and it can work with VSS to perform Full or System State backups. However, there are also lots of third party Active Directory backup tools out there that you can use. In fact, almost every enterprise-level backup service should be capable of backing up Active Directory with little to no difficulty. The difference between all those tools lies mostly in the way some of them provide more capabilities, especially when it comes to backing up and restoring the Active Directory.