Set Up for Active Directory Backup

Contributor

 

I came across the following question regarding Backup Setup for Active Directory.

 

Creating a forest in every location and every forest has 2 DCs and has a 1way trust to Global AD which is in Azure.

 

For the current AD backup, based on their design and current back up. they don't have a 3rd party backup tool. they have a file storage for backup. backup is taken everyday and stored in online and offline storage locations. The backups are stored in the azure cloud as well.

 

So I'm planning to do the system state backup only then the backup path/location would be their file storage and also in VSS. Is this a good setup?

 

 

Active Directory (AD)  is one of the most critical component of any IT infrastructure. In a Windows-based environment, almost all the applications and tools are integrated with Active Directory for authentication, directory browsing, and single sign-on. Due to this heavy dependency, it is necessary to have a well-defined process for AD Backup. Restoring Active Directory Backup should be the LAST option for any Disaster Recovery.

 

As above question got 2 DC's in each forest so for a single Domain Controller failure, the recommended option is to demote the Domain Controller, wait for few hours to replicate the demotion, and then promote it back again. There is no need to restore Active Directory Backup to recover a single Domain Controller.

 

 

The most common and recommended approach for AD Backup is the System State Backup of Domain Controller.

 

A System State Backup of Domain Controller includes following:

  1. Sysvol Active Directory Database and related files.
  2. DNS Zones and records (Only for AD Integrated DNS) System Registry.
  3. Call Registration database of Component Service. System Start up files.

You can use a third party tool if required. However, the Windows Server Backup (WBADMIN) tool that comes bundled with all versions of Windows Servers is just fine for this purpose. Lastly, the recommendation is to take daily scheduled backup.

 

Preferred Backup Pattern in Active Directory & Azure AD

 

One preferred backup pattern is First Full Backup > 14 Incremental Backups > 1 Full backup > 14 Incremental Backups > 1 Full backup > 14 Incremental Backups...and so on.

3 Replies

so for a single Domain Controller failure, the recommended option is to demote the Domain Controller, wait for few hours to replicate the demotion, and then promote it back again. There is no need to restore Active Directory Backup to recover a single Domain Controller.

 


I would not recommend this method. If a single domain controller fails then the better option is to seize roles to a healthy one (if needed)

Transfer or seize FSMO roles - Windows Server | Microsoft Docs

 

then perform cleanup to remove remnants of failed one.

Clean up AD DS server metadata | Microsoft Docs

Step-By-Step: Manually Removing A Domain Controller Server (microsoft.com)

then rebuild failed one from clean install media. Use dcdiag / repadmin tools to verify health `correcting all errors found` before starting `any` operations. Then stand up the new one, patch it fully, license it, join existing domain, add active directory domain services, promote it also making it a GC (recommended), transfer FSMO roles over (optional), transfer pdc emulator role (optional), use dcdiag / repadmin tools to again verify health.

 

 

 

 

@aliat_IMANAMI  we have 40 plus DC’s in few countries. We have 5 Datacenter’s and each have 4 DC’s and others are in some site’s locations.

 

Do we need to backup 1 from each location?   

@AusSupport180 

 

The short, and almost guaranteed answer is: no.

 

It's not about geographical location but about whether you have different forests and/or domains.

 

A really loose guideline is that you want to back up (using Windows Server backup is sufficient for this) each forest and domain, but you only need to do this from one domain controller per forest or domain, not all of them.

 

So, if you have five forests, and within each forest you have just a single domain (meaning the forest and domain are essentially the same), then you only need to perform a backup using a single domain controller from each of the five forests (so, five in total.)

 

Common sense might suggest using a key FSMO role holder like the PDC emulator or avoiding using a remote branch office domain controller as the host to use for taking the backups, but the key message here is that you do not need to take backups from multiple domain controllers within the same domain.

 

For example, if you had a forest in Australia, and that forest had just a single domain, and within that domain there were five domain controllers, you would configure a backup on just one of those five domain controllers, not all of them - even if they're spread out from Sydney to Perth.

 

Cheers,

Lain