Set Up for Active Directory Backup

I came across the following question regarding Backup Setup for Active Directory.

“Creating a forest in every location, and every forest has 2 DCs and has a 1-way trust to Global AD, which is in Azure.

For the current AD backup, based on their design and current backup: they don't have a 3rd-party backup tool. They have file storage for backup. A backup is taken every day and stored in online and offline storage locations. The backups are stored in the Azure cloud as well.

So I'm planning to do the system state backup only; then the backup path/location would be their file storage and also in VSS. Is this a good setup?”


Active Directory (AD) is one of the most critical components of any IT infrastructure. In a Windows-based environment, almost all applications and tools are integrated with Active Directory for authentication, directory browsing, and single sign-on. Due to this heavy dependency, it is necessary to have a well-defined process for AD backup. Restoring an Active Directory backup should be the LAST option for any disaster recovery.


As the above question has 2 DCs in each forest, for a single Domain Controller failure the recommended option is to demote the Domain Controller, wait a few hours for the demotion to replicate, and then promote it back again. There is no need to restore an Active Directory backup to recover a single Domain Controller.


The most common and recommended approach for AD backup is the System State Backup of a Domain Controller.


A System State Backup of a Domain Controller includes the following:

  1. SYSVOL, the Active Directory database and related files.
  2. DNS zones and records (only for AD-integrated DNS).
  3. System Registry.
  4. Class Registration database of Component Services (COM+).
  5. System startup files.

You can use a third-party tool if required. However, the Windows Server Backup (WBADMIN) tool that comes bundled with all versions of Windows Server is just fine for this purpose. Lastly, the recommendation is to take a daily scheduled backup.


Preferred Backup Pattern in Active Directory & Azure AD

One preferred backup pattern is: First Full Backup > 14 Incremental Backups > 1 Full Backup > 14 Incremental Backups > 1 Full Backup > 14 Incremental Backups ... and so on.
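As an added example (not code from the original post), the following PowerShell script shows one way to implement the daily scheduled system state backup recommended above with the built-in wbadmin tool, and adds the two checks a practitioner would want around it: that the backup target is not readable by ordinary users (a system state backup contains NTDS.dit and therefore every password hash in the domain) and that a backup newer than the daily schedule actually exists. It assumes a dedicated local volume `E:` as the backup target, a task name `AD-SystemStateBackup`, a 02:00 run time, and that it is run in an elevated session on the domain controller; all of these are assumptions to adjust.

```powershell
# Added example: schedule a daily system state backup of a domain controller
# with wbadmin, then verify the target ACL and the age of the newest backup.
# Assumptions (not from the original post): target volume E:, task runs at
# 02:00 as SYSTEM, script runs elevated on the DC itself.

$BackupTarget = 'E:'
$TaskName     = 'AD-SystemStateBackup'

function Register-SystemStateBackupTask {
    param([string]$Target = $BackupTarget, [string]$At = '02:00')
    # 'wbadmin start systemstatebackup' captures NTDS.dit, SYSVOL, the registry,
    # the COM+ class registration database and boot files; -quiet suppresses prompts.
    $action    = New-ScheduledTaskAction -Execute 'wbadmin.exe' `
                    -Argument "start systemstatebackup -backupTarget:$Target -quiet"
    $trigger   = New-ScheduledTaskTrigger -Daily -At $At
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
                    -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Principal $principal -Force | Out-Null
}

function Test-BackupTargetAcl {
    # The backup holds every domain password hash, so only Administrators and
    # SYSTEM should be able to read it. Report any broad Allow entries.
    param([string]$Path = "$BackupTarget\")
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    $acl = Get-Acl -Path $Path
    $findings = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value
    })
    foreach ($f in $findings) {
        Write-Warning ("{0} has {1} on {2}; restrict this before relying on the backup" -f
            $f.IdentityReference, $f.FileSystemRights, $Path)
    }
    return ($findings.Count -eq 0)
}

function Test-RecentBackup {
    # 'wbadmin get versions' prints one "Backup time: <date>" line per version.
    # A daily schedule means the newest version should be well under 26 hours old.
    param([string]$Target = $BackupTarget, [int]$MaxAgeHours = 26)
    $lines = & wbadmin.exe get versions -backupTarget:$Target 2>&1
    $times = foreach ($l in $lines) {
        if ("$l" -match '^Backup time:\s*(.+)$') { [datetime]::Parse($Matches[1]) }
    }
    if (-not $times) { Write-Warning "No backup versions found on $Target"; return $false }
    $latest = ($times | Sort-Object -Descending)[0]
    $age = (Get-Date) - $latest
    if ($age.TotalHours -gt $MaxAgeHours) {
        Write-Warning ("Newest backup is {0:N1} hours old (limit {1} h)" -f $age.TotalHours, $MaxAgeHours)
        return $false
    }
    return $true
}

Register-SystemStateBackupTask
Test-BackupTargetAcl
Test-RecentBackup
```

The ACL and freshness checks are the part worth running on a schedule of their own: a backup that silently stopped, or that any domain user can copy, defeats the purpose of having one. The date parsing in `Test-RecentBackup` relies on the current culture matching the format wbadmin prints, so test it once on the target system.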

1 Reply

so for a single Domain Controller failure, the recommended option is to demote the Domain Controller, wait for few hours to replicate the demotion, and then promote it back again. There is no need to restore Active Directory Backup to recover a single Domain Controller.


I would not recommend this method. If a single domain controller fails, then the better option is to seize roles to a healthy one (if needed).

Transfer or seize FSMO roles - Windows Server | Microsoft Docs


Then perform cleanup to remove remnants of the failed one.

Clean up AD DS server metadata | Microsoft Docs

Step-By-Step: Manually Removing A Domain Controller Server (microsoft.com)

Then rebuild the failed one from clean install media. Use dcdiag / repadmin tools to verify health, `correcting all errors found`, before starting `any` operations. Then stand up the new one, patch it fully, license it, join the existing domain, add Active Directory Domain Services, promote it (also making it a GC, recommended), transfer FSMO roles over (optional), transfer the PDC emulator role (optional), and use dcdiag / repadmin tools to again verify health.
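The reply above describes a procedure rather than code; as an added example (not code from the reply or from the linked Microsoft Docs pages), the following PowerShell script gathers the evidence that procedure depends on before any seizure or cleanup is attempted: which FSMO roles the failed DC still holds, which replication links report failures (via `repadmin /showrepl /csv`), and whether `dcdiag` reports any errors. It assumes the RSAT `ActiveDirectory` module, `dcdiag.exe` and `repadmin.exe` are available on the machine it runs from, and uses the placeholder name `DC02` for the failed controller.

```powershell
# Added example: collect health evidence before seizing roles or cleaning up
# metadata for a failed domain controller. Assumes RSAT ActiveDirectory module,
# dcdiag.exe and repadmin.exe are present. 'DC02' is a placeholder name.

param([string]$FailedDc = 'DC02')

Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Forest-wide roles come from Get-ADForest, domain roles from Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Get-RolesHeldBy {
    # Any role still pointing at the failed DC must be seized to a healthy DC
    # before its metadata is removed; returns the role names, if any.
    param([string]$DcName)
    $holders = Get-FsmoHolders
    $holders.PSObject.Properties |
        Where-Object { $_.Value -eq $DcName -or $_.Value -like "$DcName.*" } |
        ForEach-Object { $_.Name }
}

function Get-ReplicationFailures {
    # repadmin /showrepl /csv returns one row per partner and naming context with
    # a 'Number of Failures' column; anything above zero needs attention first.
    param([string]$DcName = $env:COMPUTERNAME)
    $rows = & repadmin.exe /showrepl $DcName /csv | ConvertFrom-Csv
    $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Source DSA', 'Naming Context', 'Number of Failures', 'Last Failure Status'
}

function Test-DcHealth {
    # dcdiag /q prints only failures, so no output means every test passed.
    param([string]$DcName = $env:COMPUTERNAME)
    $out = @(& dcdiag.exe /s:$DcName /q 2>&1 | Where-Object { "$_".Trim() })
    $out | ForEach-Object { Write-Warning "$_" }
    return ($out.Count -eq 0)
}

$roles = @(Get-RolesHeldBy -DcName $FailedDc)
if ($roles.Count -gt 0) {
    Write-Warning "$FailedDc still holds: $($roles -join ', '); seize these to a healthy DC first"
}
Get-ReplicationFailures | Format-Table -AutoSize
Test-DcHealth
```

Run it from a healthy DC (or an admin workstation) rather than the failed one. `Test-DcHealth` returns `$true` only when dcdiag is silent, which is the "correcting all errors found before starting any operations" gate the reply insists on; rerun the same script after the rebuilt DC is promoted to confirm replication is clean again.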