Microsoft Tech Community

Active Directory Back Up - The 3-2-1 Backup Rule


A full system backup is a good option when the setup is small and bare-metal hardware is used for the Windows system roles; in that case a hardware failure requires a full system backup and restore. I would advise going for a full backup periodically (weekly or bi-weekly) and a minimum daily backup set (System State) for each server, for Active Directory only, keeping the steps below in mind. If your setup at each location is small, I would recommend that you have at least 2 domain controllers on each site.

The 3-2-1 Backup Rule

The 3-2-1 backup rule is an easy-to-remember acronym for a common approach to keeping your data safe in almost any failure scenario. The rule is:

Keep at least three (3) copies of your data, and store two (2) backup copies on different storage media, with one (1) of them located offsite.

· At a minimum, back up two domain controllers in each domain (for large environments with multiple DCs in each site), one of which should be an operations master role holder (excluding the relative ID (RID) master, which should not be restored). Note that backup data from a domain controller can only be used to restore that domain controller; you cannot use a backup of one domain controller to restore another.

· You should back up your FSMO role holders and use that backup when restoring the whole AD environment after a disaster. However, in the case of a single DC failure, you should not restore that DC from backup; instead, simply install a fresh new server and promote it as a domain controller. This approach ensures AD database integrity and avoids any chance of conflicts that may occur because of the restoration.

· At least one domain controller in a domain must be backed up. Obviously, if you have just one domain controller in your infrastructure, you should back up that DC. If you have more than one domain controller, you should back up at least one of them, and it should be the domain controller that holds the FSMO (Flexible Single Master Operation) roles. If you have lost all domain controllers, you can recover the primary domain controller (holding the FSMO roles) and deploy a new secondary domain controller, replicating changes from the primary DC to the secondary DC.

· A backup that is older than the tombstone lifetime set in Active Directory is not a good backup. At a minimum, perform at least two backups within the tombstone lifetime. The default tombstone lifetime is 60 days. Active Directory incorporates the tombstone lifetime into the backup and restore process as a means of protecting itself from inconsistent data.
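As an added example (not part of the original post), the PowerShell function below checks a domain's DC backup inventory against the rules above: every FSMO holder has a current backup, at least two DCs are backed up, and no backup is older than half the tombstone lifetime (so two backups always fall inside it). The `$dcs` inventory is a constructed sample; in a live environment you would build it from `Get-ADDomain`/`Get-ADForest` (role holders), `Get-WBSummary` on each DC (last successful backup) and the `tombstoneLifetime` attribute of `CN=Directory Service,CN=Windows NT,CN=Services,<configuration NC>`.

```powershell
function Test-DcBackupCoverage {
    param(
        [Parameter(Mandatory)] [pscustomobject[]] $DomainControllers,
        [int] $TombstoneLifetimeDays = 60,   # effective value when the attribute is unset
        [datetime] $Now = (Get-Date)
    )
    # A backup no older than half the tombstone lifetime guarantees two backups inside it.
    $maxAgeDays = [math]::Floor($TombstoneLifetimeDays / 2)
    $findings   = [System.Collections.Generic.List[string]]::new()
    $freshNames = @()

    foreach ($dc in $DomainControllers) {
        if (-not $dc.LastSuccessfulBackup) {
            $findings.Add("$($dc.Name): no successful backup recorded")
            continue
        }
        $ageDays = [int]($Now - $dc.LastSuccessfulBackup).TotalDays
        if ($ageDays -gt $TombstoneLifetimeDays) {
            $findings.Add("$($dc.Name): backup is $ageDays days old, older than the tombstone lifetime; not usable")
        } elseif ($ageDays -gt $maxAgeDays) {
            $findings.Add("$($dc.Name): backup is $ageDays days old, exceeds the $($maxAgeDays)-day target")
        } else {
            $freshNames += $dc.Name
        }
    }
    # Every FSMO holder needs a current backup (the RID master is backed up but never restored).
    foreach ($dc in $DomainControllers) {
        if ($dc.FsmoRoles.Count -gt 0 -and $freshNames -notcontains $dc.Name) {
            $findings.Add("$($dc.Name): holds $($dc.FsmoRoles -join ', ') but has no current backup")
        }
    }
    if ($freshNames.Count -lt 2) {
        $findings.Add("only $($freshNames.Count) DC(s) with a current backup; the post recommends at least two per domain")
    }
    return $findings
}

# Constructed sample: three DCs, the PDC/RID holder with a stale backup and one DC never backed up.
$now = Get-Date '2024-08-14'
$dcs = @(
    [pscustomobject]@{ Name = 'DC01'; FsmoRoles = @('PDCEmulator', 'RIDMaster'); LastSuccessfulBackup = $now.AddDays(-45) }
    [pscustomobject]@{ Name = 'DC02'; FsmoRoles = @();                           LastSuccessfulBackup = $now.AddDays(-3) }
    [pscustomobject]@{ Name = 'DC03'; FsmoRoles = @('InfrastructureMaster');     LastSuccessfulBackup = $null }
)
Test-DcBackupCoverage -DomainControllers $dcs -TombstoneLifetimeDays 60 -Now $now
```

With the sample inventory the function reports DC01 as over the 30-day target and missing a current backup for its roles, DC03 as never backed up, and only one DC with a current backup.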
