In this article, we will look at how to back up an Active Directory domain controller running Windows Server 2016. This backup allows you to restore both individual AD objects and the entire AD domain in case of problems.
Although Active Directory is designed with high redundancy (if you have deployed several DCs in your company), an AD administrator still needs to develop and implement a clear Active Directory backup policy. At a minimum, back up the DCs holding FSMO roles and one DC per site. The specific recommendations for the backup strategy depend heavily on your domain architecture and network structure.
Windows Server 2016 has a built-in Windows Server Backup component that allows you to back up Active Directory.
Using Windows Server Backup to Backup Active Directory
Open the Server Manager on your DC running Windows Server 2016 and select Add Roles and Features. Then click Next several times and set the Windows Server Backup checkbox on the Select features step.
Alternatively, you can install the WSB feature on Windows Server with this PowerShell command:
Install-WindowsFeature -Name Windows-Server-Backup -IncludeAllSubFeature -IncludeManagementTools
Wait for the installation of Windows Server Backup to complete and click Close.
Now in the Server Manager select Tools > Windows Server Backup.
Right click Local Backup item in the left pane and select Backup Schedule.
On the Select Backup Configuration step select Custom.
On the Select Items for Backup stage press Add Item and select the System State. This is enough to restore an Active Directory domain controller in failure cases.
The System State includes:
- Active Directory database;
- The Sysvol folder (with GPO objects);
- Integrated DNS zones and records;
- Certificate Authority service database;
- System boot files;
- System registry;
- Component Services database.
With this selection you can restore the AD DS services on the same server (OS recovery from a system state backup onto different hardware is not supported). If you plan to restore the domain controller on another server, you also need to select the Bare metal recovery option.
Set a backup schedule. For example, I want to back up AD daily at 12:00 AM.
You can back up your DC to a dedicated backup volume or to a shared network folder. In this example a dedicated volume is used: select it as the backup Destination Target.
Press Finish to create a backup task.
You can find the created backup task in the Task Scheduler. Browse to Task Scheduler Library > Microsoft > Windows > Backup and find the task named Microsoft-Windows-WindowsBackup. This task runs under the NT AUTHORITY\SYSTEM account. If you want to create a DC backup immediately, open the task properties, go to the Settings tab and check the box "Allow task to be run on demand". Save the changes by pressing OK. Then right-click the task and select Run (or wait for the scheduled task to start).
After the backup process completes, a directory named WindowsImageBackup appears on the backup volume (drive E: in this example). Pay attention to the structure of the WindowsImageBackup directory. It contains a directory with the name of the domain controller, which in turn contains a folder named after the backup creation time (for example, E:\WindowsImageBackup\dc01\Backup 2020-01-17 180557).
Inside this directory you will find a vhdx file. This is a virtual hard disk image containing the backup Windows image of your domain controller. You can attach it manually through Disk Management and access the backed-up files.
How to Backup AD using Wbadmin and PowerShell?
You can also back up DCs using the wbadmin console utility. For example, to back up the system state of the running Windows Server and save it to a separate disk, run the command:
wbadmin start systemstatebackup -backuptarget:e: -quiet
This example overwrites the contents of the WindowsImageBackup directory on the target drive.
The list of available backup copies on the disk can be displayed as follows:
wbadmin get versions
To delete all old backup copies except the last, run the command:
wbadmin delete backup -keepVersions:1
You can also use the WindowsServerBackup PowerShell module to back up Active Directory on a domain controller. The following PowerShell script backs up the server's System State to the specified drive:
# Create an empty backup policy and add the System State to it
$WBpolicy = New-WBPolicy
Add-WBSystemState -Policy $WBpolicy
# Use volume E: as the backup destination
$WBtarget = New-WBBackupTarget -VolumePath "E:"
Add-WBBackupTarget -Policy $WBpolicy -Target $WBtarget
# Run the backup once, immediately (does not create a schedule)
Start-WBBackup -Policy $WBpolicy
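As an added example (not code from the original article), the following PowerShell script builds the same daily System State policy that the GUI steps above produce and then checks that backups are actually landing, which is the check a DC administrator wants before relying on the backup. The function names, the E: volume and the 26-hour freshness threshold are assumptions made here.

```powershell
# Added example, not from the original article. Assumes the WindowsServerBackup
# module is installed (see Install-WindowsFeature above) and E: is the backup volume.
Import-Module WindowsServerBackup

function New-DcSystemStatePolicy {
    param(
        [string]$TargetVolume = "E:",     # assumed backup volume
        [string]$DailyAt      = "00:00",  # 12:00 AM, as in the article
        [switch]$BareMetal                # add BMR when restoring to other hardware
    )
    $policy = New-WBPolicy
    Add-WBSystemState -Policy $policy | Out-Null       # AD database, SYSVOL, registry, ...
    if ($BareMetal) { Add-WBBareMetalRecovery -Policy $policy | Out-Null }
    $target = New-WBBackupTarget -VolumePath $TargetVolume
    Add-WBBackupTarget -Policy $policy -Target $target | Out-Null
    Set-WBSchedule -Policy $policy -Schedule ([datetime]$DailyAt) | Out-Null
    # Register the policy; this creates the Microsoft-Windows-WindowsBackup scheduled task
    Set-WBPolicy -Policy $policy -Force
    return $policy
}

function Test-DcBackupHealth {
    param([int]$MaxAgeHours = 26)   # one daily run plus some slack (assumed threshold)
    $summary  = Get-WBSummary
    $problems = @()
    if (-not $summary.LastSuccessfulBackupTime) {
        $problems += "no successful backup recorded"
    } elseif (((Get-Date) - $summary.LastSuccessfulBackupTime) -gt (New-TimeSpan -Hours $MaxAgeHours)) {
        $problems += "last successful backup is older than $MaxAgeHours h ($($summary.LastSuccessfulBackupTime))"
    }
    if ($summary.LastBackupResultHR -ne 0) {
        $problems += ("last run failed, HRESULT 0x{0:X8}: {1}" -f $summary.LastBackupResultHR, $summary.DetailedMessage)
    }
    # RecoverableItems lists what each backup set can restore (e.g. "Volumes, SystemState")
    $sets = @(Get-WBBackupSet | Where-Object { $_.RecoverableItems -match "SystemState" })
    if ($sets.Count -eq 0) { $problems += "no backup set contains a System State" }
    [pscustomobject]@{
        Healthy             = ($problems.Count -eq 0)
        LastSuccessful      = $summary.LastSuccessfulBackupTime
        SystemStateVersions = $sets.Count
        Problems            = $problems
    }
}

New-DcSystemStatePolicy -TargetVolume "E:" -DailyAt "00:00" | Out-Null
Test-DcBackupHealth
```

Run Test-DcBackupHealth from a monitoring job after the scheduled run time; a result with Healthy = False tells you the DC has no usable System State backup and why.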
To restore AD in the event of a disaster, you will need the System State backup in the root of a local drive on the DC. When restoring AD, you need to boot the server with the AD DS role into Directory Services Restore Mode (DSRM).