How to Backup and Restore Active Directory

Why should backup and restoration be performed in Active Directory?

Active Directory (AD) plays an important role in managing the network resources of an organization. It is also responsible for other indispensable processes such as authentication and security. Hence, all the data that is stored has to be backed up on a regular basis, to prevent data from getting lost in case of unforeseeable disasters. In the event of data loss, native tools such as Windows Server Backup can be used to recover any mission-critical data from the backups.

Types of backup in Active Directory

The different types of backup that can be performed in AD are full server backup, system state backup and incremental backup.
In a full server backup, all the data, including the operating system, server data, applications and system state, is backed up in a single operation. It is considered to be one of the safest and most reliable methods.

In an incremental backup, only the data that has been changed or added since the last backup is copied. This involves much less data than the other types of backup. In a system state backup, all the system state information, which includes the OS components necessary for the proper functioning and operation of the system, gets backed up.

Full server backup

In a full server backup, the operating system, server data, applications and system state are all backed up. It also allows the data to be restored to different hardware, so this method can be used to restore a server, as a whole, to the same or a different server.

A full backup of the server can be performed using Windows Server Backup. Since it is not installed by default, it can be installed by following the steps given below.

Installing Windows Server Backup

  1. Open Server Manager and select the Add Roles and Features option.
  2. Launch the Add Roles and Features Wizard and click Next.
  3. In the Installation Type section from the menu on the left, select the default Role-based or feature-based installation and click Next.
  4. In the Server Selection section, click Next.
  5. In the Server Roles section, click Next.
  6. In the Features section, select the Windows Server Backup option and click Next.
  7. Click Install and click Close once the installation is complete.
Performing a full server backup using Windows Server Backup

Once Windows Server Backup has been installed, it can be used to take a full server backup by following the steps given below.
  1. Open Server Manager and select Tools-->Windows Server Backup.
  2. Provide the Backup Operator credentials in the User Account Control dialog box and click Next.
  3. Select Local Backup-->Backup Once from the Action menu.
  4. After the Backup Once wizard is launched, go to the Backup Options section from the menu on the left.
  5. Select Different Options and click Next.
  6. In the Select Backup Configuration section, select the Full Server (recommended) option and click Next.
  7. In the Specify Destination Type section, select Local Drives or Remote Shared Folder and click Next.
  8. In the Select Backup Destination section, select the backup location of your choice: a local drive or a network share, depending on the destination type chosen in the previous section.
  9. Select Backup from the confirmation screen.
  10. Click Close upon completion of the backup and close the Windows Server Backup window.

System State Backup

In this backup, only the components that are required to restore the AD are backed up. The system state consists of the following components.
  1. Active Directory Domain Controller
  2. System boot files such as ntldr, ntdetect.
  3. SysVol
  4. Registry
  5. COM+ class registration database
  6. Cluster database
  7. Certificate Server
Hence, all the information contained in these components is captured by, and restored from, a system state backup.
While the components can be backed up in any order, restoration of the system files has to be performed in the following order.
  1. Boot files
  2. Sysvol, Certificate Server, Cluster database and COM+ registration database
  3. Active Directory server
  4. Registry

Performing a system state backup using Windows Server Backup

  1. Open Server Manager and select Tools-->Windows Server Backup.
  2. Provide the Backup Operator credentials in the User Account Control dialog box and click Next.
  3. Select Local Backup-->Backup Once from the Action menu.
  4. After the Backup Once wizard is launched, go to the Backup Options section from the menu on the left.
  5. Select Different Options and click Next.
  6. In the Select Backup Configuration section, select the Custom option and click Next.
  7. In the Select Items for Backup screen, select Add Items-->System State and click OK.
  8. In the Specify Destination Type screen, select Local drives or Remote shared folder and click Next.
  9. If backing up to a remote folder, type the path to the shared folder.
  10. Under Access Control, choose either Do not inherit or Inherit and click Next.
  11. Provide the user name and password in the Provide User Credentials for Backup dialog box and click OK.
  12. In the Select Backup Destination screen, choose the required backup location: a local drive or a network share, depending on the destination type chosen in the previous section.
  13. Select Backup from the confirmation screen.
  14. Click Close upon completion of the backup and close Windows Server Backup.
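The two one-time backups described above (Full Server and System State), scripted with the Windows Server Backup PowerShell cmdlets instead of the wizard. This is an added example, not part of the original article; the volume E:, the share \\backup01\adbackups$ and the account CORP\svc-backup are placeholders, and the script assumes it runs in an elevated PowerShell session on the domain controller.

```powershell
# Install the feature (the Add Roles and Features steps), then load the cmdlets.
if (-not (Get-WindowsFeature -Name Windows-Server-Backup).Installed) {
    Install-WindowsFeature -Name Windows-Server-Backup
}
Import-Module WindowsServerBackup

function Start-AdBackupOnce {
    param(
        [ValidateSet('FullServer', 'SystemState')] [string] $Mode,
        [string] $VolumePath,        # local backup volume, e.g. 'E:'
        [string] $NetworkPath,       # or a remote shared folder
        [pscredential] $Credential   # account that can write to the share
    )
    $policy = New-WBPolicy

    if ($Mode -eq 'FullServer') {
        # "Full Server (recommended)": every volume plus bare metal recovery,
        # which is what allows the restore onto different hardware. The backup
        # target volume itself cannot be part of the backup, so it is excluded.
        $volumes = Get-WBVolume -AllVolumes |
            Where-Object { -not $VolumePath -or $_.MountPath -notlike "$VolumePath*" }
        Add-WBVolume -Policy $policy -Volume $volumes
        Add-WBBareMetalRecovery -Policy $policy
    }
    # Both modes carry the system state (AD database, SYSVOL, registry, ...).
    Add-WBSystemState -Policy $policy

    if ($NetworkPath) {
        # -NonInheritAcl is the "Do not inherit" access control choice: access to
        # the backup folder is limited to the backup account, administrators
        # and backup operators rather than whatever the share's ACL grants.
        $target = New-WBBackupTarget -NetworkPath $NetworkPath `
                      -Credential $Credential -NonInheritAcl
    } else {
        $target = New-WBBackupTarget -VolumePath $VolumePath
    }
    Add-WBBackupTarget -Policy $policy -Target $target

    Start-WBBackup -Policy $policy      # synchronous, like "Backup Once"
    Get-WBJob -Previous 1               # job record: check HResult / ErrorDescription
}

# Constructed usage: system state to E:, then a full server backup to a share.
Start-AdBackupOnce -Mode SystemState -VolumePath 'E:'
Start-AdBackupOnce -Mode FullServer -NetworkPath '\\backup01\adbackups$' `
    -Credential (Get-Credential 'CORP\svc-backup')
```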

Types of restoration in Active Directory

Recovery is the process in which data that has been lost is restored using certain methods. Restoration may be classified into two types namely authoritative and non-authoritative.

In authoritative restoration, the domain controller's (DC) directory is returned to the state it was in when the backup was taken. All the other DCs are then overwritten to match the restored DC, which discards any changes made since the backup was taken. Hence, this type of restoration is usually done when a change in the directory has to be reversed. One of the major advantages of authoritative restoration is that only particular objects within the directory need be marked authoritative. For example, if an organizational unit was deleted by mistake, its restored copy can be marked authoritative. As a result, the deleted organizational unit is replicated back to all the other DCs, and the current versions of its objects on those DCs are overwritten by the restored versions.

Non-authoritative restoration is the default restore mode for AD DS and is generally used when a DC fails for hardware or software reasons. Here, the DC's directory is restored from backup and then receives, via replication from the other DCs, the directory changes that were made since the backup was taken.

Performing restoration in Active Directory

The restoration process in AD can be divided into two main sections:
  1. Booting the server into Directory Services Restore Mode (DSRM)
  2. Recovery of items

Booting into DSRM can be done using the following steps.
  1. Reboot the server.
  2. Once the boot menu is displayed, press F8 to get the advanced options.
  3. From the options, select Directory Services Restore Mode.
  4. After selecting DSRM, press Enter to reboot the computer in safe mode.

After rebooting the server in DSRM, the recovery process can be performed using the following steps.
  1. Open Server Manager and run Windows Server Backup.
  2. Select the Recover option from the menu on the right to launch the Recovery wizard.
  3. On the first screen, choose the Backup stored on another location option.
  4. Select the disk and provide the path to the backup location.
  5. Choose the backup data that needs to be restored.
  6. Select the recovery type and the location for recovery.
  7. Click OK and complete the process.
  8. Once the recovery process is over, reboot the server in normal mode.
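The same restore procedure, including the non-authoritative and authoritative variants described in the previous section, driven from the command line with bcdedit, wbadmin and ntdsutil. This is an added example, not code from the original article; E:, the OU name and the version identifier are placeholders, and the commands are meant to be run stage by stage (each stage ends in a reboot), not as a single script.

```powershell
# Stage 1 (normal mode): make the next boot go into DSRM instead of pressing F8.
# The setting persists until it is deleted, so every reboot lands in DSRM.
bcdedit /set safeboot dsrepair
Restart-Computer -Force
# Log on after the reboot with the local DSRM administrator password.

# Stage 2 (in DSRM): list the backups on the target and pick a version
# ("Backup stored on another location" + path in the Recovery wizard).
wbadmin get versions '-backupTarget:E:'
$version = 'MM/DD/YYYY-HH:MM'   # placeholder: copy a version identifier from the output

# Non-authoritative restore (the default): the system state comes back from
# the backup and normal replication later brings in every change made since.
# wbadmin asks for a restart afterwards; the server returns to DSRM because
# the safeboot flag is still set.
wbadmin start systemstaterecovery "-version:$version" '-backupTarget:E:' -quiet

# Authoritative restore of one OU only: run after the recovery above and
# before leaving DSRM. The marked subtree wins replication and is pushed to
# the other DCs. Add -authsysvol to the wbadmin command above if the SYSVOL
# content must win as well.
ntdsutil "activate instance ntds" "authoritative restore" `
    "restore subtree OU=Sales,DC=corp,DC=example,DC=com" quit quit

# Stage 3: clear the DSRM flag and reboot in normal mode.
bcdedit /deletevalue safeboot
Restart-Computer -Force
```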

Best practices for backup and restoration

An organization can choose any of the above backup and restoration methods, or use a combination of them, to suit its needs and requirements. However, the practices given below can be followed to ensure that the data is backed up and restored properly and to prevent any undesirable situations.
  1. Use multiple domain controllers to facilitate recovery without having to restore from backup
  2. Back up AD on a daily basis
  3. Enable the AD Recycle Bin to restore deleted objects
  4. Maintain an offsite backup of AD
  5. Use restoration as the last resort for recovery
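Practices 2 and 3 above, put into configuration: a scheduled daily system state backup policy, the AD Recycle Bin, and a check that the latest successful backup is recent and still younger than the forest's tombstone lifetime (a system state older than that cannot be restored). This is an added example, not part of the original article; E: and corp.example.com are placeholders, and the script assumes an elevated session on a DC with the ActiveDirectory module available.

```powershell
Import-Module WindowsServerBackup
Import-Module ActiveDirectory

# Practice 2: a scheduled daily system state backup at 02:00, so protection
# does not depend on someone remembering to run "Backup Once".
$policy = New-WBPolicy
Add-WBSystemState -Policy $policy
Add-WBBackupTarget -Policy $policy -Target (New-WBBackupTarget -VolumePath 'E:')
Set-WBSchedule -Policy $policy -Schedule ([datetime]'02:00')
Set-WBPolicy -Policy $policy -Force          # registers it as the scheduled policy

# Practice 3: the AD Recycle Bin (forest-wide; it cannot be disabled again)
# lets deleted objects be restored without a DSRM authoritative restore.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target 'corp.example.com' -Confirm:$false

# Check: is the last successful backup recent, and younger than the tombstone
# lifetime? Older backups are refused because their deletions have aged out.
function Test-AdBackupFresh {
    param([int] $MaxAgeDays = 1)
    $age = (Get-Date) - (Get-WBSummary).LastSuccessfulBackupTime
    $dsa = 'CN=Directory Service,CN=Windows NT,CN=Services,' +
           (Get-ADRootDSE).configurationNamingContext
    $tsl = (Get-ADObject $dsa -Properties tombstoneLifetime).tombstoneLifetime
    if (-not $tsl) { $tsl = 60 }   # attribute absent means the 60-day default
    [pscustomobject]@{
        LastBackupAgeDays = [int]$age.TotalDays
        TombstoneLifetime = $tsl
        Fresh             = ($age.TotalDays -le $MaxAgeDays)
        Restorable        = ($age.TotalDays -lt $tsl)
    }
}
Test-AdBackupFresh
```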