Active Directory (AD) plays an important role in managing the network resources of an organization. It is also responsible for other indispensable processes such as authentication and security. Hence, all the data that is stored has to be backed up on a regular basis, to prevent data from getting lost in case of unforeseeable disasters. In the event of data loss, native tools such as Windows Server Backup can be used to recover any mission-critical data from the backups.
Types of backup in Active Directory
The different types of backup that can be performed in AD are full server backup, system state backup and incremental backup.
In a full server backup, all the data, including the operating system, server data, applications and system state, is backed up in a single operation. It is considered one of the safest and most reliable methods.
In an incremental backup, only the data that has changed or been added since the last backup is copied. This requires much less storage space and time than the other types of backup. In a system state backup, the system state information, that is, the OS components necessary for the system to function and operate properly, is backed up.
Full server backup
In a full server backup, the operating system, server data, applications and system state are all backed up. The backup can also be restored to a different piece of hardware, so this method can be used to restore a server as a whole, either to the same machine or to a different one.
A full backup of the server can be performed using Windows Server Backup. Since it is not installed by default, it can be installed by following the steps given below.
Installing Windows Server Backup
Open Server Manager and select the Add Roles and Features option.
Launch the Add Roles and Features Wizard and click Next.
In the Installation Type section from the menu on the left, select the default Role-based or Feature-based installation and click Next.
In the Server Selection section, click Next.
In the Server Roles section, click Next.
In the Features section select Windows Server Backup option and click Next.
Click on Install and click Close once the installation is complete.
Performing a full server backup using Windows Server Backup
Once Windows Server Backup has been installed, it can be used to take a full server backup by following the steps given below.
Open Server Manager, select Tools-->Windows Server Backup.
Provide the Backup Operator credentials in the User Account Control dialog box and click Next.
Select Local Backup-->Backup Once from the Action menu.
After the Backup Once wizard is launched, go to the Backup Option section from the menu on the left.
Select Different Options and click Next.
In the Select Backup Configuration section, select the Full Server (recommended) option and click Next.
On the Specify Destination Type section, select Local Drives or Remote Shared Folder and click Next.
On the Select Backup Destination section, select the backup location of your choice. Select a local drive or network share depending on the destination chosen in the previous section.
Select Backup from the confirmation screen.
Click Close upon completion of the backup and close the Windows Server Backup window.
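The installation steps and the Backup Once wizard above have a scripted equivalent. The following is an added example, not code from the original article or from Microsoft's documentation: it installs the Windows Server Backup feature if it is missing and runs a one-time full server backup to a local drive using the WindowsServerBackup PowerShell module. The backup drive letter (E:) is an assumed placeholder; the session must be elevated and run by a member of Backup Operators or Administrators.

```powershell
# Added example (not from the original article): install Windows Server Backup if needed
# and run a one-time "Full Server" backup to a local volume.
#Requires -RunAsAdministrator

$BackupVolume = 'E:'   # assumed dedicated backup disk; it must not be one of the volumes being backed up

# 1. Install the feature (the Add Roles and Features steps above).
if (-not (Get-WindowsFeature -Name Windows-Server-Backup).Installed) {
    Install-WindowsFeature -Name Windows-Server-Backup | Out-Null
}
Import-Module WindowsServerBackup

# 2. Build a policy equivalent to "Full Server (recommended)": every volume except the
#    backup target, plus system state and bare-metal recovery.
$policy = New-WBPolicy
Get-WBVolume -AllVolumes |
    Where-Object { $_.MountPath -notlike "$BackupVolume*" } |
    ForEach-Object { Add-WBVolume -Policy $policy -Volume $_ }
Add-WBSystemState -Policy $policy
Add-WBBareMetalRecovery -Policy $policy
Set-WBVssBackupOptions -Policy $policy -VssFullBackup   # full VSS backup, not a copy backup

# 3. Destination: the "Local Drives" choice in the wizard.
$target = New-WBBackupTarget -VolumePath $BackupVolume
Add-WBBackupTarget -Policy $policy -Target $target -Force

# 4. Run the backup synchronously and check the result of the job that just finished.
Start-WBBackup -Policy $policy
$job = Get-WBJob -Previous 1
if ($job.HResult -ne 0) {
    throw "Full server backup failed: $($job.ErrorDescription)"
}

# 5. Confirm a new backup set is present on the target.
Get-WBBackupSet -BackupTarget $target |
    Select-Object -Last 1 BackupTime, BackupTarget, SnapshotId
```

The policy built here is a one-off; it is not registered with `Set-WBPolicy`, so nothing is scheduled. Checking `Get-WBJob -Previous 1` after `Start-WBBackup` matters because the cmdlet reports progress but a failed job only shows up in the job's `HResult` and `ErrorDescription`.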
System State Backup
In this backup, only the components required to restore AD are backed up. The system state consists of the following components:
- Active Directory Domain Controller
- System boot files such as ntldr and ntdetect
- SysVol
- Registry
- COM+ class registration database
- Cluster database
- Certificate Server
A system state backup therefore has to capture all the information held in these components.
While these components can be backed up in any order, the system files have to be restored in the following order:
- Boot files
- SysVol, Certificate Server, Cluster database and COM+ class registration database
- Active Directory Domain Controller
- Registry
A system state backup can be taken with Windows Server Backup by following the steps given below.
Open Server Manager, select Tools-->Windows Server Backup.
Provide the Backup Operator credentials in the User Account Control dialog box and click Next.
Select Local Backup-->Backup Once from the Action menu.
After the Backup Once wizard is launched, go to the Backup Option section from the menu on the left.
Select Different Options and click Next.
In the Select Backup Configuration section, select the Custom option and click Next.
In the Select Items for Backup screen, select Add Items-->System State and click OK.
In the Specify Destination Type screen, select Local drives or Remote shared folder and click Next.
In the case of backing up to a remote folder, type the path to the shared folder.
In Access Control, choose either Do not inherit or Inherit and click Next.
Provide the user name and password in the Provide User Credentials for Backup dialog box and then click OK.
In the Select Backup Destination screen, choose the required backup location. Select a local drive or network share depending on the destination chosen in the previous section.
Select Backup from the confirmation screen.
Click Close upon completion of the backup and close Windows Server Backup.
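The system state steps above, including the remote shared folder, its access control choice and the backup credentials, can also be expressed as a scheduled policy. The following is an added example, not code from the original article: it registers a nightly system state backup to a remote share with the WindowsServerBackup module and then reads back the last result. The share path, the 21:00 schedule and the credential prompt are assumptions for your environment.

```powershell
# Added example (not from the original article): schedule a daily system state backup
# to a remote shared folder and verify the registered policy.
#Requires -RunAsAdministrator
Import-Module WindowsServerBackup

$SharePath  = '\\backup01.corp.example\adbackup'   # assumed share; the backup account needs write access
$BackupTime = '21:00'                               # assumed daily run time
$cred = Get-Credential -Message 'Account that writes to the backup share'

# "Custom" > "Add Items" > "System State": the policy contains only the system state.
$policy = New-WBPolicy
Add-WBSystemState -Policy $policy

# "Remote shared folder" destination. -NonInheritAcl is the wizard's "Do not inherit" choice:
# only the supplied account and local administrators get access to the backup folder.
$target = New-WBBackupTarget -NetworkPath $SharePath -Credential $cred -NonInheritAcl
Add-WBBackupTarget -Policy $policy -Target $target

# Run every day at $BackupTime; Set-WBPolicy is what actually registers the schedule.
Set-WBSchedule -Policy $policy -Schedule $BackupTime | Out-Null
Set-WBPolicy -Policy $policy -Force

# Show what is registered, then the status of the most recent run.
Get-WBPolicy | Select-Object Schedule, SystemState, BackupTargets

$summary = Get-WBSummary
[pscustomobject]@{
    LastSuccessfulBackup = $summary.LastSuccessfulBackupTime
    LastResult           = if ($summary.LastBackupResultHR -eq 0) { 'OK' }
                           else { 'HRESULT 0x{0:X8}' -f $summary.LastBackupResultHR }
    NextBackup           = $summary.NextBackupTime
}
```

One caveat worth knowing when a remote shared folder is the target: Windows Server Backup keeps only a single version there, so each scheduled run overwrites the previous one. Keeping a copy elsewhere is what makes the offsite backup in the best practices below meaningful, rather than relying on that one version.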
Types of restoration in Active Directory
Recovery is the process of restoring data that has been lost. Restoration may be classified into two types, namely authoritative and non-authoritative.
In authoritative restoration, the domain controller's (DC) directory is returned to the state it was in when the backup was taken. All the other DCs are then overwritten to match the restored DC, which discards any changes made since the backup. Hence, this type of restoration is usually done when a change in the directory has to be reversed. One of the major advantages of authoritative restoration is that particular objects within the directory can be marked authoritative. For example, if an organizational unit was deleted by mistake, the restored organizational unit can be marked authoritative, and it is then replicated to all the other DCs. The current versions of the organizational unit's objects on the other DCs are overwritten by the restored versions.
Non-authoritative restoration is the default restore mode for AD DS and is generally used when a DC fails for hardware or software reasons. Here, the DC's directory is restored from backup and then receives, via replication from the other DCs, the directory changes that were made since the backup was taken.
The restoration process in AD can be divided into two main sections:
- Booting the server in Directory Services Restore Mode (DSRM)
- Recovery of items
Booting into DSRM can be done using the following steps.
Reboot the server.
Once the boot menu is displayed, press F8 to get the advanced options.
From the options, select Directory Services Restore Mode.
After selecting DSRM, press Enter to boot the computer into this safe mode.
After rebooting the server into DSRM, the recovery process can be performed using the following steps.
Open Server Manager and run Windows Server Backup.
Select the Recover option from the menu on the right and launch the Recovery wizard.
From the first screen, choose the Backup stored on another location option.
Select the disk and provide the path to the backup location.
Choose the backup data that needs to be restored.
Select the recovery type and the location for recovery.
Click OK and complete the process.
Once the recovery process is over, reboot the server in normal mode.
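The DSRM boot and the recovery steps above, together with the authoritative and non-authoritative modes described earlier, map onto a small number of commands. The following is an added example, not code from the original article: three functions, one for each stage (mark the next boot as DSRM, restore the system state inside DSRM with an optional authoritative subtree, return to normal boot), using bcdedit, wbadmin and ntdsutil. The backup share, DC name, version identifier and OU distinguished name are placeholders.

```powershell
# Added example (not from the original article): the DSRM restore sequence as commands.
# Run Enter-Dsrm before the reboot, Restore-DcSystemState inside DSRM (log on as
# .\Administrator with the DSRM password), and Exit-Dsrm before the final reboot.
#Requires -RunAsAdministrator

function Enter-Dsrm {
    # Equivalent to pressing F8 and choosing Directory Services Restore Mode, but set in the
    # boot configuration so the next boot lands in DSRM without a keypress.
    bcdedit /set safeboot dsrepair
    Restart-Computer -Force
}

function Restore-DcSystemState {
    param(
        [Parameter(Mandatory)][string]$BackupShare,   # e.g. \\backup01.corp.example\adbackup (placeholder)
        [Parameter(Mandatory)][string]$DcName,        # e.g. DC01 (placeholder)
        [Parameter(Mandatory)][string]$Version,       # MM/DD/YYYY-HH:MM from 'wbadmin get versions'
        [string]$AuthoritativeSubtree                 # optional DN, e.g. OU=Sales,DC=corp,DC=example
    )
    # "Choose the backup data that needs to be restored": list what the target holds for this DC.
    wbadmin get versions -backupTarget:$BackupShare -machine:$DcName

    # Non-authoritative restore (the default mode): AD DS is returned to the backup and then
    # catches up with the other DCs through replication. Add -authsysvol only when this DC's
    # SYSVOL copy must win over the other DCs.
    wbadmin start systemstaterecovery -version:$Version -backupTarget:$BackupShare -machine:$DcName -quiet
    if ($LASTEXITCODE -ne 0) {
        throw "systemstaterecovery failed with exit code $LASTEXITCODE"
    }

    # Optional authoritative restore of one subtree (e.g. an OU deleted by mistake): the restored
    # copy is given higher version numbers so it overwrites the deletion on the other DCs. Must be
    # done while still in DSRM. ntdsutil asks for confirmation before proceeding.
    if ($AuthoritativeSubtree) {
        & ntdsutil 'activate instance ntds' 'authoritative restore' "restore subtree $AuthoritativeSubtree" quit quit
    }
}

function Exit-Dsrm {
    # Clear the DSRM boot flag, otherwise the DC keeps coming up in DSRM, then reboot normally.
    bcdedit /deletevalue safeboot
    Restart-Computer -Force
}
```

Running `Restore-DcSystemState` without `-AuthoritativeSubtree` is the non-authoritative case from the text; passing a DN is the authoritative case limited to particular objects. After `Exit-Dsrm`, replication from the other DCs supplies the changes made since the backup, except for the subtree marked authoritative, which is pushed out from this DC instead.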
Best practices for backup and restoration
An organization can choose from any of the above backup and restoration methods and use a combination of them to suit their needs and requirements. However, the steps given below can be followed to ensure that the data is backed up and restored properly and to prevent any undesirable situations.
- Use multiple domain controllers to facilitate recovery without having to restore from backup
- Back up AD on a daily basis
- Enable the AD Recycle Bin to restore deleted objects
- Maintain an offsite backup of AD
- Use restoration as the last resort for recovery
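Two of the practices above, enabling the AD Recycle Bin and treating a DSRM restore as the last resort, go together: with the Recycle Bin enabled, an accidentally deleted OU can usually be brought back online without taking a DC down. The following is an added example, not code from the original article: it enables the feature if it is not already on and restores deleted objects by their former name with the ActiveDirectory module. The forest name and object name are placeholders.

```powershell
# Added example (not from the original article): enable the AD Recycle Bin and restore
# deleted objects from it, avoiding a DSRM restore for the common accidental-deletion case.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$Forest = 'corp.example'   # placeholder forest root domain

# Enabling the Recycle Bin is forest-wide and cannot be undone; it needs Enterprise Admins
# rights and a forest functional level of Windows Server 2008 R2 or later.
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $rb -Scope ForestOrConfigurationSet -Target $Forest -Confirm:$false
}

function Restore-DeletedAdObject {
    param(
        [Parameter(Mandatory)][string]$Name,   # name the object had before deletion, e.g. 'Sales'
        [switch]$WhatIf                        # preview only
    )
    # Deleted objects keep their attributes in CN=Deleted Objects and are renamed to
    # "<name>\0ADEL:<guid>", so a prefix match on the old name finds them.
    $deleted = Get-ADObject -Filter "Name -like '$Name*' -and isDeleted -eq `$true" `
                            -IncludeDeletedObjects `
                            -Properties lastKnownParent, whenChanged, objectClass
    if (-not $deleted) {
        throw "No deleted object named '$Name' found in the Recycle Bin"
    }

    # Restore-ADObject puts an object back under its lastKnownParent, which must already
    # exist, so restore containers (shorter parent DN) before the objects that lived in them.
    $ordered = $deleted | Sort-Object { $_.lastKnownParent.Length }
    foreach ($obj in $ordered) {
        Write-Host ('Restoring {0} ({1}, deleted {2}) to {3}' -f `
            $obj.Name, $obj.objectClass, $obj.whenChanged, $obj.lastKnownParent)
        Restore-ADObject -Identity $obj.ObjectGUID -WhatIf:$WhatIf
    }
    return $ordered.Count
}

# Usage: preview first, then restore for real.
# Restore-DeletedAdObject -Name 'Sales' -WhatIf
# Restore-DeletedAdObject -Name 'Sales'
```

Objects restored this way keep their SID, group memberships and other attributes, which is what makes this preferable to a DSRM restore for a single deletion. The Recycle Bin only holds objects for the deleted object lifetime configured in the forest, so the daily backups above remain the fallback once that window has passed.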