Active Directory Backup Best Practices

Active Directory is a widely known service for centralized management and user authentication in Windows-based environments. Administrators can manage computers joined to the domain centrally, which is convenient and time-saving for large and distributed infrastructures. MS SQL and MS Exchange usually require Active Directory. If the Active Directory Domain Controller (AD DC) becomes unavailable, related users cannot log in and dependent systems cannot function properly, which can cause trouble in your environment. That’s why backing up your Active Directory is important. Today’s blog post explains Active Directory backup best practices, including effective methods and tools.

NAKIVO Backup & Replication is an all-in-one backup and site recovery solution that helps you protect your data and follow Active Directory backup best practices. With the help of Windows Server Backup, you can perform seamless backup of your Active Directory data, ensuring that your application data remains transactionally consistent under any circumstances.

Active Directory Working Principle

Active Directory is a management system that consists of a database where the individual objects and transaction logs are stored. The database is divided into several partitions that contain different types of information – a schema partition (which determines the AD database design, including object classes and their attributes), a configuration partition (information about the AD structure) and the domain naming context (users, groups, printer objects). The Active Directory database has a hierarchical, tree-like structure. The Ntds.dit file is used to store the AD database.

Active Directory uses the LDAP and Kerberos protocols to operate over the network. LDAP (Lightweight Directory Access Protocol) is an open, cross-platform protocol for accessing directories such as Active Directory; it also supports directory service authentication with a user name and password. Kerberos is a secure authentication and single sign-on protocol that uses secret key cryptography. The usernames and passwords checked by the Kerberos authentication server are stored in the LDAP directory (in Active Directory’s case).

Active Directory is tightly integrated with the DNS Server, Windows protected system files, System Registry of a domain controller, as well as the Sysvol directory, COM+ Class Registration Database, and cluster service information. Such integration has direct influence on the Active Directory backup strategy.

What Data Must Be Backed Up?

As the previous section shows, you need to make a copy not only of Ntds.dit but of all components integrated with Active Directory. The components that are integral parts of the Domain Controller system are as follows:

  • Active Directory Domain Services
  • Domain Controller System Registry
  • Sysvol directory
  • COM+ class registration database
  • DNS zone information integrated with Active Directory
  • System files and boot files
  • Cluster service information
  • Certificate services database (if your Domain Controller is a certificate service server)
  • IIS meta folders (if Microsoft Internet Information Services are installed on your Domain Controller)

General AD Backup Recommendations

Let’s take a look at some general recommendations for Active Directory backup.

At least one domain controller in a domain must be backed up

It is obvious that if you have just one domain controller in your infrastructure, you should back up this DC. If you have more than one domain controller, you should back up at least one of them, and that should be the domain controller that holds the FSMO (Flexible Single Master Operation) roles. If you have lost all domain controllers, you can recover the primary domain controller (the one holding the FSMO roles), deploy a new secondary domain controller, and replicate changes from the primary DC to the secondary DC.

Include your Active Directory backup within your disaster recovery plan

Compose your disaster recovery (DR) plan with multiple scenarios for recovering your infrastructure as you prepare for hypothetical disasters. The best practice is to create a thorough DR plan before disaster occurs. Pay close attention to the recovery sequence. Keep in mind that a domain controller must be recovered before you can recover other machines with services related to the Active Directory as they may become useless without the AD DC. Creating a workable disaster recovery plan that takes into account dependencies of different services running on different machines guarantees you a successful recovery. You can back up your domain controller to a local site, remote site, or cloud. Among the best practices of Active Directory backup is to have more than one copy of your domain controller according to the 3-2-1 backup rule.

Back up Active Directory on a regular basis

You should back up your Active Directory regularly, with an interval that doesn’t exceed 60 days. Active Directory assumes that a backup is no older than the lifetime of AD tombstone objects, which by default is 60 days. The reason is that Active Directory uses tombstone objects when objects are deleted. When an AD object is deleted (the majority of that object’s attributes are removed), it is marked as a tombstone object and is not deleted physically until the tombstone lifetime expires. If there are multiple domain controllers in your infrastructure and Active Directory replication is enabled, the tombstone object is replicated to each domain controller until the tombstone lifetime expires. If you restore one of your domain controllers from a backup that is older than the tombstone lifetime, you will end up with inconsistent information between Active Directory domain controllers: the recovered domain controller holds information about objects that no longer exist. This inconsistency can cause errors.

If you installed any drivers or applications on your domain controller after making a backup, they will not be functional after recovering from said backup as the system state (including registry) will be recovered to a previous state. This is just one more reason to back up Active Directory more frequently than once per 60 days. We strongly recommend that you back up the Active Directory Domain Controller every night.
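The two checks from this section and the previous one, as an added PowerShell example that is not part of the original post: it reports which FSMO roles the local DC holds (so you know whether this is the DC worth backing up) and compares the age of the last successful Windows Server Backup against the forest tombstone lifetime. It assumes the ActiveDirectory and WindowsServerBackup modules are installed on the DC where it runs; the function names are my own.

```powershell
# Added example, not from the original post. Run on the DC being checked.
Import-Module ActiveDirectory
Import-Module WindowsServerBackup

function Get-LocalFsmoRoles {
    # Role holders are reported as FQDNs, so compare against this host's FQDN.
    $local  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $holders = @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    @($holders.GetEnumerator() | Where-Object { $_.Value -ieq $local } | ForEach-Object { $_.Key })
}

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime is stored on the Directory Service object in the configuration partition.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties tombstoneLifetime
    # When the attribute is not set, AD behaves as if it were 60 days.
    if ($null -eq $ds.tombstoneLifetime) { return 60 }
    return [int]$ds.tombstoneLifetime
}

function Test-ADBackupReadiness {
    param([int]$WarnAfterDays = 1)   # nightly backups are the recommendation
    $roles = Get-LocalFsmoRoles
    if ($roles.Count -eq 0) { Write-Warning "This DC holds no FSMO role; make sure the role holder is backed up too." }
    else { Write-Host "FSMO roles held here: $($roles -join ', ')" }

    $tombstoneDays = Get-TombstoneLifetimeDays
    $lastOk = (Get-WBSummary).LastSuccessfulBackupTime
    if (-not $lastOk -or $lastOk -eq [datetime]::MinValue) {
        Write-Warning "No successful Windows Server Backup recorded on this DC."
        return $false
    }
    $ageDays = ((Get-Date) - $lastOk).TotalDays
    Write-Host ("Last successful backup {0:u}, {1:N1} days old; tombstone lifetime {2} days" -f $lastOk, $ageDays, $tombstoneDays)
    if ($ageDays -ge $tombstoneDays) {
        # Restoring such a backup would reintroduce objects the other DCs have already purged.
        Write-Warning "Backup is older than the tombstone lifetime; take a fresh backup before relying on it."
        return $false
    }
    if ($ageDays -gt $WarnAfterDays) { Write-Warning "Backup is more than $WarnAfterDays day(s) old." }
    return $true
}

Test-ADBackupReadiness
```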

Use software that ensures data consistency

As with any other database, the Active Directory database must be backed up in a way that ensures database consistency is preserved. The consistency can best be preserved if you back up the AD DC data when the server is powered off or when Microsoft Volume Shadow Copy Service (VSS) is used on a running machine. Backing up the Active Directory server in a powered-off state may not be a good idea if the server is operating in 24/7 mode. Active Directory backup best practices recommend that you use VSS-compatible backup applications to back up a server running Active Directory. VSS writers create a snapshot which freezes the system state until the backup is complete to prevent modifying active files used by Active Directory during a backup process.

Use backup solutions that provide granular recovery

When it comes to recovering Active Directory, you may recover the entire server with Active Directory and all its objects. A full recovery may take a significant amount of time, especially if your AD database is large. If some Active Directory objects are accidentally deleted, you may want to recover only those objects and nothing else. Active Directory backup best practices recommend that you use backup methods and applications that can perform granular recovery, i.e. recover only particular Active Directory objects from a backup. This limits the amount of time spent on recovery.

Native Active Directory Backup Methods

Microsoft has developed a series of native tools for backing up Windows Servers including servers running Active Directory domain controllers.

Windows Server Backup

Windows Server Backup is a utility provided by Microsoft with Windows Server 2008 and later Windows Server versions; it replaced the NTBackup utility built into Windows Server 2003. To access it, you just need to enable Windows Server Backup in the Add Roles and Features menu. Windows Server Backup features a new GUI (graphical user interface) and lets you create incremental backups by using VSS. The backed-up data is saved into a VHD file – the same file format used by Microsoft Hyper-V. You can mount such a VHD disk to a virtual machine or a physical machine and access the backed-up data. Note that, unlike a VHD created by MVMC (Microsoft Virtual Machine Converter), the VHD image is not bootable in this case. You can back up the entire volume, or the system state only, by using the wbadmin start systemstatebackup command. For example:

wbadmin start systemstatebackup -backupTarget:E:

You should select a backup target that differs from the volume from which you are backing up the data, and one that is not a remote shared folder.

When it’s time to recover, boot the domain controller into Directory Services Restore Mode (DSRM) by pressing F8 to open the advanced boot options (as you would when entering Safe Mode). Then use the wbadmin get versions -backupTarget:path_to_backup -machine:name_of_server command to select the appropriate backup, and begin restoring the needed data. You can also use NTDSutil to manage particular Active Directory objects from the command line during recovery.
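The backup side of the procedure above, as an added PowerShell example that is not part of the original post: it validates the target the way the text requires (a local volume other than the one being backed up, not a remote shared folder), runs the system state backup, lists the versions that a DSRM restore can later select from, and registers a nightly task. It assumes Windows Server Backup is installed, the script runs elevated on the DC, and E: is the target volume; the function names are my own.

```powershell
# Added example, not from the original post.
function Test-SystemStateBackupTarget {
    param([Parameter(Mandatory)][string]$Target)   # a drive letter such as "E:"
    # A remote shared folder (UNC path) is not a valid target for a system state backup.
    if ($Target -like '\\*') { Write-Warning "Target must not be a remote shared folder."; return $false }
    # The target must be a different volume from the one being backed up (the system volume here).
    if ($Target.TrimEnd('\') -ieq $env:SystemDrive) { Write-Warning "Target must differ from the system volume."; return $false }
    if (-not (Test-Path -Path "$($Target.TrimEnd('\'))\")) { Write-Warning "Volume $Target is not accessible."; return $false }
    return $true
}

function Start-SystemStateBackup {
    param([Parameter(Mandatory)][string]$Target)
    if (-not (Test-SystemStateBackupTarget -Target $Target)) { return $false }
    # -quiet suppresses the confirmation prompt so the command also works from a scheduled task.
    & wbadmin start systemstatebackup "-backupTarget:$Target" -quiet
    if ($LASTEXITCODE -ne 0) { Write-Warning "wbadmin failed with exit code $LASTEXITCODE."; return $false }
    # Show what is now available to restore from DSRM on this machine.
    & wbadmin get versions "-backupTarget:$Target" "-machine:$env:COMPUTERNAME"
    return $true
}

function Register-NightlySystemStateBackup {
    # Nightly schedule, per the recommendation earlier in the post.
    param([Parameter(Mandatory)][string]$Target, [string]$At = '01:00')
    $action  = New-ScheduledTaskAction -Execute 'wbadmin.exe' -Argument "start systemstatebackup -backupTarget:$Target -quiet"
    $trigger = New-ScheduledTaskTrigger -Daily -At $At
    Register-ScheduledTask -TaskName 'AD System State Backup' -Action $action -Trigger $trigger -User 'SYSTEM' -RunLevel Highest
}

Start-SystemStateBackup -Target 'E:'
Register-NightlySystemStateBackup -Target 'E:'
```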

The advantages of using Windows Server Backup for Active Directory backup are affordability, VSS support, and the ability to back up either the whole system or the Active Directory components only.

Disadvantages include the need to possess the appropriate skills and knowledge base to configure a backup and recovery process.

System Center Data Protection Manager

Microsoft recommends that you use the System Center Data Protection Manager (SC DPM) for backing up data including the Active Directory in Windows-based infrastructure. SC DPM is a centralized enterprise-grade backup and recovery solution that is a part of the System Center Suite and can be used to protect the Windows Server which includes services such as Active Directory. Unlike the free built-in Windows Server Backup, SC DPM is paid software that must be deployed separately as a complex solution. Installation may seem somewhat challenging when compared with Windows Server Backup. Indeed, a backup agent must be installed to ensure your machine is fully protected.

The main features of the System Center Data Protection Manager related to Active Directory backup are:

  • VSS support
  • Incremental backup
  • Backup to Microsoft Azure cloud
  • No granular object recovery for Active Directory

Using SC DPM is most practical when you need to protect a high number of Windows machines, including MS Exchange and MS SQL servers.

Backing Up the Virtual Domain Controller

The native Active Directory backup methods listed above can be used for backing up Active Directory servers deployed on both physical servers and virtual machines. Running domain controllers on virtual machines offers advantages specific to VMs, such as host-level backup and the ability to recover the VM on a different physical server. Active Directory backup best practices recommend using host-level backup solutions, which work at the hypervisor level, when backing up Active Directory domain controllers running on virtual machines.


Active Directory is one of the most business-critical applications; its disruption can cause downtime for users and services. Today’s blog post explained Active Directory backup best practices to help you protect your infrastructure against AD failure. Selecting the right backup solution is the key takeaway in this case.

NAKIVO Backup & Replication is host-level backup software for VMware and Hyper-V VMs running an Active Directory Domain Controller. This solution allows you to back up entire domain controller VMs, even while the VM is running, in an application-aware manner (VSS is used), and provides instant recovery of AD objects. No agents are needed. NAKIVO Backup & Replication supports granular Active Directory recovery, so you can recover particular AD objects and containers without spending the time required for a full VM recovery. Of course, full recovery of the domain controller VM is also supported.
