Operational Considerations For Virtualized Domain Controllers
Domain controllers that are running on virtual machines have operational restrictions that do not apply to domain controllers that are running on physical machines. When you use a virtualized domain controller, there are some virtualization software features and practices that you should not use:
All these recommendations are made to help avoid the possibility of an update sequence number rollback. For more information about USN rollback, see USN and USN Rollback.
How To Backup Domain Controllers
For this section we will use NAKIVO Backup & Replication v7.1 with its Active Directory integration; the hypervisor is vSphere ESXi v6.0.5572656.
Note: To use the VM-Generation-ID in VMware, you need to run your virtual domain controller on vCenter v5.0 and ESXi v5.0 or newer, and the virtual hardware needs to be v8 or later. Check the VMware KB for details.
First, we will create a backup job for the DCs.
Just create a normal Backup Job.
Just choose your Domain Controllers to backup.
Select the Backup Repository.
The next options are the ones that matter most when we back up our virtual domain controllers.
- Option 1: Enable the App-aware feature in the backup job. Note: for this option to work properly, the latest VMware Tools must be installed in the VM guest OS.
- Option 2: Enable Screenshot verification. Even though this option is not mandatory, you should verify that your backup is 100% reliable. After a VM backup completes, NAKIVO Backup & Replication recovers the VM with Flash VM Boot, disables networking on the VM to prevent network connections, takes a screenshot of the booted OS, discards the recovered VM, and sends a report with the screenshot via email.
- Option 3: Set the transporters to manual for all VMs.
- Option 4: Disable "Automatically select the replacement for unavailable transporter". We disable this so that the job only ever uses the transporter that we configured to run one concurrent task at a time.
- Option 5: Select the transporter that you configured to run only one concurrent task at a time.
Backup Active Directory With Third
Setting up automated backups for AD is just one of the tasks you will need to perform in order to get your access rights management solution running well through Active Directory. If you use different implementations of AD, you will need to log into several consoles to set this backup system up and check on its status. It is a lot simpler to use a frontend for all of your AD implementations that will manage all domain controllers by replicating the objects and settings that you have managed through that single console.
Restoring The System State Backup Of A Virtual Domain Controller
If a valid system state backup exists for the domain controller virtual machine, you can safely restore the backup by following the restore procedure prescribed by the backup tool that you used to back up the VHD file.
To properly restore the domain controller, you must start it in DSRM. You must not allow the domain controller to start in normal mode. If you miss the opportunity to enter DSRM during system startup, turn off the domain controller’s virtual machine before it can fully start in normal mode. It is important to start the domain controller in DSRM because starting a domain controller in normal mode increments its USNs, even if the domain controller is disconnected from the network. For more information about USN rollback, see USN and USN Rollback.
I Can Rebuild The Domain With One Restore So Should I Only Backup One Domain Controller
You should back up several domain controllers, the more the better. Even though you only need to restore one, you cannot predict the circumstances that will require a restore or if any given backup will be successful and remain uncorrupted until needed. The more backups you have, the more likely you are to have the backup that you want. It is always better to have too many backups than not enough.
Virtualization Deployment Practices To Avoid
Virtualization platforms, such as Hyper-V, offer a number of convenience features that make managing, maintaining, backing up, and migrating computers easier. However, the following common deployment practices and features should not be used for virtual domain controllers:
Do not use the Hyper-V Export feature to export a virtual machine that is running a domain controller.
How To Backup Active Directory
I prefer to use the full backup option instead of the system state backup. This option allows you to easily restore if the operating system or Active Directory becomes corrupt.
It includes the system state so you can choose to restore the entire server or just the system state.
The steps for backing up just the system state are the same; you will simply choose Custom instead of Full server.
Here are the settings that will be configured for this backup:
- 1 full backup, then 14 incremental backups. Windows Server Backup handles the full and incremental backups automatically; no additional configuration is needed.
- The backup destination will be a volume mounted as a local disk. I'm using a SAN with replication to another datacenter for disaster recovery.
- My domain controllers are virtual, running in a VMware environment.
- The domain controller is Windows Server 2016.
I Only Have One Domain Controller How Does This Affect Me
If you only have one domain controller, then there's not as much to worry about. It could crash without a commit and lose some data, but that is a potential problem regardless of how many domain controllers you have. Since a lone domain controller doesn't participate in replication, a USN rollback state will not corrupt the directory or force you into demoting/promoting any domain controllers. It just means that later changes are lost. USN rollbacks are very rare in practice, especially if administrators are sufficiently educated on the subject, so the benefit of never having a USN rollback is completely eclipsed by the benefits of having multiple domain controllers. Only the smallest domains should ever operate with only one domain controller.
What You Should Know
Read through this section first before attempting an Active Directory backup and restoration.
- There are two types of restoration, namely an authoritative restore and a non-authoritative restore. Understand the difference before choosing the one that best fits your situation.
- Have multiple domain controllers to provide a full recovery without a backup when one of your domain controllers fails. That said, do regular backups so you can restore when all your controllers fail due to a virus attack, database corruption, or other reasons.
- Back up at least two domain controllers if you can't do a complete backup.
- Enable the Active Directory Recycle Bin so that you can restore deleted objects quickly.
- Create a document that includes your backup policy, frequency, disaster recovery plan, and more.
- Back up your Active Directory at least once daily, and twice or more if it is large.
- Understand that not all domain controllers are the same, so have a backup strategy accordingly.
- Keep an offsite backup of your AD. Also, follow the 3-2-1 rule where you keep two backups on different media locally and one offsite.
- Know what FSMO is and the process of transfer/seize.
- At the minimum, back up the system state that includes your DNS server, Windows system files, COM+ class registration database, and more.
Now that you have the groundwork ready, let's see how to back up the Active Directory.
Keep At Least One Of The Domain Controllers Backed Up
This advice is mostly for larger companies that have more than one domain controller in their infrastructure. If you have several domain controllers, you should back up at least one of them to ensure at least partial data recovery in the case of some sort of hardware or software failure. Also, if the FSMO roles are installed on one of your controllers, you should prioritize backing it up first. That way, if you lose all of your controllers, you can recover one of them (the one with the FSMO roles, which will be considered primary), and after that, if you deploy another controller, you'll essentially be able to copy all of the changes from the primary domain controller to the secondary one.
Understanding The Backup Environment
The environment for our backup is as follows:
In this demonstration, we have two Domain Controllers: one is called WD2K19-DC01 and the other WD2K19-DC02.
To see the DCs, you can go to the Active Directory Users and Computers snap-in console on the Windows Server.
Configure The Volume Shadow Copy Service
It is important to ensure that the AD database is backed up in a way that preserves database consistency. One way to preserve consistency is to back up the AD database when the server is in a powered-off state. However, backing up the Active Directory server in a powered-off state may not be a good idea if the server is operating in 24/7 mode.
For this reason, Microsoft recommends the use of Volume Shadow Copy Service to back up a server running Active Directory. VSS is a technology included in Microsoft Windows that can create backup copies or snapshots of computer files or volumes, even when they are in use. VSS writers create a snapshot that freezes the System State until the backup is complete to prevent modifying active files used by Active Directory during a backup process. In this way, it is possible to back up a running server without affecting its performance. For this guide, we are going to show you how to change the Shadow Copy size limit configuration on the volume where we are going to store the AD database.
1. Press Win+X on your keyboard to open the Disk Manager. Select the partition where the server is installed, then right-click it and click Properties.
2. Go to the Shadow Copies tab and then click Enable, as shown in the image below.
3. In the next window, click Yes to confirm that you want to enable shadow copies, as shown below.
Restoring Dc From Backup
Install-WindowsFeature -Name Windows-Server-Backup -IncludeAllSubFeature -IncludeManagementTools
Install Windows Server Backup
To create an Active Directory backup, the Windows Server Backup utility needs to be installed. This utility gets a bad rap, mostly because it is used incorrectly. It is not a solution for backing up your entire enterprise, but it works great for specific use cases like backing up Active Directory.
I've been using it for years to back up Active Directory and it works great. There are a few things to be aware of when using this utility, and I'll point those out throughout this guide.
How To Back Up A Physical Domain Controller
Frankly speaking, I hope that you've been updating AD services in your company and that your Domain Controllers have been virtualized for a long time. If not, I hope that you've at least been updating your Domain Controllers, and that they're running relatively modern Windows Server OS versions, Windows Server 2008 R2 or newer.
So, you have a physical Domain Controller or a set of them running Windows Server 2008 R2 or newer, and you want to protect your AD? Meet Veeam Endpoint Backup, a utility aimed at ensuring that data on your remaining physical endpoints and servers is safe and secure. Veeam Endpoint Backup captures the desired data of the physical machine and stores it in a backup file. Then, in case of a disaster, you are able to do a bare-metal or volume-level restore while having full control of the recovery procedure. Item-level recovery is also available with Veeam Explorer for Microsoft Active Directory.
In order to back up your physical Domain Controller with this tool you should:
- Download Veeam Endpoint Backup FREE from this page and copy it to your DC.
- Launch the installation wizard, accept the license agreement and install the program. Note: read these instructions for installing in Unattended Mode.
Figure 3. Selecting objects to back up in Veeam Endpoint Backup
Figure 4. Setting Endpoint Backup permission for the backup repository
- Run the backup, and make sure it's done with no errors.
Figure 5. Veeam Endpoint Backup FREE: Backup job statistics (Backups > Disk node)
Backup And Restore Considerations For Virtualized Domain Controllers
Backing up domain controllers is a critical requirement for any environment. Backups protect against data loss in the event of domain controller failure or administrative error. If such an event occurs, it is necessary to roll back the system state of the domain controller to a point in time before the failure or error. The supported method of restoring a domain controller to a healthy state is to use an Active Directory-compatible backup application, such as Windows Server Backup, to restore a system state backup that originated from the current installation of the domain controller. For more information about using Windows Server Backup with Active Directory Domain Services, see the AD DS Backup and Recovery Step-by-Step Guide.
With virtual machine technology, certain requirements of Active Directory restore operations take on added significance. For example, if you restore a domain controller by using a copy of the virtual hard disk file, you bypass the critical step of updating the database version of a domain controller after it has been restored. Replication will proceed with inappropriate tracking numbers, resulting in an inconsistent database among domain controller replicas. In most cases, this problem goes undetected by the replication system and no errors are reported, despite inconsistencies between domain controllers.
There is one supported way to perform backup and restore of a virtualized domain controller:
How To Restore Domain Controllers
Before we restore the broken Domain Controller, here are some domain controller restore best practices.
- If you are restoring a broken DC in a multi-DC environment, then you can do a normal restore and follow the restore process below.
- If you are restoring all DCs in your domain, then you should first restore the one that holds all the FSMO roles.
- If you are restoring the DC that held the FSMO roles and you want to keep it that way, then you need to follow Microsoft's procedure for an authoritative restore.
Now let us create a Restore Job to restore the Domain Controller that is broken.
Just click Recover and select VMs from Backup.
Select the VM that you need to restore and choose the restore point
Select the ESXi host and the Datastore where the DC will be restored.
Next, we don't need to change much in the default options. In this case, I will not power on the VM after the restore and will leave the VM name as is, but this is not mandatory for this type of restore.
Next, click Finish to save the Restore Job, or Finish & Run to start the job immediately.
As we can see, the restore finished successfully without any issues.
Now let us power on our restored virtual Domain Controller and see whether it synchronizes with DC-01.
When the restored Domain Controller is powered on, we will see some errors in the event logs, particularly in the Directory Service log.
These are some of the events that we will see:
Information about the VM-Generation ID of this DC.
Then some errors about a VM-Generation ID mismatch.
Get Last Active Directory Domain Controller Backup Date
You can check when the current Active Directory domain controller was backed up last time using the repadmin tool:
You can see that in this example the last time the DC and the AD partitions were backed up was 2017-02-18.
You can get the backup status for all DCs in the domain using this command:
repadmin /showbackup *
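A practitioner usually wants this check automated rather than read by eye. The following is an added example, not part of the original article: it parses text in the shape of `repadmin /showbackup` output (assumed layout: an unindented partition DN line followed by an indented `Time: YYYY-MM-DD HH:MM:SS` line) and flags partitions whose last backup is older than a chosen age. The sample output is constructed for the example, not captured from a real DC.

```python
import re
from datetime import datetime, timedelta

# Constructed sample approximating `repadmin /showbackup` output (not real DC output).
SAMPLE_OUTPUT = """\
Repadmin: running command /showbackup against full DC localhost
DC=example,DC=test
    dSASignature        1 entries
        Version 1, 1 entries
            Time: 2017-02-18 13:33:41   DSA: 1a2b3c4d-0000-0000-0000-000000000001
CN=Configuration,DC=example,DC=test
    dSASignature        1 entries
        Version 1, 1 entries
            Time: 2017-02-18 13:33:41   DSA: 1a2b3c4d-0000-0000-0000-000000000001
DC=DomainDnsZones,DC=example,DC=test
    dSASignature        1 entries
        Version 1, 1 entries
            Time: 2017-02-10 02:15:09   DSA: 1a2b3c4d-0000-0000-0000-000000000001
"""

PARTITION_RE = re.compile(r"^(?:DC|CN)=", re.IGNORECASE)          # unindented DN line
TIME_RE = re.compile(r"Time:\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def parse_showbackup(text):
    """Map each directory partition DN to the datetime of its last recorded backup
    (None when the partition has no recorded backup at all)."""
    result, current = {}, None
    for line in text.splitlines():
        if PARTITION_RE.match(line):
            current = line.strip()
            result.setdefault(current, None)
        elif current:
            m = TIME_RE.search(line)
            if m:
                result[current] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return result


def stale_partitions(text, now, max_age_days):
    """Return the DNs whose last backup is missing or older than max_age_days, sorted."""
    limit = timedelta(days=max_age_days)
    return sorted(dn for dn, last in parse_showbackup(text).items()
                  if last is None or now - last > limit)


if __name__ == "__main__":
    # "now" is fixed here so the run is reproducible; use datetime.now() in practice.
    print(stale_partitions(SAMPLE_OUTPUT, datetime(2017, 2, 19), max_age_days=7))
```

A backup older than the forest's tombstone lifetime cannot be used for an AD restore, so keep max_age_days well below that value.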
Backup And Restore Practices To Avoid
As mentioned, domain controllers that are running in virtual machines have restrictions that do not apply to domain controllers that are running in physical machines. When you back up or restore a virtual domain controller, there are certain virtualization software features and practices that you should not use:
- Do not copy or clone VHD files of domain controllers instead of performing regular backups. If the VHD file is copied or cloned, it becomes stale. Then, if the VHD is started in normal mode, you will encounter a USN rollback. You should perform proper backup operations that are supported by Active Directory Domain Services, such as using the Windows Server Backup feature.
- Do not use the Snapshot feature as a backup to restore a virtual machine that was configured as a domain controller. Problems will occur with replication when you revert the virtual machine to an earlier state with Windows Server 2008 R2 and older. For more information, see USN and USN Rollback. Although using a snapshot to restore a read-only domain controller will not cause replication issues, this method of restoration is still not recommended.
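The "inappropriate tracking numbers" described in the backup and restore considerations, and the USN rollback that a VHD copy or snapshot revert causes, can be seen in a small model. The following is an added, deliberately simplified simulation of replication watermarks and invocation IDs, not code from the article or from any Microsoft tool: one-way replication only, no version or timestamp conflict resolution, and constructed attribute names. It shows why a partner silently skips the rolled-back DC's new writes unless a VM-Generation ID change resets the invocation ID.

```python
import copy
import uuid

class DomainController:
    """Simplified model of one DC's replication state (constructed for illustration)."""
    def __init__(self, name):
        self.name = name
        self.invocation_id = uuid.uuid4()  # identity of this database instance
        self.vm_generation_id = 100        # hypervisor-supplied VM-Generation ID (assumed value)
        self.usn = 0                       # local update sequence number
        self.objects = {}                  # attribute -> current value
        self.changes = []                  # originating writes as (usn, attribute, value)
        self.watermark = {}                # partner invocation_id -> highest USN already received

    def write(self, attribute, value):
        self.usn += 1
        self.objects[attribute] = value
        self.changes.append((self.usn, attribute, value))

    def pull_from(self, src):
        """One-way replication: accept only USNs above the watermark for src's invocation ID."""
        seen = self.watermark.get(src.invocation_id, 0)
        for usn, attribute, value in src.changes:
            if usn > seen:
                self.objects[attribute] = value
                seen = usn
        self.watermark[src.invocation_id] = seen

def revert_to_snapshot(dc, snap, new_vm_generation_id):
    """Roll the database back to a snapshot. A changed VM-Generation ID resets the invocation
    ID (generation-ID-aware DC); a VHD copy or older hypervisor leaves both unchanged."""
    dc.usn, dc.objects, dc.changes = snap.usn, dict(snap.objects), list(snap.changes)
    if new_vm_generation_id != dc.vm_generation_id:
        dc.vm_generation_id = new_vm_generation_id
        dc.invocation_id = uuid.uuid4()

def run_scenario(generation_id_changes):
    """Return DC2's value for the post-rollback write; None means it was silently lost."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.write("alice.title", "engineer")            # USN 1
    dc2.pull_from(dc1)
    snap = copy.deepcopy(dc1)                       # snapshot taken here
    dc1.write("alice.title", "manager")             # USN 2, replicated before the revert
    dc2.pull_from(dc1)                              # DC2's watermark for DC1 is now 2
    revert_to_snapshot(dc1, snap, 101 if generation_id_changes else 100)
    dc1.write("bob.title", "analyst")               # rolled-back DC reuses USN 2
    dc2.pull_from(dc1)                              # skipped unless the invocation ID changed
    return dc2.objects.get("bob.title")
```

Running `run_scenario(False)` models the VHD copy or unsupported snapshot revert and returns None (the write never reaches DC2, with no error raised anywhere), while `run_scenario(True)` models a restore that the hypervisor signals through a new VM-Generation ID and returns "analyst".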