In this article we will talk about Active Directory domain controller backup and learn how to configure an automated AD backup using PowerShell and the built-in Windows Server tools.
Do I Need to Back Up Active Directory?
Many times I have heard from fellow administrators that if you have several (three, eight, etc.) domain controllers distributed across different geographic locations, you do not need to back up your AD at all, because with several DCs you have already provided domain fault tolerance. In this scheme the probability of all DCs failing at the same time tends to zero, and if one of the domain controllers fails, you can quickly deploy a new one on the same site and remove the old one using ntdsutil.
However, in my practice I have come across a number of situations where all domain controllers turned out to be damaged: in one case all domain controllers (although there were more than 20 of them in different cities) were encrypted by ransomware after a domain admin password had been captured (to prevent such scenarios see “” and “”), in another case replication of a corrupted NTDS.DIT file resulted in a domain failure.
So you can and should back up your AD. You should regularly back up at least the key domain controllers and the FSMO (Flexible Single Master Operations) role owners. You can get the list of FSMO role owners with this command:
netdom query fsmo
Get Last Active Directory Domain Controller Backup Date
You can check when the current Active Directory domain controller was last backed up using the repadmin tool:
You can see that in this example the last time the DC and its AD partitions were backed up was 2017-02-18 (most likely, no backup has been made since the domain controller was deployed).
You can get the backup status for all DCs in the domain using this command:
repadmin /showbackup *
Backing Up AD Domain Controller Using Windows Server Backup
If you do not have any dedicated backup software, you can use the built-in Windows Server Backup (this component has replaced the NTBackup tool). You can configure an automated backup job in the Windows Server Backup GUI, but it has some limitations. The main drawback is that a new server backup will always overwrite the previous one.
When you back up a domain controller using WSB, you create a System State backup. The System State includes the Active Directory database (NTDS.DIT), Group Policy Objects, the contents of the SYSVOL directory, the registry, the IIS metabase, the AD CS database and other system files and resources. The backup is created through the Volume Shadow Copy Service (VSS).
You can check whether Windows Server Backup is installed using the PowerShell cmdlet:
If WSB is not installed, you can add it with PowerShell:
Add-WindowsFeature Windows-Server-Backup -IncludeAllSubFeature
Or install Windows Server Backup via Server Manager -> Features.
I will save the backup of this AD domain controller to a shared network folder on a dedicated backup server. For example, the path to the backup directory may look like this: \\mun-back1\backup\dc01. Configure the NTFS permissions for this folder: grant Read and Write permissions to the Domain Admins and Domain Controllers groups only.
Active Directory Backup with PowerShell
Let's try to back up a domain controller using PowerShell. To keep several generations of AD backup copies, we will store each backup copy in a separate directory named after the backup creation date.
[string]$date = Get-Date -Format 'yyyy-MM-dd'
$TargetUNC = "\\mun-back1\backup\dc01\$date"    # one subfolder per backup date, so older copies are not overwritten
if (-not (Test-Path -Path $TargetUNC)) { New-Item -Path $TargetUNC -ItemType Directory | Out-Null }
$WBadmin_cmd = "wbadmin.exe START BACKUP -backupTarget:$TargetUNC -systemState -noverify -vssCopy -quiet"
Invoke-Expression $WBadmin_cmd
Run the PowerShell script. The wbadmin console will appear. It shows the progress of the disk backup (shadow copy) creation:
The backup operation to \\mun-back1\backup\dc1\2020-06-01 is starting. Creating a shadow copy of the volumes specified for backup...
Detailed error: The filename, directory name, or volume label syntax is incorrect. The backup of the system state failed [01.06.2020 8:31].
I opened the WSB error log: C:\Windows\Logs\WindowsServerBackup\Backup_Error-01-06-2020_09-23-14.log.
There was the following error in the file:
Error in backup of C:\windows\systemroot\ during enumerate: Error [0x8007007b] The filename, directory name, or volume label syntax is incorrect.
Looking ahead, I will say that the problem was an incorrect path to a VMware Tools driver.
To fix the error, open an elevated command prompt and run this command:
DiskShadow /L writers.txt
list writers detailed
After getting the list, type exit and open C:\Windows\System32\writers.txt. Find the line containing “windows” in it.
In my case the line I found looked like this:
File List: Path = c:\windows\systemroot\system32\drivers, Filespec = vsock.sys
As you can see, an incorrect path to the VSOCK.SYS driver is used.
To correct the path, open the Registry Editor and go to the key HKLM\SYSTEM\CurrentControlSet\Services\vsock.
Change the ImagePath value from
Run the backup script again.
If the backup was successful, you will see the following messages in the log:
The backup operation successfully completed. The backup of volume (C:) completed successfully. The backup of the system state successfully completed [01.06.2020 09:52].
Check the time of the last DC backup:
Now it shows that the last domain controller backup was performed today.
The size of the directory with the domain controller backup on the server is about 9 GB. In fact, we have got a VHDX file that you can use to restore the OS from WSB, or you can manually mount the VHDX file and copy the files or folders you need from it. If you only need a backup of the AD database itself (NTDS.DIT) rather than the whole System State, use this wbadmin command instead:
$WBadmin_cmd = "wbadmin start backup -backuptarget:$path -include:C:\Windows\NTDS\ntds.dit -quiet"    # $path is the dated UNC folder from the script above
Invoke-Expression $WBadmin_cmd
The size of such a backup will be only 50-500 MB, depending on the AD database size.
For automated AD backup, create the C:\PS\Backup_AD_DC.ps1 script on your DC and run it on a schedule using Task Scheduler. You can create the scheduled task from the GUI or from PowerShell. The main requirement is that the task must run under the NT AUTHORITY\SYSTEM account with the Run with highest privileges option checked. For a daily AD domain controller backup, create the following task:
$Trigger = New-ScheduledTaskTrigger -At 02:00am -Daily
$User = "NT AUTHORITY\SYSTEM"
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\PS\Backup_AD_DC.ps1"
Register-ScheduledTask -TaskName "BackupAD-DC-daily" -Trigger $Trigger -User $User -Action $Action -RunLevel Highest -Force
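As an added example, not code from the original article, here is a complete Backup_AD_DC.ps1 that the scheduled task above could run: it implements the dated-folder scheme from the PowerShell section, checks the wbadmin exit code, records the result in the Application event log so a failed backup can be alerted on, and prunes dated folders older than a retention period. The share path, retention period, log file and event source name are assumptions.

```powershell
# Added example (not from the original article): scheduled system-state backup of a DC.
# Assumptions: the UNC path, $RetentionDays, the log file and the event source name.
$BackupRoot    = '\\mun-back1\backup\dc01'
$RetentionDays = 14
$Source        = 'AD-Backup'
$LogFile       = 'C:\PS\Backup_AD_DC.log'

function Write-BackupLog([string]$Message, [string]$Type = 'Information', [int]$Id = 1000) {
    # Keep a local text log and an event log entry; the event log is what monitoring should watch
    "$(Get-Date -Format s) [$Type] $Message" | Add-Content -Path $LogFile
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName Application -Source $Source
    }
    Write-EventLog -LogName Application -Source $Source -EntryType $Type -EventId $Id -Message $Message
}

# 1. One folder per backup date, so earlier system-state copies are not overwritten
$TargetUNC = Join-Path $BackupRoot (Get-Date -Format 'yyyy-MM-dd')
if (-not (Test-Path -Path $TargetUNC)) {
    New-Item -Path $TargetUNC -ItemType Directory | Out-Null
}

# 2. Run the system-state backup; wbadmin returns a non-zero exit code on failure
& wbadmin.exe START BACKUP "-backupTarget:$TargetUNC" -systemState -noverify -vssCopy -quiet
if ($LASTEXITCODE -ne 0) {
    Write-BackupLog "System state backup to $TargetUNC failed (wbadmin exit code $LASTEXITCODE)" 'Error' 1001
    exit $LASTEXITCODE
}
Write-BackupLog "System state backup to $TargetUNC completed"

# 3. Retention: remove dated folders older than $RetentionDays. Only folders whose name
#    is a yyyy-MM-dd date are considered, so nothing else on the share is touched.
$Cutoff = (Get-Date).Date.AddDays(-$RetentionDays)
Get-ChildItem -Path $BackupRoot -Directory |
    Where-Object { $_.Name -match '^\d{4}-\d{2}-\d{2}$' } |
    Where-Object { [datetime]::ParseExact($_.Name, 'yyyy-MM-dd', $null) -lt $Cutoff } |
    ForEach-Object {
        Remove-Item -Path $_.FullName -Recurse -Force
        Write-BackupLog "Removed expired backup folder $($_.FullName)"
    }
```

The pruning step runs under the DC's own computer account and therefore needs delete rights on the share; if you want a compromised DC to be unable to wipe its own backup history, run that step on the backup server instead and keep the DC at Read and Write as recommended above.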
So, we have configured an AD backup, and we will discuss how to restore AD from a domain controller System State backup in our next article.