To maintain an Active Directory database you will need to run regular backups of Active Directory. You can back up Active Directory by using the NTBackup utility or by using the command-line tools that are included in the Windows Server support tools. The main component that you need to back up on a domain controller is the system state. It is essential to keep Active Directory backed up for disaster recovery purposes, or in case the database becomes corrupt and needs to be restored. To ensure you get a usable backup of Active Directory, you need to be aware of the tombstone lifetime. The tombstone container holds the objects that have been deleted from Active Directory. By default, the tombstone lifetime is 60 days, so a backup older than 60 days is no longer a valid backup. It is recommended to back up at least two domain controllers in each domain.
The following provides information on backing up and restoring Active Directory and related components.
System State Data:
Backing up Active Directory is done by backing up the system state data. The system state is a collection of system components that depend on each other; when you restore Active Directory you must restore all of the system state components together. On a domain controller the system state includes:
- Active Directory (NTDS), which includes the following files:
  - Ntds.dit: the Active Directory database.
  - Edb.chk: the checkpoint file.
  - Edb*.log: the transaction logs, each 10 megabytes (MB) in size.
  - Res1.log and Res2.log: reserved transaction logs.
- System Start-up Files (boot files).
- System registry.
- Class registration database of Component Services. The Component Object Model (COM) is a binary standard for writing component software in a distributed systems environment.
- SYSVOL. The system volume folder is used to replicate file-based data among domain controllers. The SYSVOL folder on a domain controller contains:
  - The NETLOGON shared folder, which usually holds user logon scripts and Group Policy Objects (GPOs):
    - User logon scripts
    - Group Policy Objects (GPOs)
  - File system junctions.
  - File Replication Service (FRS) files. These files are required and are synchronized to all domain controllers.
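The following PowerShell script is an added example and is not part of the original article. It takes a system state backup of the local domain controller with wbadmin (which captures all of the components listed above in one operation) and then checks the age of the newest backup against the forest's tombstone lifetime, the 60-day limit described earlier. It assumes the Windows Server Backup feature (wbadmin and the WindowsServerBackup module) and the ActiveDirectory module are installed on the domain controller; the backup volume `E:` is a placeholder.

```powershell
# Added example, not from the original article. Assumes Windows Server Backup
# (wbadmin, WindowsServerBackup module) and the ActiveDirectory module are installed
# on the domain controller, and that E: is a separate backup volume (placeholder).
#Requires -RunAsAdministrator
Import-Module ActiveDirectory
Import-Module WindowsServerBackup

$BackupTarget = 'E:'   # placeholder: a volume that is not the system volume

function Get-TombstoneLifetimeDays {
    # The forest-wide tombstone lifetime is stored on the Directory Service object in the
    # configuration partition. When the attribute is not set, AD uses the default of 60 days.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties tombstoneLifetime
    if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }
}

function Test-BackupAge {
    param(
        [Parameter(Mandatory)][datetime]$BackupTime,
        [Parameter(Mandatory)][int]$TombstoneLifetimeDays
    )
    # A backup older than the tombstone lifetime cannot be restored safely, because the
    # deletions it does not know about have already been purged from the other DCs.
    $ageDays = ((Get-Date) - $BackupTime).TotalDays
    [pscustomobject]@{
        BackupTime      = $BackupTime
        AgeDays         = [math]::Round($ageDays, 1)
        LimitDays       = $TombstoneLifetimeDays
        StillRestorable = $ageDays -lt $TombstoneLifetimeDays
    }
}

# 1. Take the system state backup: Ntds.dit, Edb*.log, the registry, boot files, the COM+
#    class registration database and SYSVOL are captured together.
& wbadmin.exe start systemstatebackup -backupTarget:$BackupTarget -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }

# 2. Locate the newest backup set and compare its age with the tombstone lifetime.
$newest = Get-WBBackupSet | Sort-Object BackupTime -Descending | Select-Object -First 1
if (-not $newest) { throw "No backup sets found on $BackupTarget" }

$result = Test-BackupAge -BackupTime $newest.BackupTime -TombstoneLifetimeDays (Get-TombstoneLifetimeDays)
$result | Format-List
if (-not $result.StillRestorable) {
    Write-Warning "Newest system state backup is older than the tombstone lifetime; take a fresh backup now."
}
```

Run this on each of the domain controllers you have chosen to back up (at least two per domain, as the article recommends) and schedule it so that the interval between backups is well inside the tombstone lifetime; the warning at the end is the signal that a backup is too old to be trusted for a restore.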
Choosing the right Domain Controllers to back up
You should back up at least two domain controllers in each domain, one of which should be an operations master role holder. You cannot take a backup of one domain controller and restore it to another: the backup data from a domain controller can only be used to restore that same domain controller.
Active Directory Recovery
You can restore a domain controller through a clean installation. This method does not require a backup, but it only works if there is a healthy domain controller in the same domain. Once the reinstallation of Active Directory is complete, Active Directory replication brings the domain controller back to a working state.
This option is normally used on computers that function only as a domain controller.
Use the following procedure to recover a domain controller.
1. Remove the failed domain controller's Active Directory metadata.
2. Reinstall the Windows Server operating system.
3. Install Active Directory. Once Active Directory setup completes in the existing domain, replication updates the new domain controller's database with current data.
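As an added example that is not part of the original article, the following PowerShell covers the three steps above: metadata cleanup of the failed domain controller from a healthy one, then promotion of the rebuilt server back into the domain and a replication check. The domain `example.com`, the server name `DC2` and the site `Default-First-Site-Name` are placeholders; it assumes the ActiveDirectory and ADDSDeployment modules are available on the respective machines.

```powershell
# Added example, not from the original article. Section A runs on a healthy domain
# controller; section B runs on the rebuilt server after the OS has been reinstalled.
# Placeholders: example.com, DC2, Default-First-Site-Name.
#Requires -RunAsAdministrator

$Domain   = 'example.com'              # placeholder domain
$FailedDc = 'DC2'                      # placeholder name of the DC being rebuilt
$SiteName = 'Default-First-Site-Name'  # placeholder site

# ---------- Section A: on a healthy DC, step 1 (remove the failed DC's metadata) ----------
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$serverDn = "CN=$FailedDc,CN=Servers,CN=$SiteName,CN=Sites,$configNC"

# ntdsutil removes the NTDS Settings object, the server object and the computer account
# so that a server with the same name can be promoted again.
& ntdsutil.exe 'metadata cleanup' "remove selected server $serverDn" quit quit
if ($LASTEXITCODE -ne 0) { throw "metadata cleanup failed with exit code $LASTEXITCODE" }

# Do not continue while the old server object is still present in the configuration partition.
if (Get-ADObject -Identity $serverDn -ErrorAction SilentlyContinue) {
    throw "Server object for $FailedDc still exists; metadata cleanup did not complete"
}

# Step 2 is manual: reinstall Windows Server on the failed hardware and give it the same name.

# ---------- Section B: on the rebuilt server, step 3 (install Active Directory) ----------
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

$cred = Get-Credential -Message "Domain Admin account for $Domain"
# Promotion into the existing domain; replication then rebuilds Ntds.dit and SYSVOL
# from the healthy domain controllers, which is why no backup is needed for this path.
Install-ADDSDomainController -DomainName $Domain -SiteName $SiteName -InstallDns `
    -Credential $cred -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') -Force

# After the post-promotion reboot: confirm inbound replication succeeds before relying on the DC.
Get-ADReplicationPartnerMetadata -Target $FailedDc -PartnerType Inbound |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult
```

A `LastReplicationResult` of 0 for every inbound partner means the rebuilt domain controller has pulled a current copy of the directory; anything else should be investigated before the server is returned to service.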
Authoritative restore
An authoritative restore is most commonly used when a change has been made that needs to be reversed. For example, a security group was deleted by accident. The restore process replicates the deleted security group back to all domain controllers in the domain. When you do an authoritative restore, all changes that were made after the backup will be lost. An authoritative restore is done by using the NTDSUTIL command-line utility. The utility works by marking objects in Active Directory so that they receive a higher version number than the copies on the other domain controllers. The higher version number on the objects prevents other domain controllers from overwriting them during replication.
Non-Authoritative Restore
A non-authoritative restore returns Active Directory to the state it was in when the backup was taken; the data is then brought up to date through the normal replication process. This restore method is most commonly used when a domain controller has a hardware or software failure. It is also the default directory restore method.
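The following PowerShell is an added example, not part of the original article, and shows how the two restore types above relate in practice: a non-authoritative system state restore in Directory Services Restore Mode, followed (only when needed) by marking a single deleted object authoritative with ntdsutil. Each function corresponds to one phase and is run by hand at that phase, because the machine reboots in between. The backup version string and the group DN are placeholders; it assumes the backup was taken with wbadmin as in the Windows Server Backup feature.

```powershell
# Added example, not from the original article. Run on the domain controller being restored,
# one function per phase (the DC reboots between phases). Placeholders: the wbadmin version
# string (taken from 'wbadmin get versions') and the DN of the accidentally deleted group.
#Requires -RunAsAdministrator

$BackupVersion  = '01/15/2024-22:00'                                # placeholder version
$DeletedGroupDn = 'CN=Finance-Admins,OU=Groups,DC=example,DC=com'  # placeholder DN (no spaces)

function Enter-DsrmBoot {
    # Phase 1 (normal mode): make the next boot start in Directory Services Restore Mode.
    # Braces are quoted because PowerShell would otherwise treat {default} as a script block.
    & bcdedit.exe /set '{default}' safeboot dsrepair
    Restart-Computer -Force
}

function Restore-SystemStateNonAuthoritative {
    param([Parameter(Mandatory)][string]$Version)
    # Phase 2 (in DSRM, logged on with the DSRM administrator account): this is the
    # non-authoritative restore. On its own, replication would afterwards bring the DC
    # back in line with its partners, re-applying the deletion.
    & wbadmin.exe start systemstaterecovery -version:$Version -quiet
    if ($LASTEXITCODE -ne 0) { throw "system state recovery failed with exit code $LASTEXITCODE" }
}

function Set-ObjectAuthoritative {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Phase 3 (still in DSRM, before the post-restore reboot): mark only the deleted group
    # as authoritative. ntdsutil raises the object's version number so that replication
    # pushes this copy out to the other DCs instead of overwriting it.
    & ntdsutil.exe 'activate instance ntds' 'authoritative restore' "restore object $DistinguishedName" quit quit
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil authoritative restore failed with exit code $LASTEXITCODE" }
}

function Exit-DsrmBoot {
    # Phase 4: clear the DSRM flag and return to normal mode; replication then distributes
    # the restored group to the remaining domain controllers.
    & bcdedit.exe /deletevalue '{default}' safeboot
    Restart-Computer -Force
}

function Test-RestoredGroup {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Phase 5 (normal mode, after replication): confirm the group exists again.
    Import-Module ActiveDirectory
    Get-ADGroup -Identity $DistinguishedName | Select-Object DistinguishedName, ObjectGUID
}

# Run in order, one call per phase:
# Enter-DsrmBoot
# Restore-SystemStateNonAuthoritative -Version $BackupVersion
# Set-ObjectAuthoritative -DistinguishedName $DeletedGroupDn
# Exit-DsrmBoot
# Test-RestoredGroup -DistinguishedName $DeletedGroupDn
```

For the hardware-failure case described under non-authoritative restore, phases 1, 2 and 4 are sufficient; phase 3 is what turns the operation into an authoritative restore, and it should be limited to the objects that actually need to win over the other domain controllers, since everything marked authoritative discards the later changes the article warns about.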
Backing up Group Policy
Group Policy Objects can help maintain enterprise security, keep systems up to date, standardize client configuration and apply numerous configuration parameters. After you create a Group Policy Object (GPO), you should back it up in case it needs to be restored.
By using the Group Policy Management Console (GPMC) you can create backups of Group Policy Objects.
Open the Group Policy Management Console.
- In the console tree, double-click Group Policy Objects.
- To back up all Group Policy Objects, right-click Group Policy Objects and choose Back Up All. To back up a single GPO, right-click that GPO and choose Back Up.
- In the Location box, enter or browse to the path where you want to store the backups.
- Optionally enter a description for the backup.
- Once all steps are complete, click OK.
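The same Back Up All operation can be scripted with the GroupPolicy module that ships with the GPMC feature. The following PowerShell is an added example and not code from the original article: it writes every GPO to a dated folder, keeps a manifest of the backup IDs, and shows how a single GPO is restored from that folder. The path `C:\GPOBackups` and the GPO name in the commented restore call are placeholders.

```powershell
# Added example, not from the original article. Assumes the GroupPolicy module (installed
# with the GPMC feature) is available; C:\GPOBackups is a placeholder path.
#Requires -RunAsAdministrator
Import-Module GroupPolicy

$BackupRoot = 'C:\GPOBackups'   # placeholder: choose a location that is itself backed up

function Backup-AllGpos {
    param([Parameter(Mandatory)][string]$Root)
    # One dated folder per run keeps earlier backups restorable after a bad change
    # instead of overwriting the only copy.
    $dest = Join-Path $Root (Get-Date -Format 'yyyyMMdd-HHmm')
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    # -Comment corresponds to the description box in the GPMC backup dialog.
    $backups = Backup-GPO -All -Path $dest -Comment "Scheduled backup $(Get-Date -Format s)"
    # Backup-GPO returns one GpoBackup object per GPO; a CSV manifest beside the data lets
    # an administrator find the right backup ID for a restore without opening the GPMC.
    $backups | Select-Object DisplayName, Id, GpoId, Timestamp, Comment |
        Export-Csv -Path (Join-Path $dest 'manifest.csv') -NoTypeInformation
    return $backups
}

function Restore-SingleGpo {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$DisplayName
    )
    # Restore-GPO -Name uses the most recent backup of that GPO found under -Path,
    # so pointing it at the newest dated folder restores the latest known-good copy.
    $newestRun = Get-ChildItem -Path $Root -Directory | Sort-Object Name -Descending | Select-Object -First 1
    if (-not $newestRun) { throw "No GPO backup folders found under $Root" }
    Restore-GPO -Name $DisplayName -Path $newestRun.FullName
}

$done = Backup-AllGpos -Root $BackupRoot
"Backed up $($done.Count) GPOs to $BackupRoot"

# Restoring one GPO (placeholder name) after an unwanted change:
# Restore-SingleGpo -Root $BackupRoot -DisplayName 'Default Domain Policy'
```

Because GPO backups are plain files, the folder they land in should be protected with the same care as the system state backups: anyone who can modify the backup can change what gets restored into the domain.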