In this article, we’ll look at how to back up an Active Directory domain controller running Windows Server 2016. In the event of an issue, this backup will allow you to recover both individual AD objects and the complete AD domain.
Although Active Directory services are designed to be highly redundant (assuming your firm has multiple DCs), an AD administrator must still define and implement a clear Active Directory backup policy. At the very least, back up the DCs that hold FSMO roles and one DC per site. Backup strategy recommendations depend largely on your domain design and network structure.
The built-in Windows Server Backup component in Windows Server 2016 allows you to back up Active Directory.
Using Windows Server Backup to Back Up Active Directory
Select Add Roles and Features in the Server Manager on your Windows Server 2016 DC. Then, on the Select features step, check the Windows Server Backup checkbox.
Also, you can install the WSB feature on Windows Server using the PowerShell command:
Install-WindowsFeature -Name Windows-Server-Backup -IncludeAllSubfeature -IncludeManagementTools
Wait for the installation of Windows Server Backup to complete and click Close.
Now in the Server Manager select Tools > Windows Server Backup.
Right-click the Local Backup item in the left pane and select Backup Schedule.
On the Select Backup Configuration step select Custom.
Press Add Item and pick System State on the Select Items for Backup stage. In the event of a failure, this is sufficient to restore an Active Directory domain controller.
The following items are included in the System State:
- Active Directory database;
- The Sysvol folder (with GPO objects);
- Integrated DNS zones and records;
- Certificate Authority service database;
- System boot files;
- System registry;
- Component Services database.
As a result, ADDS services can be restored on the same server (OS recovery from system state backup on another server is not supported). You must choose the Bare metal recovery option if you want to restore the domain controller to another server.
Set a backup schedule. For example, I want to back up AD daily at 12:00 AM.
A dedicated backup drive or a shared network folder can be used to back up your DC. I’m backing up to a dedicated volume, so I’ve chosen it as the backup Destination Target.
Press Finish to create a backup task.
The backup task that was created can be found in Task Scheduler. Find the task named Microsoft-Windows-WindowsBackup under Task Scheduler Library > Microsoft > Windows > Backup. The task runs under the NT AUTHORITY\SYSTEM account. If you want to create a DC backup right away, open the task properties, go to the Settings tab, and check the option “Allow task to be run on demand”. Click OK to save your changes. Then right-click the task and select Run from the context menu (or wait for the scheduled task to start).
When the backup process completes, a directory named WindowsImageBackup appears on drive E:. Pay attention to the structure of the WindowsImageBackup directory. It contains a directory named after the domain controller, which in turn contains a folder named with the backup creation time (for example, E:\WindowsImageBackup\dc01\Backup 2020-01-17 180557).
This directory contains a vhdx file, a virtual hard disk image holding the Windows backup image of your domain controller. You can access the backed-up files by manually attaching it in Disk Management.
How to Back Up AD Using Wbadmin and PowerShell?
You can also back up DCs using the wbadmin console utility. For example, to back up the system state of the running Windows Server and save it to a separate disk, run the command:
wbadmin start systemstatebackup -backuptarget:e: -quiet
This example overwrites the contents of the WindowsImageBackup directory on the target drive.
The list of available backup copies on the disk can be displayed as follows:
wbadmin get versions
To delete all old backup copies except the last, run the command:
wbadmin delete backup -keepVersions:1
You can also use the WindowsServerBackup module to back up Active Directory on a domain controller with PowerShell. The following PowerShell script backs up the server’s System State to the specified drive:
# Create an empty backup policy and add System State to it
$WBpolicy = New-WBPolicy
Add-WBSystemState -Policy $WBpolicy
# Use volume E: as the backup target
$WBtarget = New-WBBackupTarget -VolumePath "E:"
Add-WBBackupTarget -Policy $WBpolicy -Target $WBtarget
# Run the backup
Start-WBBackup -Policy $WBpolicy
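A post-backup check for the daily System State job described above, as an added example (not code from the original article): it reads the job status with Get-WBSummary and confirms the WindowsImageBackup folder layout shown earlier. The function name, the 26-hour freshness window and the default E: target are assumptions.

```powershell
# Added example: verify that the DC's System State backup ran and left an image.
# Assumed (not from the article): function name, 26-hour window. Run elevated on the DC.
Import-Module WindowsServerBackup

function Test-DcSystemStateBackup {
    param(
        [string]$TargetVolume = 'E:',   # backup target volume used in the article
        [int]$MaxAgeHours = 26          # assumed: daily schedule plus some slack
    )

    $problems = @()
    $summary  = Get-WBSummary

    # LastBackupResultHR is 0 when the most recent backup job succeeded.
    if ($summary.LastBackupResultHR -ne 0) {
        $problems += "Last backup job failed: $($summary.DetailedMessage)"
    }

    # A stale backup is as bad as a failed one for a daily schedule.
    $last = $summary.LastSuccessfulBackupTime
    if (-not $last -or $last -lt (Get-Date).AddHours(-$MaxAgeHours)) {
        $problems += "No successful backup in the last $MaxAgeHours hours (last: $last)"
    }

    # Layout from the article: <target>\WindowsImageBackup\<DC name>\Backup <timestamp>\*.vhdx
    $dcDir  = "$TargetVolume\WindowsImageBackup\$env:COMPUTERNAME"
    $newest = Get-ChildItem -Path $dcDir -Directory -Filter 'Backup *' -ErrorAction SilentlyContinue |
        Sort-Object Name -Descending | Select-Object -First 1   # names sort chronologically
    if (-not $newest) {
        $problems += "No 'Backup <timestamp>' folder under $dcDir"
    } elseif (-not (Get-ChildItem -Path $newest.FullName -Filter '*.vhdx')) {
        $problems += "No .vhdx image in $($newest.FullName)"
    }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        LastSuccess  = $last
        NewestFolder = $newest.FullName
        Healthy      = ($problems.Count -eq 0)
        Problems     = $problems
    }
}

$result = Test-DcSystemStateBackup
$result | Format-List
if (-not $result.Healthy) { exit 1 }   # non-zero exit lets a scheduler or monitor alert
```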
To restore AD in the event of a disaster, you’ll need a System State backup on the root of a local disk of the DC. When recovering AD, you must boot the server with the ADDS role in Directory Services Restore Mode (DSRM).