Backup Active Directory on Windows Server 2016 - WindowsTips.net - Windows Tips and Tricks with Geek

Thursday, June 24, 2021

Backup Active Directory on Windows Server 2016

In this article, we will take a look on how to backup an Active Directory domain controller running on Windows Server 2016. This backup will allow you to restore both individual AD objects and the entire AD domain in case of problems.

Although Active Directory services are designed with high redundancy (if you deployed several DCs in your company), an AD administrator needs to develop and implement a clear Active Directory backup policy. At least, you need to back up a DCs with FSMO roles and one DC per site. The specific recommendations for the backup strategy are highly dependent on your domain architecture and network structure.

Windows Server 2016 has a built-in Windows Server Backup component that allows you to backup Active Directory.

Using Windows Server Backup to Backup Active Directory

Open the Server Manager on your DC running Windows Server 2016 and select Add Roles and Features. Then click Next several times and set the Windows Server Backup checkbox on the Select features step.

backup active directory

Also, you can install the WSB feature on Windows Server using the PowerShell command:

Install-WindowsFeature -Name Windows-Server-Backup -IncludeAllSubfeature –IncludeManagementTools

Wait for the installation of Windows Server Backup to complete and click Close.

ad backup

Now in the Server Manager select Tools > Windows Server Backup.

active directory backup and restore in windows server 2016

Right click Local Backup item in the left pane and select Backup Schedule.

backup active directory 2016

On the Select Backup Configuration step select Custom.

backup active directory powershell

On the Select Items for Backup stage press Add Item and select the System State. This is enough to restore an Active Directory domain controller in failure cases.

The System State includes:

  • Active Directory database;
  • The Sysvol folder (with GPO objects);
  • Integrated DNS zones and records;
  • Certificate Authority service database;
  • System boot files;
  • System registry;
  • Component Services database.

As a result, you can restore ADDS services on the same server (OS recovery from system state backup on another server is not supported). If you plan to restore the domain controller on another server, you need to select the Bare metal recovery option.

windows server backup active directory

Set a backup schedule. For example, I want to back up AD daily at 12:00 AM.

windows backup active directory

You can backup your DC to a dedicated backup volume, or a shared network folder. I am using a dedicated volume, select it as a backup Destination Target.

windows ad backup

Press Finish to create a backup task.

windows server 2016 backup active directory

You can find the created backup task in the Task Scheduler. Browse to the Task Sheduler Library > Microsoft > Windows > Backup and find a task named Microsoft-Windows-WindowsBackup. This task is run NT AuthoritySYSTEM account. If you want to create a DC backup immediately, open the task properties, go to the tab Setting and check the box “Allow task to be run on demand”. Save the changes by pressing OK. Then right click on task and select Run (or wait for the scheduled task to start).

backup ad server

After the backup process is completed, a directory with the name WindowsImageBackup appears on drive E:. Pay attention to the structure of the WindowsImageBackup directory. It contains a directory with the name of the domain controller, which contains the folder named by the backup copy creation time (for example, E:\WindowsImageBackup\dc01\Backup 2020-01-17 180557).

You can find a vhdx file inside this directory. This is a virtual hard disk image file with the backup Windows image of your domain controller. You can manually connect it through Disk Manager and access backup files.

active directory backup and recovery

How to Backup AD using Wbadmin and PowerShell?

You can also backup DCs using the wbadmin console utility. For example, to backup the system state of the running Windows Server and save it to a separate disk, run the command:

wbadmin start systemstatebackup -backuptarget:e: -quiet

This example overwrites the contents of the WindowsImageBackup directory on the target drive.

The list of available backup copies on the disk can be displayed as follows:

wbadmin get versions

backing up ad

To delete all old backup copies except the last, run the command:

wbadmin delete backup -keepVersions:1

You can also use the WindowsServerBackup module to backup Active Directory on a domain controller with PowerShell. The following PowerShell script will backup server’s System State to the specified drive:

$WBpolicy = New-WBPolicy

Add-WBSystemState -Policy $WBpolicy

$WBtarget = New-WBBackupTarget -VolumePath "E:"
Add-WBBackupTarget -Policy $policy -Target $WBtarget

Start-WBBackup -Policy $WBpolicy

To restore AD in the event of a disaster, you will need SystemState Backup in the root of the local DC drive. When restoring AD, you need to boot the server with the ADDS role in the Directory Services Restore Mode (DSRM).


No comments:

Post a Comment