How do I ensure a good backup of an Active Directory domain controller?
Important: Backing up a domain controller is a relatively straightforward process. However, restoring a domain controller in a multi-domain-controller environment is not. You not only have to restore the domain controller data correctly, you also have to ensure that the newly restored DC interacts correctly with the existing live domain controllers and begins to replicate properly.
It may be easier in a multi-DC environment to just build a new DC as outlined under Additional Information.
1) Enable VSS Support - this ensures completion of all transactions before the backup process starts
2) Using Kaseya Pre/Post Procedures (an example of these is found in http://dl.kaseya.com/download/support/budr/scripts/PrePostScripts.zip), stop the ntfrs and netlogon services while the snapshot is being produced.
Before you start the backup, use the Execute Shell Command within Kaseya Scripting to run the following two commands:
- net stop ntfrs
- net stop netlogon
After the snapshot has been created, use the Execute Shell Command within Kaseya Scripting to run the following two commands:
- net start ntfrs
- net start netlogon
You can use Event Viewer to verify that NTFRS restarted correctly. Event ID 13501 indicates that the service restarted. Look for event ID 13516 to verify that the domain controller is running and ready for service.
3) Run a system state backup on a domain controller using ntbackup, ensuring that it completes prior to the Acronis backup.
For example, to create a backup job named "System State Backup Job" that backs up the System State data to the file D:\system_state_backup.bkf, type:
ntbackup backup systemstate /J "System State Backup Job" /F "D:\system_state_backup.bkf"
Important: A system state backup prevents you from recovering the server to alternate hardware. However, it is the only method supported for recovering using BUDR in a multiple domain controller environment.
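The pre/post procedure from steps 2 and 3 written as a single PowerShell hook, added here as an example; it is not Kaseya's PrePostScripts.zip or Acronis tooling. It assumes Windows PowerShell (with Get-EventLog) is available on the DC, that the script runs as an administrator, and it reuses the backup file path and job name from the ntbackup example above.

```powershell
# DcBackupHook.ps1 (hypothetical helper, not Kaseya's PrePostScripts): wraps the
# pre/post snapshot steps from this article. Run as an administrator on the DC.
#   .\DcBackupHook.ps1 -Phase Pre    before the VSS snapshot is taken
#   .\DcBackupHook.ps1 -Phase Post   after the snapshot has been created
param(
    [Parameter(Mandatory = $true)][ValidateSet('Pre', 'Post')][string]$Phase,
    [string]$BackupFile = 'D:\system_state_backup.bkf',   # assumed path from the ntbackup example
    [string]$JobName    = 'System State Backup Job'
)

function Invoke-SystemStateBackup {
    # Step 3: run ntbackup and wait for it, so it completes before the Acronis job starts.
    $ntbArgs = "backup systemstate /J `"$JobName`" /F `"$BackupFile`""
    $p = Start-Process -FilePath 'ntbackup.exe' -ArgumentList $ntbArgs -Wait -PassThru
    # ntbackup exit codes are not reliable, so also confirm the .bkf file was produced.
    if ($p.ExitCode -ne 0 -or -not (Test-Path $BackupFile)) {
        throw "System state backup failed (exit $($p.ExitCode)); aborting before snapshot."
    }
}

function Test-FrsReady {
    # Poll the FRS log for 13501 (service restarted) and 13516 (DC ready) logged after $Since.
    param([datetime]$Since, [int]$TimeoutSeconds = 300)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $ids = Get-EventLog -LogName 'File Replication Service' -After $Since -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty EventID
        if ($ids -contains 13501 -and $ids -contains 13516) { return $true }
        Start-Sleep -Seconds 10
    } while ((Get-Date) -lt $deadline)
    return $false
}

switch ($Phase) {
    'Pre' {
        Invoke-SystemStateBackup
        # Step 2: quiesce replication and Netlogon so the snapshot is consistent.
        Stop-Service -Name ntfrs    -Force -ErrorAction Stop
        Stop-Service -Name netlogon -Force -ErrorAction Stop
    }
    'Post' {
        $restartedAt = Get-Date
        Start-Service -Name ntfrs    -ErrorAction Stop
        Start-Service -Name netlogon -ErrorAction Stop
        if (-not (Test-FrsReady -Since $restartedAt)) {
            # Non-zero exit so the Kaseya post-procedure reports the failure.
            Write-Error 'NTFRS did not log events 13501 and 13516; check the DC before trusting this backup.'
            exit 1
        }
    }
}
```

Wire the Pre phase into the Kaseya pre-procedure and the Post phase into the post-procedure; a non-zero exit from Post flags a DC whose replication did not come back cleanly.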
Recommendations & Considerations
The most effective restore process for a domain controller in an environment running multiple domain controllers is to build a new DC, then let AD replicate back to the new DC. This implies you should have multiple geographically dispersed dedicated boxes acting as domain controllers, with no other data stored on them beyond what is held in the directory.
Domain and Active Directory data is designed to be replicated around the network. Take advantage of this resiliency: with a good geographically dispersed design, you should never lose domain information to a disaster.
It is also common industry practice to back up your AD data on a daily or even hourly basis using LDIFDE, which allows recovery of many AD objects without requiring an authoritative restore.
For Microsoft's official documentation on Active Directory backups, see Active Directory Operations Guide - Active Directory Backup and Restore here:
It is also common industry practice to set up a complete export of Active Directory using LDIFDE on a scheduled basis. For more information on LDIFDE, see the Using LDIFDE to import and export directory objects to Active Directory section here:
See http://kb.acronis.com/content/15827 for Acronis recommendations on how to use their software to back up domain controllers.
(Note – “Create Snapshots using VSS” is the same option as the VSS checkbox in the Backup > Backup > Schedule Volumes & Schedule Folders pages in the Kaseya UI).
Also see http://kb.acronis.com/content/15848 for Acronis-specific information about how to restore a domain controller to different hardware.