Active Directory backup

One of the most critical systems in your network is Active Directory, which is the foundation service for your business applications. It goes without saying that you should have solid backup and recovery plans for it.

I want to share with you how I usually take backups of my domain controllers. First of all, I do not trust installing any type of agent on domain controllers. My domain controllers should not, by any means, run any service besides directory services. Most backup solutions require elevated rights on the server in order to take a system state backup, and granting those rights to a backup agent on a domain controller rings an alarm: whatever can read the system state of a DC can read every credential in the domain.

Instead, I always go with a simple, straightforward way. I create a script that invokes Windows Server Backup, the built-in backup feature that ships with every Windows Server installation, asks it to take a system state backup, and writes that backup to a remote, secured file share.

The next step is to ask the backup team to install whatever agents they want on that file server, and to back up the system state files from there to tape. Simple and efficient.

Active Directory backup 1

Prepare the File Server

Now, as the file share will host your AD backup, it is important to protect and restrict access to that file server. I would recommend installing it on a virtual machine with a system drive and a separate data drive. Keep in mind that a system state backup of a domain controller contains the ntds.dit database, so whoever can read this share can extract every password hash in the domain; treat the file server with the same care as a domain controller.

Also, make sure that the local Administrators group on that file server is restricted to Domain Admins only. Do not install any other server roles on the server, and do not host any other shares on it.

Now, on the D drive, create a hidden share (a share name ending in $ is not browsable, but that is convenience, not a security control) and grant permissions to the (Domain Controllers) computer group in both the share permissions and the NTFS permissions. Domain Controllers is a built-in security group that exists in your AD by default; the script runs as System on the DC, so it reaches the share as the DC's computer account. Modify is enough for what the script does (create, write and delete folders); granting Full Control to the whole group would let any domain controller re-ACL the share and every other DC's backups.
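The share and permission setup described above, done from PowerShell on the file server instead of the GUI. This is an added example, not part of the original article; the domain name CONTOSO, the path D:\ADBackup, the share name ADBackup$ and the service account ServiceADBackup (the account later passed to wbadmin) are assumed names, and New-SmbShare requires Windows Server 2012 or later.

```powershell
# Added example, not from the original article: create the hidden backup share and
# set NTFS + share permissions on the file server (Server 2012 or later).
# Assumed names: domain CONTOSO, share ADBackup$ on D:\ADBackup, account ServiceADBackup.
$Path       = 'D:\ADBackup'
$ShareName  = 'ADBackup$'                  # trailing $ hides the share from browsing only
$DCGroup    = 'CONTOSO\Domain Controllers' # DCs reach the share as their computer account
$BackupUser = 'CONTOSO\ServiceADBackup'    # account handed to wbadmin -user

New-Item -ItemType Directory -Force -Path $Path | Out-Null

# NTFS: break inheritance, then grant only what each principal needs.
# Domain Controllers and the service account get Modify (create/write/delete), not Full
# Control, so no DC and no service account can re-ACL the share.
# (OI)(CI) = applies to files and subfolders; /grant:r replaces existing explicit grants.
icacls $Path /inheritance:r `
    /grant:r "NT AUTHORITY\SYSTEM:(OI)(CI)F" `
             "BUILTIN\Administrators:(OI)(CI)F" `
             "${DCGroup}:(OI)(CI)M" `
             "${BackupUser}:(OI)(CI)M" | Out-Null

# Share: no Everyone entry, Change for the two writers, access-based enumeration, and
# SMB encryption so the system state (which contains ntds.dit) is not readable on the wire.
New-SmbShare -Name $ShareName -Path $Path `
    -ChangeAccess $DCGroup, $BackupUser `
    -FullAccess 'BUILTIN\Administrators' `
    -FolderEnumerationMode AccessBased `
    -EncryptData $true | Out-Null

# Verify the result: who can reach the share, and what the NTFS ACL ended up as.
Get-SmbShareAccess -Name $ShareName | Format-Table -AutoSize
(Get-Acl $Path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Run it once, as a local administrator on the file server. The two verification commands at the end are the check worth keeping: if Everyone or Authenticated Users still shows up in either list, the share is not locked down.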

Script details

The script should be scheduled to run on any of your domain controllers, and it should run under the built-in (System) security context. This gives it the right to take a backup of AD without any additional rights.

The script starts by importing the Server Manager module

Import-Module ServerManager

Then we will get the current date:

[string]$date = get-date -f 'yyyy-MM-dd'

Following that we will define the folder on the remote file share:

$TargetUNC = "\\FileServer\ADBackup$\AD-$date"

This assumes that the remote file server is called FileServer and the hidden share we created is called ADBackup$. Notice that we are assuming backups are taken into a folder structure where the name of the folder contains the date on which the backup was taken.

We first check whether a folder with today's date already exists, and if it does, we delete it. This means we do not keep two backups taken on the same date. This is only my own way; you can do yours.

Because this part of the script runs as System, it creates and deletes folders on the remote share as the DC's computer account, which is why the Domain Controllers computer group needs access to that remote share folder.

If (Test-Path $TargetUNC) { Remove-Item -Path $TargetUNC -Recurse -Force }
New-Item -ItemType Directory -Force -Path $TargetUNC

Finally, we start the backup using the wbadmin command. When the backup target is a remote shared folder, wbadmin needs a user name and password with write permission on that share. So create a dedicated domain user (for example ServiceADBackup), give it share and NTFS permissions to write to the remote file share, and nothing else: keep it out of every privileged group. Because the password sits in cleartext inside the script, lock the script file down so that only Administrators and System can read it.

$WBadmin_cmd = "wbadmin.exe START BACKUP -backupTarget:$TargetUNC -systemState -noverify -vssCopy -quiet -user:MyUser -password:MyPassword "

Invoke-Expression $WBadmin_cmd

The final script looks like this (note that the user name must be written the same way in both the comment and the wbadmin line):

    # The script should be scheduled on a domain controller and run under the (System) account.
    Import-Module ServerManager

    # Today's date, used as part of the backup folder name
    [string]$date = Get-Date -Format 'yyyy-MM-dd'

    # \\FileServer\ADBackup$ is your remote hidden share. The "AD-$date" folder is created by the script.
    $TargetUNC = "\\FileServer\ADBackup$\AD-$date"

    # One backup per day: replace any backup already taken today.
    If (Test-Path $TargetUNC) { Remove-Item -Path $TargetUNC -Recurse -Force }

    # The (Domain Controllers) built-in AD group needs share and NTFS rights on \\FileServer\ADBackup$,
    # because this part of the script runs as the DC's computer account (System).
    New-Item -ItemType Directory -Force -Path $TargetUNC

    # Create a domain user (MyUser) that has write share and NTFS permissions on the hidden share.
    # wbadmin only accepts the password in cleartext, so restrict read access to this script file.
    $WBadmin_cmd = "wbadmin.exe START BACKUP -backupTarget:$TargetUNC -systemState -noverify -vssCopy -quiet -user:MyUser -password:MyPassword"

    Invoke-Expression $WBadmin_cmd
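A hardened variant of the same wrapper, added here as an example and not the article's own script: it keeps the one-backup-per-day behaviour and the same wbadmin call, but invokes wbadmin with an argument array instead of Invoke-Expression, checks the exit code, records success or failure in the Application event log (so a SIEM or monitoring agent can pick it up), applies a retention window to the AD-yyyy-MM-dd folders on the share, and prunes the WindowsServerBackup log directory that otherwise grows forever. The share name, the CONTOSO\ServiceADBackup account, the event source name and IDs, and the 14-day retention are assumptions.

```powershell
# Added example, not the original script: wbadmin system state backup with exit-code
# checking, Application event log entries and retention cleanup.
# Assumed: \\FileServer\ADBackup$, account CONTOSO\ServiceADBackup, event source "AD-Backup",
# event IDs 1000/1001, 14-day retention. Run as SYSTEM from Task Scheduler.
#Requires -RunAsAdministrator

$ShareRoot      = '\\FileServer\ADBackup$'
$BackupUser     = 'CONTOSO\ServiceADBackup'   # low-privilege account with Modify on the share
$BackupPassword = 'ChangeMe'                  # wbadmin only takes cleartext; ACL this file to SYSTEM/Admins
$RetentionDays  = 14
$EventSource    = 'AD-Backup'
$LogDir         = "$env:SystemRoot\Logs\WindowsServerBackup"

# Register the event source once so failures are visible in the Application log,
# not only in wbadmin's own log files on the DC.
if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
    New-EventLog -LogName Application -Source $EventSource
}

$date      = Get-Date -Format 'yyyy-MM-dd'
$TargetUNC = Join-Path $ShareRoot "AD-$date"

# Same behaviour as the article's script: one backup per day, replace today's if present.
if (Test-Path $TargetUNC) { Remove-Item -Path $TargetUNC -Recurse -Force }
New-Item -ItemType Directory -Force -Path $TargetUNC | Out-Null

# Call wbadmin directly with an argument array: the password is never re-parsed by
# PowerShell as in Invoke-Expression, and $LASTEXITCODE is reliable afterwards.
$wbArgs = @(
    'START', 'BACKUP',
    "-backupTarget:$TargetUNC",
    '-systemState',
    '-vssCopy',          # copy backup: does not interfere with other backup products' history
    '-quiet',
    "-user:$BackupUser",
    "-password:$BackupPassword"
)
$output = & wbadmin.exe @wbArgs 2>&1
$exit   = $LASTEXITCODE

if ($exit -eq 0) {
    Write-EventLog -LogName Application -Source $EventSource -EntryType Information -EventId 1000 `
        -Message "AD system state backup completed to $TargetUNC"
} else {
    Write-EventLog -LogName Application -Source $EventSource -EntryType Error -EventId 1001 `
        -Message "AD system state backup to $TargetUNC FAILED (exit code $exit).`n$($output -join "`n")"
    exit $exit
}

# Retention: delete AD-yyyy-MM-dd folders older than the window. The date is parsed from
# the folder name rather than LastWriteTime, which the backup team's agent may touch.
$cutoff  = (Get-Date).Date.AddDays(-$RetentionDays)
$culture = [System.Globalization.CultureInfo]::InvariantCulture
Get-ChildItem -Path $ShareRoot -Directory -Filter 'AD-*' | ForEach-Object {
    $parsed = [datetime]::MinValue
    if ([datetime]::TryParseExact($_.Name.Substring(3), 'yyyy-MM-dd', $culture,
            [System.Globalization.DateTimeStyles]::None, [ref]$parsed) -and $parsed -lt $cutoff) {
        Remove-Item -Path $_.FullName -Recurse -Force
    }
}

# Housekeeping: wbadmin writes a log file per run under C:\Windows\Logs\WindowsServerBackup.
Get-ChildItem -Path $LogDir -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -lt $cutoff } |
    Remove-Item -Force
```

The -noverify switch from the original command is dropped on purpose: it only affects backups written to removable media, so it has no effect on a network share target. The non-zero exit at the end of the failure branch is what lets Task Scheduler's Last Run Result show the failure as well.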

Schedule Script

In order to schedule the script on your DC, open Task Scheduler, create a basic task with your preferred schedule, and when you reach the Action window, put C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe in the Program/script field and the full path of your script in the Add arguments (optional) field. Prefix the path with -ExecutionPolicy Bypass -File (for example -ExecutionPolicy Bypass -File "C:\Scripts\AD-Backup.ps1", where the path is only an example) so PowerShell runs it as a script file regardless of the DC's execution policy.

Active Directory backup 2

When you are done, open the task again, change the security context the task runs under to System, and check Run with highest privileges.

Active Directory backup 3
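The same scheduling steps, done from PowerShell so they can be repeated identically on every DC. This is an added example, not part of the original article; the script path C:\Scripts\AD-Backup.ps1, the task name and the 02:00 daily trigger are assumptions. It also applies the file ACL the password inside the script calls for, then reads the task back so you can confirm the principal and run level match what the screenshots above show.

```powershell
# Added example, not from the original article: register the backup task from PowerShell.
# Assumed: script at C:\Scripts\AD-Backup.ps1, daily run at 02:00 (ScheduledTasks module,
# Windows Server 2012 or later). Run on the DC as an administrator.
$ScriptPath = 'C:\Scripts\AD-Backup.ps1'
$TaskName   = 'AD System State Backup'

# Lock the script down first: the wbadmin password is inside it. Remove inherited ACEs and
# allow only SYSTEM and Administrators, so no other local reader can lift the credential.
$acl = Get-Acl -Path $ScriptPath
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $ScriptPath -AclObject $acl

# Program/script and Add arguments fields from the GUI walkthrough.
$action = New-ScheduledTaskAction `
    -Execute "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""
$trigger = New-ScheduledTaskTrigger -Daily -At '02:00'

# Equivalent to "Change User or Group -> SYSTEM" plus "Run with highest privileges".
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# Kill a hung wbadmin after 4 hours and catch up if the DC was down at 02:00.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 4) -StartWhenAvailable

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Verify: principal, run level, and when it last ran / will run next.
(Get-ScheduledTask -TaskName $TaskName).Principal | Format-List UserId, RunLevel, LogonType
Get-ScheduledTaskInfo -TaskName $TaskName | Format-List LastRunTime, NextRunTime, LastTaskResult
```

LastTaskResult is the exit code of the last run; with the GUI-built task it is only meaningful if the script exits non-zero on failure, which the original wrapper does not do.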

When taking backups this way, the logs for each run are stored on that DC under C:\Windows\Logs\WindowsServerBackup. Over time those logs consume a lot of space, so I run a script that deletes old log files from this directory on a regular basis.

Active Directory backup monitor script

Send me email if my AD was not backed up recently

In most companies, the people who manage Active Directory are not the people who maintain the backup solution. What if you, as an Active Directory admin, want extra assurance that your Active Directory is actually being backed up? You could of course ask the backup team to send you a daily or weekly report, but then it is a matter of how far you trust such a report.

I was thinking of a way to go to Active Directory itself and ask it “Have you been backed up lately?”. I guess this is the ultimate source of truth. So I started digging and writing a couple of PowerShell scripts to make this happen.

Note that I am not specifying how you should back up AD. All that matters here is to make sure an AD backup is taken, and to alert me if none has been taken for X number of days.

If you search the internet, you will find many solutions for backing up a domain controller's system state. If you are using the built-in Windows Server Backup, you can write a script that searches the Microsoft-Windows-Backup/Operational event log for the event IDs that mark a completed backup. This was my initial thought, and you will find many scripts out there that look at that place. But those scripts only work if you are using Windows Server Backup.

I wanted a more direct, more reliable and more abstracted way to check AD backups: go to AD and ask it when it was last backed up, and get an alert if that exceeds my backup window.

While searching the internet for information, I found this TechNet blog post, “Use a PowerShell Script to Show Active Directory Backup Status Info”. It is a smart way to get the backup status for each AD partition, and the script is written in a way that works in all environments, with no hard-coded values.

It uses these lines of code to get the last backup stamp for each AD partition:

Import-Module ActiveDirectory

[string]$dnsRoot = (Get-ADDomain).DNSRoot

# Every naming context held by the domain: domain, configuration, schema and DNS application partitions
[string[]]$Partitions = (Get-ADRootDSE).namingContexts
$contextType = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain
$context = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext($contextType, $dnsRoot)
$domainController = [System.DirectoryServices.ActiveDirectory.DomainController]::FindOne($context)

ForEach ($partition in $Partitions) {
    # dsaSignature on the partition head is stamped when a system state backup completes
    $domainControllerMetadata = $domainController.GetReplicationMetadata($partition)
    $dsaSignature = $domainControllerMetadata.Item("dsaSignature")
    Write-Host "$partition was backed up $($dsaSignature.LastOriginatingChangeTime.DateTime)`n"
}

What we need to do is use the same lines of code, but instead of printing the last backup stamp for each partition, configure the script to send us an email if the last backup stamp of any partition exceeds our AD backup window. For example, if we are supposed to back up AD every day with our favorite backup solution, then an email is sent if the last backup stamp on any AD partition is more than 1 day old.

The Active Directory backup monitor script does not need any special permissions; any domain user can execute it. The script reads the backup frequency and sends an email alert ONLY if the AD backup has exceeded that frequency (i.e. you have an AD backup failure).
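A complete monitor built on the lines above, added here as an example and not the article's own script: it evaluates the dsaSignature stamp of every naming context against a maximum age, prints a table, and mails only the stale partitions. The SMTP relay and the sender and recipient addresses are assumptions; the 1-day window is the default and can be overridden with -MaxAgeDays. One caveat worth knowing when reading its output: dsaSignature is written by the NTDS VSS writer when a system state backup completes and it replicates, so the stamp tells you that some DC holding that partition was backed up recently, not that a particular DC was. repadmin /showbackup reports the same stamps and is a handy cross-check.

```powershell
# Added example, not the article's monitor script: alert when any AD naming context's
# dsaSignature backup stamp is older than the backup window.
# Assumed: SMTP relay smtp.contoso.local and the two mail addresses below.
param(
    [int]    $MaxAgeDays = 1,
    [string] $SmtpServer = 'smtp.contoso.local',                # assumed
    [string] $From       = 'ad-backup-monitor@contoso.local',   # assumed
    [string] $To         = 'ad-admins@contoso.local'            # assumed
)
Import-Module ActiveDirectory

function Get-ADPartitionBackupStatus {
    param([int]$MaxAgeDays)
    $dnsRoot     = (Get-ADDomain).DNSRoot
    $partitions  = (Get-ADRootDSE).namingContexts
    $contextType = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain
    $context     = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext($contextType, $dnsRoot)
    $dc          = [System.DirectoryServices.ActiveDirectory.DomainController]::FindOne($context)

    foreach ($partition in $partitions) {
        $meta = $dc.GetReplicationMetadata($partition)
        $sig  = $meta.Item('dsaSignature')
        # No dsaSignature at all means the partition has never been backed up: treat as stale.
        $last = if ($sig) { $sig.LastOriginatingChangeTime } else { [datetime]::MinValue }
        $age  = (Get-Date) - $last
        [pscustomobject]@{
            Partition  = $partition
            LastBackup = $last
            AgeDays    = [math]::Round($age.TotalDays, 2)
            Stale      = ($age.TotalDays -gt $MaxAgeDays)
            QueriedDC  = $dc.Name
        }
    }
}

$status = Get-ADPartitionBackupStatus -MaxAgeDays $MaxAgeDays
$status | Format-Table -AutoSize

$stale = @($status | Where-Object Stale)
if ($stale.Count -gt 0) {
    $body = ($stale | ForEach-Object {
        "{0}`n    last backup: {1}  ({2} days ago)" -f $_.Partition, $_.LastBackup, $_.AgeDays
    }) -join "`n"
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "AD backup overdue: $($stale.Count) partition(s) older than $MaxAgeDays day(s)" `
        -Body "Checked against $($status[0].QueriedDC).`n`n$body"
    exit 1   # non-zero so a scheduler or monitoring job can flag the failure as well
}
exit 0
```

Schedule it as any domain user on a machine with the RSAT ActiveDirectory module; a run that mails nothing and exits 0 is a good day.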