Active Directory backup

One of the most critical systems in your network is Active Directory, which is the foundation service for most of your business applications. It goes without saying that you should have a solid backup and recovery plan for Active Directory.

I want to share with you how I usually back up my domain controllers. First of all, I do not trust installing any type of agent on a domain controller. My domain controllers should not, by any means, be running any services besides directory services. Most backup solutions require elevated rights on the server in order to take a system state backup, and granting those rights to a backup agent on a domain controller should ring an alarm: an agent running as SYSTEM on a DC can read NTDS.dit, so whoever controls the backup product effectively holds the domain.

Instead, I always go with a simple, straightforward way. I create a script that invokes the Windows Server Backup feature built into every Windows Server installation, asks it to take a system state backup, and writes that backup to a remote, secured file share.

The next step is to ask the backup team to install whatever agents they want on that file server and back up the system state files to tape from there. Simple and efficient.

(Figure: Active Directory backup 1)

Prepare the File Server

Now, as the file share will host your AD backup, it is important to protect and restrict access to that file server. I would recommend installing it on a virtual machine with separate system and data drives.

Also, make sure that the local Administrators group on that file server contains only Domain Admins. Do not install any other server roles on the server, and do not host any other shares on it. Remember that a system state backup contains NTDS.dit: whoever can read this share can read every password hash in the domain, so treat the file server as a Tier 0 asset.

Now, on the D drive, create a hidden share and give the Domain Controllers computer group full control in both the share permissions and the NTFS permissions. Domain Controllers is a built-in security group that exists in your AD by default.

Script details

The script should be scheduled to run on a domain controller, and it should run under the built-in System security context. This gives it the right to back up AD without any additional rights or service account; when it reaches the remote share it authenticates as the DC's computer account, which is why the Domain Controllers group was granted access there.

The script starts by importing the Server Manager module:

Then we will get the current date:

Following that we will define the folder on the remote file share:

This assumes that the remote file server is named FileServer and that the hidden share we created is called ADBackups$. Notice that we are assuming backups are taken into a folder structure where the folder name contains the date on which the backup was taken.

We first check whether a folder containing today's date already exists, and if it does, we delete it. This means we will not keep two backups taken on the same day. This is only my own way; you can do yours.

Because the script will try to create folders on the remote share, the Domain Controllers computer group needs write access to that remote share folder.

Finally, we start the backup using the wbadmin command. To back up to a remote file share, wbadmin requires a user name and password to be supplied. So create a user (e.g. ServiceADBackup) and give it share and NTFS permissions to write to the remote file share. Treat that account as highly sensitive: it can read every system state backup on the share, and therefore NTDS.dit, so give it no other rights, do not reuse it anywhere, and do not leave its password in a script that non-administrators can read.

The final script looks like this:
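The script listing itself is not reproduced on this page. What follows is an added example that implements the steps described above in PowerShell; it is not the author's own script. The file server name FileServer, the share ADBackups$, the backup account CONTOSO\ServiceADBackup, the password file path, the 30-day log retention and the inclusion of the DC name in the folder name are all assumptions. It uses `wbadmin start backup -systemState` because that form of the command documents the -user and -password parameters for a remote share; it also prunes the wbadmin log directory that this page mentions for scheduled runs.

```powershell
# Backup-ADSystemState.ps1 -- added example, not the author's original script.
# Runs as SYSTEM on a domain controller and writes a system state backup to a
# date-named folder on a hidden share. All names below are assumptions.

$ShareRoot    = '\\FileServer\ADBackups$'           # hidden share; Domain Controllers group has Full Control
$BackupUser   = 'CONTOSO\ServiceADBackup'           # account wbadmin uses for the UNC target (assumption)
$PasswordFile = 'C:\ADBackup\ServiceADBackup.pwd'   # ACL: SYSTEM and Domain Admins only (assumption)
$LogDir       = 'C:\Windows\Logs\WindowsServerBackup'
$LogRetention = 30                                  # days of wbadmin logs to keep (assumption)

# wbadmin.exe only exists once the Windows Server Backup feature is installed.
Import-Module ServerManager
if (-not (Get-WindowsFeature -Name Windows-Server-Backup).Installed) {
    Install-WindowsFeature -Name Windows-Server-Backup | Out-Null
}

# Folder name carries the date, plus the DC name so that two DCs writing to the
# same share never delete each other's backup for the day.
$today      = Get-Date -Format 'yyyy-MM-dd'
$targetPath = Join-Path -Path $ShareRoot -ChildPath "$env:COMPUTERNAME-$today"

# One backup per DC per day: a folder already created today is replaced.
if (Test-Path -Path $targetPath) {
    Remove-Item -Path $targetPath -Recurse -Force
}
# Created as the DC's computer account, hence the Domain Controllers group permission.
New-Item -Path $targetPath -ItemType Directory | Out-Null

# Read the share account's password from a tightly ACL'd file rather than
# embedding it in the script, which anyone able to read the script could see.
$backupPass = (Get-Content -Path $PasswordFile -Raw).Trim()

# System state backup to the UNC path, with the credentials for the share.
$wbArgs = @(
    'start', 'backup',
    "-backupTarget:$targetPath",
    '-systemState',
    "-user:$BackupUser",
    "-password:$backupPass",
    '-quiet'
)
& wbadmin.exe @wbArgs
$wbExit = $LASTEXITCODE
Remove-Variable -Name backupPass, wbArgs   # do not keep the secret around longer than needed

# Prune old wbadmin logs so the log directory does not grow unbounded.
Get-ChildItem -Path $LogDir -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$LogRetention) } |
    Remove-Item -Force

if ($wbExit -ne 0) {
    Write-Error "wbadmin exited with code $wbExit; backup to $targetPath failed"
}
exit $wbExit
```

One caveat with the wbadmin form: the password is passed on the command line, so it is visible to anyone who can list process command lines on the DC while the backup runs (on a DC that is administrators and SYSTEM only, but it is still worth knowing). If you want to avoid that, the WindowsServerBackup module cmdlets (New-WBPolicy, Add-WBSystemState, New-WBBackupTarget -NetworkPath with -Credential, Add-WBBackupTarget, Start-WBBackup) take a PSCredential object instead of a clear-text password argument.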

Schedule Script

To schedule the script on your DC, open Task Scheduler, create a basic task with your preferred schedule, and when you reach the Action window, put C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe in the Program/script field and the full path of your script in the Add arguments (optional) field.

(Figure: Active Directory backup 2)

When you are done, open the task again, change the security context that the task runs under to System, and check Run with highest privileges.

(Figure: Active Directory backup 3)

When taking backups this way, the logs for each run are stored on that DC under C:\Windows\Logs\WindowsServerBackup. Over time those logs consume a lot of space, so I run a script to delete old log files from this directory on a regular basis.
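The same task can be registered from PowerShell instead of clicking through Task Scheduler. The block below is an added example, not the author's code; the task name, script path and 02:00 run time are assumptions. It sets the two things the figures above show being changed by hand, the System principal and Run with highest privileges, and then reads the task back so you can verify what was actually registered.

```powershell
# Added example: register the backup script as a daily task running as SYSTEM
# with highest privileges. Task name, script path and run time are assumptions.

$TaskName   = 'AD System State Backup'
$ScriptPath = 'C:\ADBackup\Backup-ADSystemState.ps1'   # runs as SYSTEM, so ACL it to SYSTEM/Domain Admins only
$PowerShell = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'

# Same Program/script and arguments as the Task Scheduler Action window; -File makes
# powershell.exe treat the argument as a script path rather than a command string.
$action = New-ScheduledTaskAction -Execute $PowerShell `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""

$trigger = New-ScheduledTaskTrigger -Daily -At '02:00'

# Security context System plus "Run with highest privileges".
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# Run a missed schedule when the DC comes back, and kill a hung backup after 4 hours.
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Hours 4)

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Verify: the principal must be SYSTEM and the run level Highest.
$task = Get-ScheduledTask -TaskName $TaskName
[pscustomobject]@{
    Task     = $task.TaskName
    RunAs    = $task.Principal.UserId
    RunLevel = $task.Principal.RunLevel
    Command  = $task.Actions[0].Execute
    Args     = $task.Actions[0].Arguments
}
```

Because the task runs as SYSTEM, the script file it points at is effectively a SYSTEM-level execution path on a domain controller: anyone who can modify that file owns the DC. Keep it on a path only administrators can write to, and alert on changes to it.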

Active Directory backup monitor script

Send me email if my AD was not backed up recently

In most companies, the people who manage Active Directory are different from the people who maintain the backup solution. What if you, as an Active Directory admin, want extra assurance that your Active Directory is actually being backed up? You could of course ask the backup team to send you a daily or weekly report, but then it is a matter of how far you trust such a report.

I was thinking of a way to go to Active Directory itself and ask it, "Have you been backed up lately?". I guess this is the ultimate source of truth. So I started digging and wrote a couple of PowerShell scripts to make this happen.

Note that I am not specifying how you should back up AD; all that matters here is to make sure an AD backup is taken, and to alert me if one has not been taken for X number of days.

If you search the internet, you will find many solutions for backing up a domain controller's system state. If you are using the built-in Windows Server Backup, you can write a script that searches for specific event IDs in the Backup event log. This was my initial thought, and you will find many scripts out there that look at that place. But those scripts only work if you are using the built-in Windows Server Backup.

I wanted a more direct, more reliable and more abstract way to check AD backups: go to AD and ask it when it was last backed up, and then get an alert if that exceeds my backup window.

Searching the internet, I found this TechNet blog post: "Use a PowerShell Script to Show Active Directory Backup Status Info". It is a smart way to get the backup status for each AD partition, and the script is written in a way that works in all environments, with no hard-coded values.

The post uses these lines of code to get the last backup timestamp for each AD partition (the timestamp is the replication metadata of the dSASignature attribute on each partition head, the same value that repadmin /showbackup reports):

What we need to do is use the same lines of code, but instead of printing out the last backup timestamp for each partition, configure the script to send us an email if the last backup timestamp of any partition is older than our AD backup window. For example, if we are supposed to take an AD backup every day using our favorite backup solution, then an email is sent if the last backup timestamp on any AD partition is more than one day old.

The Active Directory backup monitor script does not need any special permissions; any domain user can execute it. The script compares the timestamps with your backup frequency and sends an email alert ONLY if the AD backup is older than that frequency (i.e. you have an AD backup failure).
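Below is an added example of such a monitor script, not the author's script. It reads the dSASignature replication metadata of every naming context hosted by a domain controller and alerts if any partition's last backup is older than the window. The SMTP server, sender and recipient addresses are assumptions; the one-day default matches the daily backup example above. A partition that has never been backed up has no dSASignature metadata at all, so it is treated as infinitely old rather than silently skipped.

```powershell
# Check-ADBackupAge.ps1 -- added example monitor script, not the author's code.
# Reads each naming context's dSASignature replication metadata (the value that
# "repadmin /showbackup" reports; a DC stamps it when a system state backup
# completes) and mails an alert when any partition exceeds the backup window.
# SMTP server and addresses are assumptions.
param(
    [int]$MaxAgeDays  = 1,
    [string]$SmtpServer = 'smtp.contoso.com',
    [string]$From       = 'ad-backup-monitor@contoso.com',
    [string]$To         = 'ad-admins@contoso.com'
)

Add-Type -AssemblyName System.DirectoryServices

function Get-ADPartitionBackupStatus {
    param([int]$MaxAgeDays)
    # Replication metadata is readable by any authenticated user; no special rights needed.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $domain.Name)
    $dc     = [System.DirectoryServices.ActiveDirectory.DomainController]::FindOne($ctx)
    $now    = Get-Date

    foreach ($partition in $dc.Partitions) {
        $meta = $dc.GetReplicationMetadata($partition)
        # No dSASignature metadata means this partition has never been backed up.
        $last = if ($meta.Contains('dSASignature')) { $meta['dSASignature'].LastOriginatingChangeTime } else { $null }
        $age  = if ($last) { ($now - $last).TotalDays } else { [double]::PositiveInfinity }
        [pscustomobject]@{
            DomainController = $dc.Name
            Partition        = $partition
            LastBackup       = $last
            AgeDays          = [math]::Round($age, 2)
            Stale            = ($age -gt $MaxAgeDays)
        }
    }
}

$status = Get-ADPartitionBackupStatus -MaxAgeDays $MaxAgeDays
$status | Format-Table -AutoSize

$stale = @($status | Where-Object Stale)
if ($stale.Count -gt 0) {
    $lines = $stale | ForEach-Object {
        '{0}: last backup {1} ({2} days ago)' -f $_.Partition, $_.LastBackup, $_.AgeDays
    }
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "AD backup older than $MaxAgeDays day(s) on $($stale[0].DomainController)" `
        -Body ("The following AD partitions have not been backed up within $MaxAgeDays day(s):`n`n" + ($lines -join "`n"))
    exit 1   # non-zero so a scheduler or monitoring tool sees the failure too
}
exit 0
```

Run it from any domain-joined machine on a schedule slightly longer than the backup window (for a daily backup, check every morning with -MaxAgeDays 1). Because the check asks the directory itself rather than the backup product, it also catches the case where the backup job reports success but never actually completed a system state backup against a DC.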

About The Author

Ammar Hasayen

Ammar is a digital transformer, cloud architect, public speaker and blogger. He is considered a trusted advisory with the ability to quickly navigate complex multi-cultural organizations and continuously improve and motivate cross-functional teams to achieve higher productivity, collaboration, revenue gain and cross-group knowledge sharing. His contributions to the tech community helped him get awarded the Microsoft Most Valuable Professional. Ammar appears in a lot of global conferences, and he has many publications about digital transformation and next generation technologies.
