Active Directory Backup
AD Backup Notes
Find Role Holders
Get the list of domain controllers with FSMO roles using this command:
netdom query fsmo
Check last Backup
Check when the current Active Directory domain controller was last backed up using the repadmin tool:
repadmin /showbackup
Get the backup status for all DCs in the domain using this command:
repadmin /showbackup *
Backing Up AD Domain Controller Using Windows Server Backup
Check / Install Server Backup
Check if Windows Server Backup is installed using the Get-WindowsFeature PowerShell cmdlet:
Get-WindowsFeature Windows-Server-Backup
If WSB is not installed, you can add it with PowerShell:
Add-WindowsFeature Windows-Server-Backup -IncludeAllSubFeature
PowerShell Backup Script
Back up a domain controller using PowerShell. To keep multiple levels of AD backup copies, we will store each backup copy in a separate directory with the date of backup creation as the folder name.
Import-Module ServerManager
# Dated subfolder for this run, e.g. \\server\backup\dc1\2020-06-01
[string]$date = Get-Date -Format 'yyyy-MM-dd'
$path = "\\server\backup\dc1\"
$TargetUNC = $path + $date
if (-not (Test-Path -Path $TargetUNC)) {
    New-Item -Path $TargetUNC -ItemType Directory | Out-Null
}
# Pass the arguments as an array and call wbadmin directly instead of evaluating a command string
$WBadminArgs = @('START', 'BACKUP', "-backupTarget:$TargetUNC", '-systemState', '-noverify', '-vssCopy', '-quiet')
& wbadmin.exe @WBadminArgs
If the backup has been successful, you will see the following messages in the log:
- The backup operation successfully completed.
- The backup of volume (C:) completed successfully.
- The backup of the system state successfully completed [01.06.2020 09:52].
Check the time of the last DC backup:
repadmin /showbackup
If there are multiple DCs in Active Directory, you do not need to back up all of them. To save space, it is enough to periodically back up the Active Directory database (the ntds.dit file). To do it, use these commands in the above script (replace the last two lines):
$WBadminArgs = @('start', 'backup', "-backuptarget:$path", '-include:C:\Windows\NTDS\ntds.dit', '-quiet')
& wbadmin.exe @WBadminArgs
The size of such a backup will be only 50-500MB depending on the AD database size.
Task Scheduler
For a daily AD domain controller backup, create the following task:
$Trigger= New-ScheduledTaskTrigger -At 02:00am -Daily
$User= "NT AUTHORITY\SYSTEM"
$Action= New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "C:\Backup_AD_DC.ps1"
Register-ScheduledTask -TaskName "BackupAD-DC-daily" -Trigger $Trigger -User $User -Action $Action -RunLevel Highest -Force
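Because the scheduled task runs unattended, a failed backup can go unnoticed until a restore is needed. The following check is an added example, not part of the original notes: it confirms that the newest dated folder written by the system state script above is recent and contains wbadmin data, and it removes older copies only when that is the case. Test-DcBackupSet, MaxAgeDays and KeepCopies are hypothetical names; the yyyy-MM-dd folder layout and the share path are taken from the script above.

```powershell
# Added example (not from the original notes): verify the newest dated copy, then prune.
# Assumes folders named yyyy-MM-dd as created by the backup script above.
# Test-DcBackupSet, MaxAgeDays and KeepCopies are hypothetical names.
function Test-DcBackupSet {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [int]$MaxAgeDays = 1,
        [int]$KeepCopies = 14
    )

    # Keep only folders whose name parses as a yyyy-MM-dd date.
    $sets = @(foreach ($dir in Get-ChildItem -LiteralPath $Path -Directory) {
        $stamp = [datetime]::MinValue
        $ok = [datetime]::TryParseExact($dir.Name, 'yyyy-MM-dd',
            [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::None, [ref]$stamp)
        if ($ok) { [pscustomobject]@{ Date = $stamp; Folder = $dir.FullName } }
    })
    $sets = @($sets | Sort-Object Date -Descending)
    if ($sets.Count -eq 0) { throw "No dated backup folders found under $Path" }

    # wbadmin stores its data under <target>\WindowsImageBackup\<computer name>.
    $newest  = $sets[0]
    $image   = Join-Path $newest.Folder 'WindowsImageBackup'
    $hasData = (Test-Path -LiteralPath $image) -and
        [bool](Get-ChildItem -LiteralPath $image -Recurse -File | Select-Object -First 1)
    $ageDays = ((Get-Date).Date - $newest.Date).Days
    $healthy = $hasData -and ($ageDays -le $MaxAgeDays)

    # Prune only when the newest copy checks out, so a run of failed backups
    # never deletes the last good copy.
    if ($healthy) {
        foreach ($old in ($sets | Select-Object -Skip $KeepCopies)) {
            if ($PSCmdlet.ShouldProcess($old.Folder, 'Remove old backup copy')) {
                Remove-Item -LiteralPath $old.Folder -Recurse -Force
            }
        }
    }
    [pscustomobject]@{
        Newest = $newest.Folder; AgeDays = $ageDays; HasData = $hasData; Healthy = $healthy
    }
}

# Dry run (-WhatIf) against the share from the backup script; a non-zero exit
# code makes the failure visible in the scheduled task's last run result.
$result = Test-DcBackupSet -Path '\\server\backup\dc1\' -WhatIf
$result
if (-not $result.Healthy) { exit 1 }
```

Remove -WhatIf once the folders it reports for removal are the ones you expect.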