
So Microsoft claims that "you cannot use a network shared folder as a backup target for a system state backup", but I've seen plenty of posts where people indicate that they are able to do this from a command prompt using wbadmin.

My end goal:

I am not concerned about backing up any of our domain controllers, because if one dies, I'll just spin up a new domain controller and let the remaining DCs replicate to it. I am concerned however about at least making sure that I have a backup of AD, in case our entire AD infrastructure were to get hosed and needed to be restored from a backup.

Here’s what I’ve done so far to accomplish the goal:

From my PDCe, I ran a successful backup to a network share using the following command:

wbadmin start systemstatebackup -backuptarget:\\srv-backup\b$\srv-dc1

I then created a scheduled backup like this:

wbadmin enable backup -addtarget:\\srv-backup\b$\srv-dc1 -systemstate -schedule:03:00

I verified the following day that the scheduled backup completed successfully.

So here are new questions:

  1. How do I properly backup AD? Is my current method correct?

  2. If my current backup method will only yield ONE backup at any given time (because it’s backing up to a network share and it will overwrite the previous backup each night), should I look into getting local storage to push the backups to (so I can have multiple backups), or should I just do backups of my other two DCs in the same manner; to a network share (staggering the schedules of course - then I’ll at least have one or more daily backups that I can depend on)?

  3. I've read in another thread in the community where someone said to "backup the NTDS folder from C:\Windows", but I'm assuming that is unnecessary since it gets backed up during the systemstate backup - is that correct?

HopelessN00b
    BTW, backing up DC is still a good idea. It protects you against data corruption, human error, viruses, etc. when replication only gives you availability. – dtoubelis Apr 08 '16 at 18:00
  • Even if the DC is nothing more than a DC? I would think trying to restore a DC from a backup would actually present more trouble than it's worth, especially in terms of what happens when you try to restore the DC from a backup. I thought it was generally "safer" to just spin up a new DC and let the other DCs replicate to it. – John 'Shuey' Schuepbach Apr 08 '16 at 18:05

2 Answers


So Microsoft claims that "you cannot use a network shared folder as a backup target for a system state backup"

That is (or was) a restriction on the original version of Windows Backup, that came on older OSes (Vista RTM and Server 2008 RTM - this may or may not have been addressed in service packs or updates to those OSes). Windows 7+/Server 2008 R2+ handle system state backups to network folders fine.

  1. How do I properly backup AD? Is my current method correct?

No. Backing up one Domain Controller is not the same as backing up Active Directory. IF everything goes well, then sure, you might be able to get away with it. Of course, backups only exist for when everything doesn't go well, so you should always consider what could go wrong when you're coming up with a backup strategy. In this case, I see two major issues.

  1. You're only backing up one domain controller. If/when replication breaks to/from that domain controller, or that one domain controller is the source of corruption that's forcing you to restore from backups, you don't have backups of your actual Active Directory anymore.

  2. Your retention period of one backup is pretty useless. By the time you realize you have a problem, you've probably overwritten your backup with a copy that contains your problem. So, that needs fixing, and fortunately, it's not hard - store your backups in folders named with the date taken. You may also want to consider doing incremental backups to save space. Weekly fulls, daily incrementals is a pretty common strategy that strikes a nice balance between disk space and speed/ease of backup restore.

  2. If my current backup method will only yield ONE backup at any given time (because it’s backing up to a network share and it will overwrite the previous backup each night), should I look into getting local storage to push the backups to (so I can have multiple backups), or should I just do backups of my other two DCs in the same manner; to a network share (staggering the schedules of course - then I’ll at least have one or more daily backups that I can depend on)?

As stated/implied above, you should back up all your domain controllers daily. As mentioned above, put the backups in a folder that's named by the date taken to prevent backups from being overwritten, and consider incremental and/or differential backups to save space.

  3. I've read in another thread in the community where someone said to "backup the NTDS folder from C:\Windows", but I'm assuming that is unnecessary since it gets backed up during the systemstate backup - is that correct?

You are correct. The NTDS (NT Directory Service) folder contains the databases that essentially are your Active Directory Domain. A system state backup should get that folder and the databases in it. (Wouldn't hurt to verify that on your backups, of course.) As the saying goes, backups that aren't restore-tested aren't really backups.

HopelessN00b
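The following PowerShell script is an added example, not code from the question or from either answer. It puts the asker's wbadmin command and the answer's two recommendations together: each nightly system state backup goes into a folder named by date (so the share no longer holds only the latest copy), folders older than a retention window are pruned only after a successful run, and the backup is listed afterwards so the System State item (which carries the NTDS database) can be confirmed. The share path is the one from the question; the retention window, the date format and the folder layout are assumptions.

```powershell
# Added example (not from the original question or answers): nightly system state
# backup of one DC into a date-named folder on the share, with a retention window,
# followed by a listing of what the backup contains.
param(
    [string]$BackupRoot = '\\srv-backup\b$\srv-dc1',   # share path from the question
    [int]$RetainDays    = 14                           # assumed retention window
)

$stamp  = Get-Date -Format 'yyyy-MM-dd'
$target = Join-Path $BackupRoot $stamp

# wbadmin expects the target folder to exist; create today's folder if it does not.
if (-not (Test-Path -LiteralPath $target)) {
    New-Item -ItemType Directory -Path $target | Out-Null
}

# One system state backup per day, each in its own folder, so a backup to a network
# share no longer overwrites the previous night's copy.
& wbadmin.exe start systemstatebackup -backuptarget:$target -quiet
if ($LASTEXITCODE -ne 0) {
    throw "wbadmin failed with exit code $LASTEXITCODE; older backups left untouched"
}

# Prune only after a successful backup, and only folders that match the date pattern,
# so a failed night never shrinks the retention window by itself.
$cutoff = (Get-Date).AddDays(-$RetainDays)
Get-ChildItem -LiteralPath $BackupRoot -Directory |
    Where-Object { $_.Name -match '^\d{4}-\d{2}-\d{2}$' } |
    Where-Object { [datetime]::ParseExact($_.Name, 'yyyy-MM-dd', $null) -lt $cutoff } |
    ForEach-Object {
        Write-Host "Removing expired backup folder $($_.FullName)"
        Remove-Item -LiteralPath $_.FullName -Recurse -Force
    }

# Verify: list the versions stored in today's folder, take the newest version
# identifier from the output, and list the items it holds. 'System State' should be
# among them; the NTDS database is part of that item, not a separate folder to copy.
$versions  = & wbadmin.exe get versions -backuptarget:$target
$versionId = ($versions | Select-String 'Version identifier:\s*(\S+)' |
              Select-Object -Last 1).Matches[0].Groups[1].Value
& wbadmin.exe get items -version:$versionId -backuptarget:$target
```

Run it from a scheduled task at the same 03:00 slot on each DC (with the share path changed per DC) in place of the single `wbadmin enable backup` schedule, which only ever keeps the latest copy on a network target. The pruning step deliberately sits after the exit-code check: if the backup fails, nothing is deleted and the previous nights' folders remain available for a restore.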

You will frequently find advice about backing up and restoring domain controllers that boils down to "don't backup your DC". This is unfortunately bad advice. You should be backing up all of your domain controllers, because you never know which one will be corrupt.

The problem isn't so much the backing up of domain controllers, it's restoring them that is the tricky part. Make sure you do your homework before restoring!

The answer to all of your problems is to invest in a "real" centralized backup solution like Veeam, Acronis, Unitrends, etc. These tools are AD aware, support retention periods, get the data backed up to an external disk array (or tape), and provide a single pane of glass for monitoring the backup status of all your servers.

myron-semack
  • I must say, I never in my life, working in the field for about 20 years since Windows NT 3.51, saw or was able to interpret such a message. Recovery of AD is a complex and hugely detail-oriented procedure. However, nothing that ain't within the grasp of the complex topic. Perhaps such comments were made in light of complexity and lack of understanding. I would gladly read such posts if you could provide an example. – Vick Vega Apr 09 '16 at 21:43
  • That's a great thought msemack, IF you work for a company that understands that AND is willing to spend money to invest in infrastructure. But if you work for a company that doesn't want to spend money on enterprise backup solutions, it's considerably more challenging to "get the job done right" :-/... – John 'Shuey' Schuepbach Apr 11 '16 at 12:11